Wednesday, January 8, 2020
TenFourFox not vulnerable to CVE-2019-17026
After doing some analysis late last night and today to determine if we need a chemspill build, I have concluded that TenFourFox is not vulnerable to CVE-2019-17026, or at least not to any of the PoCs or test cases available to me. This is the 0-day that was fixed in Firefox 72.0.1 and 68.4.1. Though a portion of the affected code exists in the TenFourFox code base, there doesn't seem to be a way to trigger the exploit due to various other missing optimizations and the oddities of our JIT. (Firefox 45-based browsers using our patches as upstream should bear in mind this may not be true for other architectures, however.) Absent evidence to the contrary it will be nevertheless patched as part of the standard security fixes in FPR19.
CK I have to drop a big congratulations to you on your G5 optimization in TFF. I've had a few G5's come in for some work lately (everyone knows me as the "old Mac guy") and in nearly ever task, the G5s are just not that much faster than G4s (both of these were DP 2.5 GHz machines and geekbenched at 175% of my MDD G4, but in nearly every app felt maybe 10-15% faster). HOWEVER in TenFourFox, they were noticeably faster. I could really feel that nearly 2x power advantage. It's a shame you were not working on Mac apps when the G5 was in the limelight - you might have kept them going as a group!
ReplyDeleteLike the first major tests that showed in things like QuickTime conversions, how much of the G5's power often goes unused, most ever app I tried didn't even show a raw-clockspeed advantage. But TenFourFox, made that anodized aluminum shine like a new system. BRAVO!