It looks like last week's automatic update to Firefox came with an unintended hitchhiker: a new bug that opened up a potentially critical security vulnerability. The Mozilla Foundation responded by pushing out a new update that fixes the problem:
- MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()
I found the time line on this one interesting so I thought I'd share it. It provides a fascinating insight into Mozilla's around-the-clock development process (all times are PDT):
- 5:11am: Marc Gueury, who was running a pre-release version of Firefox, noticed a new crash when using the HTML Validator extension (bug 489322). As more people started running into it, one noted:
Firefox 3.0.9 downloaded in the background and installed when I restarted. Ordinarily I think that is a brilliant thing, but this time, because of this bug, it's corrupting my ability to work.
- 1:06pm: Daniel Veditz noticed a new "topcrash" and filed bug 489647. Topcrashes are like Firefox's equivalent of a "Top 10 list" from the automatic crash reporter.
- 1:16pm: Developers narrowed down the time frame of the regression and identified a couple of possible pushes that might have caused it.
- 11:17pm: The exact problem was described. Essentially, a fix to one problem got tangled up in a fix to another problem, which resulted in an incomplete patch being applied.
- 3:46am: A test case was created.
- 3:52am: A patch was created to fix the bug.
- 10:20am: The patch was checked into source control.
- 12:30am: The fix was approved for an emergency release.
- 5:04pm: The bug fix was verified on 3.0.10 builds on Linux.
- 11:52pm: The bug fix was verified on 3.0.10 builds on Windows.
Once the fix was approved and verified the process of pushing out a new automatic update was started.