Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Arch Linux: ASA-201803-13 Critical: Firefox Arbitrary Code Execution

Archlinux Large Esm H446
The package firefox before version 59.0.1-1 is vulnerable to arbitrary code execution.
Arch Linux Security Advisory ASA-201803-13
=========================================
Severity: Critical
Date    : 2018-03-18
CVE-ID  : CVE-2018-5146
Package : firefox
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-657

Summary
======
The package firefox before version 59.0.1-1 is vulnerable to arbitrary
code execution.

Resolution
=========
Upgrade to 59.0.1-1.

# pacman -Syu "firefox>=59.0.1-1"

The problem has been fixed upstream in version 59.0.1.

Workaround
=========
None.

Description
==========
An out of bounds memory write vulnerability has been discovered in
libvorbis before 1.3.6 while processing Vorbis audio data related to
codebooks that are not an exact divisor of the partition size.

Impact
=====
A remote attacker is able to execute arbitrary code by tricking the
user into visiting a website with a vorbis audio file.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/#CVE-2018-5146
https://bugzilla.mozilla.org/show_bug.cgi?id=1446062
https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f
https://seclists.org/oss-sec/2018/q1/243
https://security.archlinux.org/CVE-2018-5146