ArchLinux: 201805-10: firefox: multiple issues
Summary
- CVE-2018-5150 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 60.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2018-5151 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 60.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2018-5152 (information disclosure)
An information disclosure vulnerability has been found in Firefox <
60.0. WebExtensions with the appropriate permissions can attach content
scripts to Mozilla sites such as accounts.firefox.com and listen to
network traffic to the site through the webRequest API. For example,
this allows for the interception of username and an encrypted password
during login to Firefox Accounts. This issue does not expose
synchronization traffic directly and is limited to the process of user
login to the website and the data displayed to the user once logged in.
- CVE-2018-5153 (information disclosure)
An information disclosure vulnerability has been found in Firefox <
60.0. If websocket data is sent with mixed text and binary in a single
message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in
response.
- CVE-2018-5154 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 60.0, while
enumerating attributes during SVG animations with clip paths.
- CVE-2018-5155 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 60.0, while
adjusting layout during SVG animations with text paths.
- CVE-2018-5157 (same-origin policy bypass)
A same-origin policy bypass vulnerability has been found in the PDF
viewer of Firefox < 60.0, allowing a malicious site to intercept
messages meant for the viewer. This could allow the site to retrieve
PDF files restricted to viewing by an authenticated user on a
third-party website.
- CVE-2018-5158 (arbitrary code execution)
An insufficient sanitization vulnerability in PostScript calculator
functions has been found in the PDF viewer of Firefox < 60.0, allowing
malicious JavaScript to be injected through a crafted PDF file. This
JavaScript can then be run with the permissions of the PDF viewer by
its worker.
- CVE-2018-5159 (arbitrary code execution)
An integer overflow vulnerability has been found in the Skia library
used in Firefox < 60.0, due to 32-bit integer use in an array without
integer overflow checks, resulting in possible out-of-bounds writes.
This could lead to a potentially exploitable crash triggerable by web
content.
- CVE-2018-5160 (arbitrary code execution)
An uninitialized memory use vulnerability has been found in the WebRTC
component of Firefox < 60.0, which can use a WrappedI420Buffer pixel
buffer whose owning image object can be freed while it is still in use.
This can result in the WebRTC encoder using uninitialized memory,
leading to a potentially exploitable crash.
- CVE-2018-5163 (sandbox escape)
A sandbox escape vulnerability has been found in Firefox < 60.0. If a
malicious attacker has used another vulnerability to gain full control
over a content process, they may be able to replace the alternate data
resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for
other JavaScript code. If the parent process then runs this replaced
code, the executed script would be run with the parent process'
privileges, escaping the sandbox on content processes.
- CVE-2018-5164 (access restriction bypass)
A Content Security Policy (CSP) bypass has been found in Firefox <
60.0, where the CSP is not applied correctly to all parts of multipart
content sent with the multipart/x-mixed-replace MIME type. This could
allow script to run where CSP should block it, allowing for cross-site
scripting (XSS) and other attacks.
- CVE-2018-5166 (access restriction bypass)
WebExtensions in Firefox before 60.0 can use request redirection and a
filterResponseData filter to bypass host permission settings to
redirect network traffic and access content from a host for which they
do not have explicit user permission.
- CVE-2018-5167 (content spoofing)
The web console and JavaScript debugger in Firefox < 6.0.0 do not
sanitize all output that can be hyperlinked. Both will display chrome:
links as active, clickable hyperlinks in their output. Web sites should
not be able to directly link to internal chrome pages. Additionally,
the JavaScript debugger will display javascript: links, which users
could be tricked into clicking by malicious sites.
- CVE-2018-5168 (access restriction bypass)
Sites can bypass security checks on permissions to install lightweight
themes in Firefox before 60.0, by manipulating the baseURI property of
the theme element. This could allow a malicious site to install a theme
without user interaction which could contain offensive or embarrassing
images.
- CVE-2018-5169 (access restriction bypass)
If manipulated hyperlinked text containing a chrome: URL is dragged and
dropped onto the "home" icon in Firefox before 60.0, the home page can
be reset to include a normally unlinkable chrome page as one of the
home page tabs.
- CVE-2018-5172 (arbitrary code execution)
The Live Bookmarks page and the PDF viewer in Firefox before 60.0 can
run injected script content if a user pastes script from the clipboard
into them while viewing RSS feeds or PDF files. This could allow a
malicious site to socially engineer a user to copy and paste malicious
script content that could then run with the context of either page but
does not allow for privilege escalation.
- CVE-2018-5173 (content spoofing)
The filename appearing in the Downloads panel in Firefox before 60.0
improperly renders some Unicode characters, allowing for the file name
to be spoofed. This can be used to obscure the file extension of
potentially executable files from user view in the panel.
- CVE-2018-5175 (access restriction bypass)
A mechanism to bypass Content Security Policy (CSP) protections on
sites that have a script-src policy of 'strict-dynamic' has been found
in Firefox < 60.0. If a target website contains an HTML injection flaw
an attacker could inject a reference to a copy of the require.js
library that is part of Firefox’s Developer Tools, and then use a known
technique using that library to bypass the CSP restrictions on
executing injected scripts.
- CVE-2018-5176 (information disclosure)
The JSON Viewer in Firefox before 60.0 displays clickable hyperlinks
for strings that are parseable as URLs, including javascript: links. If
a JSON file contains malicious JavaScript script embedded as
javascript: links, users may be tricked into clicking and running this
code in the context of the JSON Viewer. This can allow for the theft of
cookies and authorization tokens which are accessible to that context.
- CVE-2018-5177 (denial of service)
A vulnerability exists in the XSLT component of Firefox before 60.0:
during number formatting, a negative buffer size may be allocated in
some instances, leading to a buffer overflow and a crash when it occurs.
- CVE-2018-5180 (arbitrary code execution)
A use-after-free vulnerability can occur during WebGL operations in
Firefox before 60.0. While this results in a potentially exploitable
crash, the vulnerability is limited because the memory is freed and
reused in a brief window of time during the freeing of the same
callstack.
- CVE-2018-5181 (access restriction bypass)
If a URL using the file: protocol is dragged and dropped onto an open
tab of Firefox before 60.0 that is running in a different child process
the tab will open a local file corresponding to the dropped URL,
contrary to policy. One way to make the target tab open more reliably
in a separate process is to open it with the noopener keyword.
- CVE-2018-5182 (access restriction bypass)
If a text string that happens to be a filename in the operating
system's native format is dragged and dropped onto the address bar of
Firefox before 60.0, the specified local file will be opened. This is
contrary to policy and is the same behaviour as if the string were the
equivalent file: URL.
Resolution
Upgrade to 60.0-1.
# pacman -Syu "firefox>=60.0-1"
The problems have been fixed upstream in version 60.0.
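The following script is an added example and not part of the Arch advisory or of pacman itself: it decides whether an installed firefox package is older than the fixed version 60.0-1, so an administrator can verify the resolution on a fleet of hosts. The comparison helpers assume Arch "pkgver-pkgrel" version strings with dot-separated numeric components (true for firefox releases) and mimic the -1/0/1 convention of pacman's real vercmp for that subset; only check_firefox touches the system, via `pacman -Q`.

```shell
#!/bin/sh
# Added example (not the advisory's own code): is the installed firefox
# older than the version that fixes advisory 201805-10?
# Assumption: versions look like "pkgver-pkgrel" with numeric, dot-separated
# pkgver, e.g. "59.0.2-1" or "60.0-1". pacman's vercmp handles more.

FIXED_VERSION="60.0-1"

# Compare two dot-separated numeric version strings.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2 (vercmp convention).
cmp_dotted() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading component of each string; a missing component counts as 0.
        ah=${a%%.*}; bh=${b%%.*}
        ah=${ah:-0};  bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
        # Drop the component just compared (and its dot).
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    echo 0
}

# Compare two package versions "pkgver-pkgrel": pkgver first, then pkgrel.
# A version without "-pkgrel" is treated as pkgrel 0.
vercmp_pkg() {
    case $1 in *-*) v1=${1%-*}; r1=${1##*-} ;; *) v1=$1; r1=0 ;; esac
    case $2 in *-*) v2=${2%-*}; r2=${2##*-} ;; *) v2=$2; r2=0 ;; esac
    res=$(cmp_dotted "$v1" "$v2")
    if [ "$res" -ne 0 ]; then echo "$res"; return; fi
    cmp_dotted "$r1" "$r2"
}

# True (exit 0) when the installed version $1 is older than fixed version $2.
needs_upgrade() {
    [ "$(vercmp_pkg "$1" "$2")" -eq -1 ]
}

# Query the local package database and report. Exit 1 if still affected.
check_firefox() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; not an Arch system"
        return 0
    fi
    installed=$(pacman -Q firefox 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "firefox is not installed"
        return 0
    fi
    if needs_upgrade "$installed" "$FIXED_VERSION"; then
        echo "firefox $installed is affected; upgrade to >= $FIXED_VERSION"
        return 1
    fi
    echo "firefox $installed already includes the fix"
}

check_firefox
```

Run it on each host after the upgrade; a non-zero exit marks a machine that still carries a vulnerable firefox. The pure comparison functions can be exercised without pacman, which is what makes the script testable off-box.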
References
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1388020%2C1433609%2C1409440%2C1448705%2C1451376%2C1452202%2C1444668%2C1393367%2C1411415%2C1426129
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1445234%2C1449530%2C1437455%2C1447989%2C1438827%2C1436983%2C1435036%2C1440465%2C1439723%2C1448771%2C1453653%2C1454359%2C1432323%2C1454126%2C1436759%2C1439655%2C1448612%2C1449358%2C1367727%2C1452417
https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
https://bugzilla.mozilla.org/show_bug.cgi?id=1436809
https://bugzilla.mozilla.org/show_bug.cgi?id=1443092
https://bugzilla.mozilla.org/show_bug.cgi?id=1448774
https://bugzilla.mozilla.org/show_bug.cgi?id=1449898
https://bugzilla.mozilla.org/show_bug.cgi?id=1452075
https://bugzilla.mozilla.org/show_bug.cgi?id=1441941
https://bugzilla.mozilla.org/show_bug.cgi?id=1436117
https://bugzilla.mozilla.org/show_bug.cgi?id=1426353
https://bugzilla.mozilla.org/show_bug.cgi?id=1416045
https://bugzilla.mozilla.org/show_bug.cgi?id=1437325
https://bugzilla.mozilla.org/show_bug.cgi?id=1447969
https://bugzilla.mozilla.org/show_bug.cgi?id=1449548
https://bugzilla.mozilla.org/show_bug.cgi?id=1319157
https://bugzilla.mozilla.org/show_bug.cgi?id=1436482
https://bugzilla.mozilla.org/show_bug.cgi?id=1438025
https://bugzilla.mozilla.org/show_bug.cgi?id=1432358
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840
https://bugzilla.mozilla.org/show_bug.cgi?id=1451908
https://bugzilla.mozilla.org/show_bug.cgi?id=1444086
https://bugzilla.mozilla.org/show_bug.cgi?id=1424107
https://security.archlinux.org/CVE-2018-5150
https://security.archlinux.org/CVE-2018-5151
https://security.archlinux.org/CVE-2018-5152
https://security.archlinux.org/CVE-2018-5153
https://security.archlinux.org/CVE-2018-5154
https://security.archlinux.org/CVE-2018-5155
https://security.archlinux.org/CVE-2018-5157
https://security.archlinux.org/CVE-2018-5158
https://security.archlinux.org/CVE-2018-5159
https://security.archlinux.org/CVE-2018-5160
https://security.archlinux.org/CVE-2018-5163
https://security.archlinux.org/CVE-2018-5164
https://security.archlinux.org/CVE-2018-5166
https://security.archlinux.org/CVE-2018-5167
https://security.archlinux.org/CVE-2018-5168
https://security.archlinux.org/CVE-2018-5169
https://security.archlinux.org/CVE-2018-5172
https://security.archlinux.org/CVE-2018-5173
https://security.archlinux.org/CVE-2018-5175
https://security.archlinux.org/CVE-2018-5176
https://security.archlinux.org/CVE-2018-5177
https://security.archlinux.org/CVE-2018-5180
https://security.archlinux.org/CVE-2018-5181
https://security.archlinux.org/CVE-2018-5182
Workaround
None.