ArchLinux: 201902-16: firefox: multiple issues

    Date18 Feb 2019
    CategoryArchLinux
    554
    Posted ByLinuxSecurity Advisories
    The package firefox before version 65.0.1-1 is vulnerable to multiple issues including arbitrary code execution and same-origin policy bypass.
    Arch Linux Security Advisory ASA-201902-16
    ==========================================
    
    Severity: High
    Date    : 2019-02-13
    CVE-ID  : CVE-2018-18356 CVE-2018-18511 CVE-2019-5785
    Package : firefox
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-896
    
    Summary
    =======
    
    The package firefox before version 65.0.1-1 is vulnerable to multiple
    issues including arbitrary code execution and same-origin policy
    bypass.
    
    Resolution
    ==========
    
    Upgrade to 65.0.1-1.
    
    # pacman -Syu "firefox>=65.0.1-1"
    
    The problems have been fixed upstream in version 65.0.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2018-18356 (arbitrary code execution)
    
    A use-after-free has been found in the Skia component of chromium
    before 71.0.3578.80 and firefox before 65.0.1.
    
    - CVE-2018-18511 (same-origin policy bypass)
    
    A cross-origin theft of images issue has been found in the
    ImageBitmapRenderingContext component of firefox 65.0, where cross-
    origin images can be read from a canvas element in violation of the
    same-origin policy using the transferFromImageBitmap method. The issue
    has been fixed in 65.0.1 and versions prior to 65.0 were not affected.
    
    - CVE-2019-5785 (arbitrary code execution)
    
    An integer overflow issue has been found in the Skia component of
    firefox before 65.0.1.
    
    Impact
    ======
    
    A remote attacker can bypass the same-origin policy to access sensitive
    information, or execute arbitrary code, via a crafted web content.
    
    References
    ==========
    
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/
    https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
    https://bugs.chromium.org/p/chromium/issues/detail?id=883666
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2018-18356
    https://bugzilla.mozilla.org/show_bug.cgi?id=1525817
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2019-5785
    https://bugzilla.mozilla.org/show_bug.cgi?id=1526218
    https://bugzilla.mozilla.org/show_bug.cgi?id=1525433
    https://googleprojectzero.blogspot.com/2019/02/the-curious-case-of-convexity-confusion.html
    https://security.archlinux.org/CVE-2018-18356
    https://security.archlinux.org/CVE-2018-18511
    https://security.archlinux.org/CVE-2019-5785
    
    You are not authorised to post comments.

    LinuxSecurity Poll

    In your opinion, what is the biggest advantage associated with choosing open-source software/products?

    Message!

    Poll results are hidden from public viewing.

    You are not authorized to vote on this poll.

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 4 answer(s).
    /component/communitypolls/?task=poll.vote
    8
    radio
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.