ArchLinux: 201902-2: firefox: multiple issues
Summary
- CVE-2018-18500 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 65.0 that can
occur while parsing an HTML5 stream in concert with custom HTML
elements. The stream parser object is freed while still in use, leading
to a potentially exploitable crash.
- CVE-2018-18501 (arbitrary code execution)
Several memory safety bugs have been found in Firefox < 65.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2018-18502 (arbitrary code execution)
Several memory safety bugs have been found in Firefox < 65.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2018-18503 (arbitrary code execution)
A memory corruption vulnerability has been found in the Audio Buffer
component of Firefox < 65.0. When JavaScript is used to create and
manipulate an audio buffer, a potentially exploitable crash may occur
because of a compartment mismatch in some situations.
- CVE-2018-18504 (arbitrary code execution)
A memory corruption and out-of-bounds read have been found in Firefox <
65.0 that can occur when the buffer of a texture client is freed while
it is still in use during graphics operations. This results in a
potentially exploitable crash and the possibility of reading from the
memory of the freed buffers.
- CVE-2018-18505 (privilege escalation)
A privilege escalation issue has been found in Firefox < 65.0. An
earlier fix for an Inter-process Communication (IPC) vulnerability,
CVE-2011-3079, added authentication to communication between IPC
endpoints and server parents during IPC process creation. This
authentication is insufficient for channels created after the IPC
process is started, leading to the authentication not being correctly
applied to later channels. This could allow for a sandbox escape
through IPC channels due to lack of message validation in the listener
process.
- CVE-2018-18506 (access restriction bypass)
When proxy auto-detection is enabled in Firefox < 65.0, if a web server
serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded
locally, this PAC file can specify that requests to localhost are to be
sent through the proxy to another server. This behavior is disallowed by
default when a proxy is manually configured, but when enabled through a
PAC file it could allow attacks on services and tools that bind to
localhost for networked behavior if they are accessed through browsing.
Resolution
Upgrade to 65.0-1.
# pacman -Syu "firefox>=65.0-1"
The problems have been fixed upstream in version 65.0.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18500
https://bugzilla.mozilla.org/show_bug.cgi?id=1510114
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1512450%2C1517542%2C1513201%2C1460619%2C1502871%2C1516738%2C1516514
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18502
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1499426%2C1480090%2C1472990%2C1514762%2C1501482%2C1505887%2C1508102%2C1508618%2C1511580%2C1493497%2C1510145%2C1516289%2C1506798%2C1512758
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18503
https://bugzilla.mozilla.org/show_bug.cgi?id=1509442
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18504
https://bugzilla.mozilla.org/show_bug.cgi?id=1496413
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18505
https://bugzilla.mozilla.org/show_bug.cgi?id=1497749
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18506
https://bugzilla.mozilla.org/show_bug.cgi?id=1503393
https://security.archlinux.org/CVE-2018-18500
https://security.archlinux.org/CVE-2018-18501
https://security.archlinux.org/CVE-2018-18502
https://security.archlinux.org/CVE-2018-18503
https://security.archlinux.org/CVE-2018-18504
https://security.archlinux.org/CVE-2018-18505
https://security.archlinux.org/CVE-2018-18506
Workaround
None.