Arch Linux Security Advisory ASA-201909-2
=========================================
Severity: High
Date    : 2019-09-04
CVE-ID  : CVE-2019-5849 CVE-2019-9812 CVE-2019-11734 CVE-2019-11735
          CVE-2019-11737 CVE-2019-11738 CVE-2019-11740 CVE-2019-11741
          CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746
          CVE-2019-11747 CVE-2019-11748 CVE-2019-11749 CVE-2019-11750
          CVE-2019-11752
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1036
Summary
=======
The package firefox before version 69.0-1 is vulnerable to multiple
issues including arbitrary code execution, cross-site scripting, same-
origin policy bypass, sandbox escape, access restriction bypass, denial
of service and information disclosure.
Resolution
==========
Upgrade to 69.0-1.
# pacman -Syu "firefox>=69.0-1"
The problems have been fixed upstream in version 69.0.
Workaround
==========
None.
Description
===========
- CVE-2019-5849 (information disclosure)
An out-of-bounds read vulnerability exists in the Skia graphics library
shipped in Firefox before 69.0, allowing for the possible leaking of
data from memory.
- CVE-2019-9812 (sandbox escape)
In Firefox before 69.0, given a compromised sandboxed content process
due to a separate vulnerability, it is possible to escape that sandbox
by loading accounts.firefox.com in that process and forcing a log-in to
a malicious Firefox Sync account. Preference settings that disable the
sandbox are then synchronized to the local machine and the compromised
browser would restart without the sandbox if a crash is triggered.
- CVE-2019-11734 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2019-11735 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2019-11737 (access restriction bypass)
In Firefox before 69.0, if a wildcard ('*') is specified for the host
in Content Security Policy (CSP) directives, any port or path
restriction of the directive will be ignored, leading to CSP directives
not being properly applied to content.
- CVE-2019-11738 (access restriction bypass)
In Firefox before 69.0, if a Content Security Policy (CSP) directive is
defined that uses a hash-based source that takes the empty string as
input, execution of any javascript: URIs will be allowed. This could
allow for malicious JavaScript content to be run, bypassing CSP
permissions.
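The following is an added example, not part of the advisory or of Firefox: a small audit a site operator can run over their own Content-Security-Policy header to find the two source forms described in CVE-2019-11737 and CVE-2019-11738, which Firefox before 69.0 did not enforce as written. The function name audit_csp and the sample policy are constructed for illustration, and the check assumes only a bare '*' host (not '*.example.org') is the affected wildcard form.

```python
import base64
import hashlib
import re

# Base64 digest of the empty string for each hash algorithm CSP accepts.
EMPTY_DIGEST = {
    alg: base64.b64encode(hashlib.new(alg, b"").digest()).decode()
    for alg in ("sha256", "sha384", "sha512")
}
HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$", re.I)
# Optional scheme, a bare "*" host, then an optional port and an optional path.
WILDCARD_HOST = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?\*(?::(?P<port>\d+|\*))?(?P<path>/.*)?$", re.I)


def audit_csp(policy):
    """Return (directive, source, reason) tuples for one CSP header value."""
    findings = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        for src in tokens[1:]:
            h = HASH_SOURCE.match(src)
            if h:
                # CSP also accepts the base64url alphabet; normalise before comparing.
                digest = h.group(2).replace("-", "+").replace("_", "/")
                if digest == EMPTY_DIGEST[h.group(1).lower()]:
                    findings.append((name, src, "empty-string hash (CVE-2019-11738)"))
                continue
            w = WILDCARD_HOST.match(src)
            if not w:
                continue
            port, path = w.group("port"), w.group("path") or ""
            # ":*" and a bare "/" restrict nothing, so only real limits are reported.
            if (port and port != "*") or len(path) > 1:
                findings.append((name, src, "restriction on '*' host (CVE-2019-11737)"))
    return findings


# Constructed sample policy, not taken from any real site.
SAMPLE = (
    "default-src 'self'; "
    f"script-src https://*:8443 'sha256-{EMPTY_DIGEST['sha256']}'; "
    "img-src https://*/images/ *.example.org:443; style-src *"
)

if __name__ == "__main__":
    for directive, source, reason in audit_csp(SAMPLE):
        print(f"{directive}: {source} -> {reason}")
```

Any source it reports is one whose port, path or hash restriction was not applied by Firefox before 69.0, so the policy gave less protection on those clients than its text suggests.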
- CVE-2019-11740 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.
- CVE-2019-11741 (cross-site scripting)
In Firefox before 69.0, a compromised sandboxed content process can
perform a Universal Cross-site Scripting (UXSS) attack on content from
any site it can cause to be loaded in the same process. Because
addons.mozilla.org and accounts.firefox.com have close ties to the
Firefox product, malicious manipulation of these sites within the
browser can potentially be used to modify a user's Firefox
configuration. These two sites will now be isolated into their own
process and not allowed to be loaded in a standard content process.
- CVE-2019-11742 (same-origin policy bypass)
A same-origin policy violation can occur in Firefox before 69.0,
allowing the theft of cross-origin images through a combination of SVG
filters and a