ArchLinux: 202004-6: firefox: arbitrary code execution

    Date 07 Apr 2020
    Posted By LinuxSecurity Advisories
    The package firefox before version 74.0.1-1 is vulnerable to arbitrary code execution.
    Arch Linux Security Advisory ASA-202004-6
    =========================================
    
    Severity: Critical
    Date    : 2020-04-04
    CVE-ID  : CVE-2020-6819 CVE-2020-6820
    Package : firefox
    Type    : arbitrary code execution
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1125
    
    Summary
    =======
    
    The package firefox before version 74.0.1-1 is vulnerable to arbitrary
    code execution.
    
    Resolution
    ==========
    
    Upgrade to 74.0.1-1.
    
    # pacman -Syu "firefox>=74.0.1-1"
    
    The problems have been fixed upstream in version 74.0.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2020-6819 (arbitrary code execution)
    
    A use-after-free vulnerability has been found in Firefox before 74.0.1
    where, under certain conditions, when running the nsDocShell destructor,
    a race condition can cause a use-after-free. Mozilla is aware of
    targeted attacks in the wild abusing this flaw.
    
    - CVE-2020-6820 (arbitrary code execution)
    
    A use-after-free vulnerability has been found in Firefox before 74.0.1
    where, under certain conditions, when handling a ReadableStream, a race
    condition can cause a use-after-free. Mozilla is aware of targeted
    attacks in the wild abusing this flaw.
    
    Impact
    ======
    
    A remote attacker can execute arbitrary code on the affected host.
    
    References
    ==========
    
    https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
    https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6819
    https://bugzilla.mozilla.org/show_bug.cgi?id=1620818
    https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6820
    https://bugzilla.mozilla.org/show_bug.cgi?id=1626728
    https://security.archlinux.org/CVE-2020-6819
    https://security.archlinux.org/CVE-2020-6820
    
    
