Arch Linux Security Advisory ASA-202011-12
==========================================

Severity: Critical
Date    : 2020-11-17
CVE-ID  : CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26952
          CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959
          CVE-2020-26960 CVE-2020-26961 CVE-2020-26962 CVE-2020-26963
          CVE-2020-26965 CVE-2020-26967 CVE-2020-26968 CVE-2020-26969
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1279

Summary
=======

The package firefox before version 83.0-1 is vulnerable to multiple
issues including arbitrary code execution, access restriction bypass,
content spoofing, cross-site scripting, information disclosure,
insufficient validation, denial of service and incorrect calculation.

Resolution
==========

Upgrade to 83.0-1.

# pacman -Syu "firefox>=83.0-1"

The problems have been fixed upstream in version 83.0.

Workaround
==========

None.

Description
===========

- CVE-2020-15999 (arbitrary code execution)

A heap buffer overflow has been found in freetype2 before 2.10.4.
Malformed TTF files with PNG sbit glyphs can cause a heap buffer
overflow in Load_SBit_Png: FreeType narrows the PNG image width and
height to 16-bit metrics fields and sizes the target bitmap from those
truncated values, while libpng keeps the original 32-bit values in its
png_struct and decodes the full image. If the original width and/or
height are greater than 65535, the allocated buffer cannot hold the
bitmap and the decode writes past its end.
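The size mismatch described above, modelled in C as an added example. This is not FreeType's code: the function names are illustrative, the constructed IHDR dimensions are made up, and the 16-bit limit used in the fixed variant is the boundary the description implies, not necessarily the exact constant in the upstream commit linked under References.

```c
/* Added example modelling the CVE-2020-15999 size mismatch. It is not
 * FreeType's code: FreeType kept the PNG width/height in 16-bit metrics
 * fields and sized its bitmap from them, while libpng wrote rows using
 * the original 32-bit IHDR values. Function names are illustrative. */
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 4u   /* RGBA output is requested from libpng */

/* Bytes libpng writes for the decoded image (64-bit so it cannot wrap). */
static uint64_t png_output_bytes(uint32_t width, uint32_t height)
{
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* Vulnerable sizing: the dimensions are narrowed to 16 bits, as the
 * FT_UShort metrics fields did, before the buffer size is computed. */
static uint64_t sbit_alloc_bytes_vulnerable(uint32_t width, uint32_t height)
{
    uint16_t w16 = (uint16_t)width;    /* 65536 -> 0, 65537 -> 1, ... */
    uint16_t h16 = (uint16_t)height;
    return (uint64_t)w16 * h16 * BYTES_PER_PIXEL;
}

/* Fixed sizing: refuse any dimension that does not survive the narrowing.
 * Returns 0, meaning "allocate nothing, reject the glyph". The limit here
 * is the 16-bit boundary implied by the description; the upstream commit
 * applies its own bound before the metrics are assigned. */
static uint64_t sbit_alloc_bytes_fixed(uint32_t width, uint32_t height)
{
    if (width > 0xFFFFu || height > 0xFFFFu)
        return 0;
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* Bytes a decode would write past the vulnerable buffer (0 = fits). */
static uint64_t overflow_bytes(uint32_t width, uint32_t height)
{
    uint64_t need = png_output_bytes(width, height);
    uint64_t have = sbit_alloc_bytes_vulnerable(width, height);
    return need > have ? need - have : 0;
}

int main(void)
{
    /* Constructed IHDR dimensions: one benign glyph, two oversized ones. */
    struct { uint32_t w, h; } cases[] = { {32, 32}, {65536, 1}, {65537, 2} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h;
        printf("%ux%u: libpng writes %llu, vulnerable alloc %llu, "
               "overflow %llu, fixed alloc %llu\n", w, h,
               (unsigned long long)png_output_bytes(w, h),
               (unsigned long long)sbit_alloc_bytes_vulnerable(w, h),
               (unsigned long long)overflow_bytes(w, h),
               (unsigned long long)sbit_alloc_bytes_fixed(w, h));
    }
    return 0;
}
```

The 65536x1 case is the instructive one: the truncated width is 0, so the vulnerable path allocates nothing at all while libpng still writes 262144 bytes. The example only computes the sizes; it does not perform the out-of-bounds write.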

- CVE-2020-16012 (information disclosure)

An information disclosure issue has been found in Firefox before 83.0
and chromium before 87.0.4280.66. When drawing a transparent image on
top of an unknown cross-origin image, the Skia library drawImage
function took a variable amount of time depending on the content of the
underlying image. This resulted in potential cross-origin information
exposure of image content through timing side-channel attacks.

- CVE-2020-26951 (access restriction bypass)

A parsing and event loading mismatch has been found in Firefox's SVG
code before 83.0 and could have allowed load events to fire, even after
sanitization. An attacker already capable of exploiting an XSS
vulnerability in privileged internal pages could have used this attack
to bypass the built-in sanitizer.

- CVE-2020-26952 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where incorrect
bookkeeping of functions inlined during JIT compilation could have led
to memory corruption and a potentially exploitable crash when handling
out-of-memory errors.

- CVE-2020-26953 (content spoofing)

A security issue has been found in Firefox before 83.0 where it was
possible to cause the browser to enter fullscreen mode without
displaying the security UI; thus making it possible to attempt a
phishing attack or otherwise confuse the user.

- CVE-2020-26956 (cross-site scripting)

A security issue has been found in Firefox before 83.0 where, in some
cases, removing HTML elements during sanitization would keep existing
SVG event handlers and therefore lead to XSS.

- CVE-2020-26958 (access restriction bypass)

Firefox before 83.0 did not block execution of scripts with incorrect
MIME types when the response was intercepted and cached through a
ServiceWorker. This could lead to a cross-site script inclusion
vulnerability, or a Content Security Policy bypass.

- CVE-2020-26959 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where, during
browser shutdown, reference decrementing could have occurred on a
previously freed object, resulting in a use-after-free, memory
corruption, and a potentially exploitable crash.

- CVE-2020-26960 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where, if the
Compact() method was called on an nsTArray, the array could have been
reallocated without updating other pointers, leading to a potential
use-after-free and exploitable crash.
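The dangling-pointer pattern behind this bug, as an added example in C. It is not Mozilla's nsTArray: a growable array whose compact() moves its storage, a raw pointer taken before the move, and a checked reference that refuses to dereference once the storage has been reallocated. The IntArray/IntRef names and the generation-counter scheme are this example's choices, not the upstream fix.

```c
/* Added example (not Mozilla's nsTArray): a growable int array whose
 * compact() reallocates its storage, plus a checked reference type that
 * detects references taken before the move instead of dereferencing
 * freed memory. The generation-counter scheme is illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int32_t *data;
    size_t   len;
    size_t   cap;
    uint32_t generation;   /* incremented whenever data may have moved */
} IntArray;

/* A reference that remembers which generation of storage it points into. */
typedef struct {
    IntArray *arr;
    size_t    index;
    uint32_t  generation;
} IntRef;

static void arr_init(IntArray *a)
{
    memset(a, 0, sizeof *a);
}

static void arr_free(IntArray *a)
{
    free(a->data);
    arr_init(a);
}

/* Append, doubling capacity as needed. Returns 0 on allocation failure. */
static int arr_push(IntArray *a, int32_t v)
{
    if (a->len == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        int32_t *n = realloc(a->data, ncap * sizeof *n);
        if (!n)
            return 0;
        a->data = n;
        a->cap = ncap;
        a->generation++;      /* storage may have moved */
    }
    a->data[a->len++] = v;
    return 1;
}

/* Shrink capacity to length. Returns 1 if storage was replaced. Any raw
 * pointer into the old storage dangles after this call. */
static int arr_compact(IntArray *a)
{
    if (a->cap == a->len)
        return 0;
    int32_t *n = NULL;
    if (a->len) {
        n = malloc(a->len * sizeof *n);
        if (!n)
            return 0;
        memcpy(n, a->data, a->len * sizeof *n);
    }
    free(a->data);
    a->data = n;
    a->cap = a->len;
    a->generation++;
    return 1;
}

static IntRef arr_ref(IntArray *a, size_t index)
{
    IntRef r = { a, index, a->generation };
    return r;
}

/* Resolve a reference; NULL if the storage moved since it was taken or
 * the index is out of range. */
static int32_t *ref_get(IntRef r)
{
    if (r.generation != r.arr->generation || r.index >= r.arr->len)
        return NULL;
    return &r.arr->data[r.index];
}

/* Replays the bug: take a pointer, compact, then try to use the pointer.
 * Returns 1 if the stale reference was refused and a fresh one works. */
static int demo_stale_reference_caught(void)
{
    IntArray a;
    arr_init(&a);
    for (int32_t i = 0; i < 10; i++)      /* cap grows 4 -> 8 -> 16, len 10 */
        arr_push(&a, i * 10);

    IntRef r = arr_ref(&a, 3);
    int32_t *raw = ref_get(r);           /* the raw pointer the bug kept */
    int before_ok = raw && *raw == 30;

    int moved = arr_compact(&a);         /* raw now points into freed memory */
    int caught = ref_get(r) == NULL;     /* the checked reference refuses */

    IntRef fresh = arr_ref(&a, 3);       /* re-resolve after the move */
    int32_t *p = ref_get(fresh);
    int after_ok = p && *p == 30;

    arr_free(&a);
    return before_ok && moved && caught && after_ok;
}

int main(void)
{
    printf("stale reference caught: %s\n",
           demo_stale_reference_caught() ? "yes" : "no");
    return 0;
}
```

The point is that `raw` is never touched after arr_compact(): the checked reference carries the generation it was taken at, so the stale access is turned into a NULL result instead of a read from freed memory. The same discipline applies to any container that may reallocate, whether the trigger is a compaction or a growth.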

- CVE-2020-26961 (insufficient validation)

A security issue has been found in Firefox before 83.0. When DNS over
HTTPS is in use, Firefox intentionally filters RFC 1918 and related IP
ranges from the responses, as these do not make sense coming from a
public DoH resolver. However, when an IPv4 address was mapped through
IPv6 (an IPv4-mapped IPv6 address of the form ::ffff:a.b.c.d), the
embedded address was erroneously let through, leaving a potential DNS
rebinding attack.
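The address filter described above, as an added example in C. It is not Firefox's TRR implementation: a vulnerable variant that checks plain IPv4 and native IPv6 answers but passes ::ffff:a.b.c.d mapped addresses untouched, beside a fixed variant that unwraps the embedded IPv4 address first. The blocked ranges, function names and sample answers are this example's choices; Firefox's exact list is in the bug linked under References.

```c
/* Added example (not Firefox's TRR code): filtering DoH answers that point
 * into private or local address space. The vulnerable filter treats an
 * IPv4-mapped IPv6 answer (::ffff:a.b.c.d) as ordinary IPv6; the fixed one
 * unwraps it and applies the IPv4 rules. Ranges and names are illustrative. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Host-order IPv4 address in RFC 1918 or another range a public resolver
 * should never hand back (loopback, link-local, this-network). */
static int ipv4_is_local(uint32_t ip)
{
    return (ip >> 24) == 10          /* 10.0.0.0/8 */
        || (ip >> 20) == 0xAC1       /* 172.16.0.0/12 */
        || (ip >> 16) == 0xC0A8      /* 192.168.0.0/16 */
        || (ip >> 24) == 127         /* 127.0.0.0/8 */
        || (ip >> 16) == 0xA9FE      /* 169.254.0.0/16 */
        || (ip >> 24) == 0;          /* 0.0.0.0/8 */
}

/* Native IPv6 ranges with the same meaning: ::, ::1, fe80::/10, fc00::/7. */
static int ipv6_is_local(const unsigned char b[16])
{
    static const unsigned char unspec[16] = {0};
    static const unsigned char loopback[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
    if (memcmp(b, unspec, 16) == 0 || memcmp(b, loopback, 16) == 0)
        return 1;
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80)
        return 1;
    if ((b[0] & 0xfe) == 0xfc)
        return 1;
    return 0;
}

/* If b is ::ffff:a.b.c.d, store the embedded IPv4 address in host order. */
static int ipv6_unwrap_mapped_v4(const unsigned char b[16], uint32_t *v4)
{
    static const unsigned char prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (memcmp(b, prefix, 12) != 0)
        return 0;
    *v4 = ((uint32_t)b[12] << 24) | ((uint32_t)b[13] << 16)
        | ((uint32_t)b[14] << 8)  |  (uint32_t)b[15];
    return 1;
}

/* Shared parsing: 1 = accept, 0 = reject, -1 = not an IP literal. */
static int doh_answer_allowed(const char *addr, int unwrap_mapped)
{
    unsigned char b[16];
    uint32_t v4;
    if (inet_pton(AF_INET, addr, b) == 1) {
        memcpy(&v4, b, 4);
        return !ipv4_is_local(ntohl(v4));
    }
    if (inet_pton(AF_INET6, addr, b) == 1) {
        if (unwrap_mapped && ipv6_unwrap_mapped_v4(b, &v4))
            return !ipv4_is_local(v4);
        return !ipv6_is_local(b);
    }
    return -1;
}

/* Vulnerable behaviour: mapped addresses are judged only as IPv6. */
static int doh_answer_allowed_vulnerable(const char *addr)
{
    return doh_answer_allowed(addr, 0);
}

/* Fixed behaviour: the embedded IPv4 address is checked against RFC 1918. */
static int doh_answer_allowed_fixed(const char *addr)
{
    return doh_answer_allowed(addr, 1);
}

int main(void)
{
    /* Constructed answers a malicious authoritative server might return. */
    const char *answers[] = { "192.168.1.1", "::ffff:192.168.1.1",
                              "::ffff:203.0.113.7", "fe80::1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-22s vulnerable=%d fixed=%d\n", answers[i],
               doh_answer_allowed_vulnerable(answers[i]),
               doh_answer_allowed_fixed(answers[i]));
    return 0;
}
```

The rebinding attack relies on the second answer: "::ffff:192.168.1.1" is accepted by the vulnerable filter and rejected by the fixed one, while a mapped public address such as "::ffff:203.0.113.7" passes both. The general lesson is that any allow/deny decision on an address has to be made on its canonical form, after every encoding that can hide the real target has been stripped.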

- CVE-2020-26962 (access restriction bypass)

A security issue has been found in Firefox before 83.0, where
cross-origin iframes that contained a login form could have been
recognized by the login autofill service and populated. This could have
been used in clickjacking attacks, and the filled credentials could also
be read across partitions under dynamic first-party isolation.

- CVE-2020-26963 (denial of service)

A denial of service issue has been found in Firefox before 83.0, where
repeated calls to the history and location interfaces could have been
used to hang the browser. This was addressed by introducing rate-
limiting to these API calls.

- CVE-2020-26965 (information disclosure)

An information disclosure issue has been found in Firefox before 83.0.
Some websites offer a "Show Password" feature where clicking a button
changes a password field into a plain text field, revealing the typed
password. When a user typed a password while using a software keyboard
that remembers user input and then used that feature, the change of the
field's type triggered a keyboard layout change, giving the software
keyboard the opportunity to remember the typed password.

- CVE-2020-26967 (incorrect calculation)

A security issue has been found in Firefox before 83.0 where, when
listening for page changes with a Mutation Observer, a malicious web
page could confuse Firefox Screenshots into interacting with elements
other than those that it injected into the page. This would lead to
internal errors and unexpected behavior in the Screenshots code.

- CVE-2020-26968 (arbitrary code execution)

Several memory safety issues have been found in Firefox before 83.0 and
Firefox ESR before 78.5. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these
could have been exploited to run arbitrary code.

- CVE-2020-26969 (arbitrary code execution)

Several memory safety issues have been found in Firefox before 83.0.
Some of these bugs showed evidence of memory corruption and Mozilla
presumes that with enough effort some of these could have been
exploited to run arbitrary code.

Impact
======

A remote attacker might be able to access sensitive information, bypass
security measures, trick a user into performing unwanted actions, crash
the browser or execute arbitrary code.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/
https://git.savannah.nongnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
https://savannah.nongnu.org/bugs/?59308
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-16012
https://bugzilla.mozilla.org/show_bug.cgi?id=1642028
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26951
https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952
https://bugzilla.mozilla.org/show_bug.cgi?id=1667685
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26953
https://bugzilla.mozilla.org/show_bug.cgi?id=1656741
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26956
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26958
https://bugzilla.mozilla.org/show_bug.cgi?id=1669355
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26959
https://bugzilla.mozilla.org/show_bug.cgi?id=1669466
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26960
https://bugzilla.mozilla.org/show_bug.cgi?id=1670358
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26961
https://bugzilla.mozilla.org/show_bug.cgi?id=1672528
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962
https://bugzilla.mozilla.org/show_bug.cgi?id=610997
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26963
https://bugzilla.mozilla.org/show_bug.cgi?id=1314912
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26965
https://bugzilla.mozilla.org/show_bug.cgi?id=1661617
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26967
https://bugzilla.mozilla.org/show_bug.cgi?id=1665820
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26968
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1551615%2C1607762%2C1656697%2C1657739%2C1660236%2C1667912%2C1671479%2C1671923
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1623920%2C1651705%2C1667872%2C1668876
https://security.archlinux.org/CVE-2020-15999
https://security.archlinux.org/CVE-2020-16012
https://security.archlinux.org/CVE-2020-26951
https://security.archlinux.org/CVE-2020-26952
https://security.archlinux.org/CVE-2020-26953
https://security.archlinux.org/CVE-2020-26956
https://security.archlinux.org/CVE-2020-26958
https://security.archlinux.org/CVE-2020-26959
https://security.archlinux.org/CVE-2020-26960
https://security.archlinux.org/CVE-2020-26961
https://security.archlinux.org/CVE-2020-26962
https://security.archlinux.org/CVE-2020-26963
https://security.archlinux.org/CVE-2020-26965
https://security.archlinux.org/CVE-2020-26967
https://security.archlinux.org/CVE-2020-26968
https://security.archlinux.org/CVE-2020-26969