
Mageia: 2018-0396 Critical: Firefox Remote Code Execution Risks

October 14, 2018
MGASA-2018-0396 - Updated firefox packages fix security vulnerabilities

Summary

Updated firefox packages fix security vulnerabilities:
A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered (CVE-2018-12386).
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process (CVE-2018-12387).

References

- https://bugs.mageia.org/show_bug.cgi?id=23653

- https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/

- https://www.cve.org/CVERecord?id=CVE-2018-12386

- https://www.cve.org/CVERecord?id=CVE-2018-12387

Resolution

SRPMS

- 6/core/firefox-60.2.2-1.mga6

- 6/core/firefox-l10n-60.2.2-1.mga6
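
To confirm the update has reached every machine, the following added example (not part of the Mageia advisory) flags hosts whose firefox build is older than the fixed 60.2.2-1.mga6. The inventory format, host names and sample versions are constructed, and the comparison is a simplified rpm-style ordering that ignores epochs and tilde/caret markers.

```python
import re

FIXED = "60.2.2-1.mga6"  # fixed firefox build from this advisory's Resolution section

def _segments(s):
    # rpm compares alternating runs of digits and letters; separators are skipped
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style comparison of one version or release string."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run is newer than letters
        elif x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare VERSION-RELEASE strings: version first, then release."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def vulnerable_hosts(inventory):
    """Return hosts whose firefox build is older than FIXED."""
    flagged = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "firefox" and evr_cmp(parts[2], FIXED) < 0:
            flagged.append(parts[0])
    return flagged

# Constructed sample inventory, one "<host> <name> <version>-<release>" per line,
# e.g. collected with: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' firefox
SAMPLE = """\
ws01 firefox 60.2.2-1.mga6
ws02 firefox 60.2.1-1.mga6
ws03 firefox 52.9.0-1.mga6
ws04 firefox 60.2.2-1.1.mga6
ws05 thunderbird 52.9.1-1.mga6
"""

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE):
        print(f"{host}: firefox older than {FIXED}, update required")
```
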

Severity
critical

Publication date: 14 Oct 2018
URL: https://advisories.mageia.org/MGASA-2018-0396.html
Type: security
CVE: CVE-2018-12386, CVE-2018-12387
