MGASA-2020-0009 - Updated mozjs60 packages fix security vulnerability

Publication date: 05 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0009.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-11707,
     CVE-2019-11708

The updated packages fix security vulnerabilities:

A type confusion vulnerability can occur when manipulating JavaScript
objects due to issues in Array.pop. This can allow for an exploitable
crash. We are aware of targeted attacks in the wild abusing this flaw.
This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3,
and Thunderbird < 60.7.2. (CVE-2019-11707)

Insufficient vetting of parameters passed with the Prompt:Open IPC message
between child and parent processes can result in the non-sandboxed parent
process opening web content chosen by a compromised child process. When
combined with additional vulnerabilities this could result in executing
arbitrary code on the user's computer. This vulnerability affects Firefox
ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708)

The mozjs60 package has been updated to version 60.9.0, fixing these issues
and other bugs. The gjs package has been rebuilt against the updated mozjs60.

References:
- https://bugs.mageia.org/show_bug.cgi?id=25910
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/OS4TDQ75LLRCFOAXMPHTQE6XCPJGZQ6X/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/ZS2X4UWVWTNTNWOCAJYQO77GGSSI3H6K/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708

SRPMS:
- 7/core/mozjs60-60.9.0-1.mga7
- 7/core/gjs-1.56.2-1.1.mga7