
Mageia 8: MGASA-2022-0220 Moderate: Firefox Memory Corruption Risks

June 4, 2022
Mageia advisory MGASA-2022-0220 addresses several vulnerabilities in Firefox and its associated packages on Mageia 8.

Summary

A malicious website could have learned the size of a cross-origin resource that supported Range requests (CVE-2022-31736).
A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash (CVE-2022-31737).
When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks (CVE-2022-31738).
On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash (CVE-2022-31740).
A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption (CVE-2022-31741).
An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led...

References

- https://bugs.mageia.org/show_bug.cgi?id=30498

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/e9q0AqO8t2k

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/ZghhNaaxnUA

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_79.html

- https://www.mozilla.org/en-US/security/advisories/mfsa2022-21/

- https://www.cve.org/CVERecord?id=CVE-2022-31736

- https://www.cve.org/CVERecord?id=CVE-2022-31737

- https://www.cve.org/CVERecord?id=CVE-2022-31738

- https://www.cve.org/CVERecord?id=CVE-2022-31740

- https://www.cve.org/CVERecord?id=CVE-2022-31741

- https://www.cve.org/CVERecord?id=CVE-2022-31742

- https://www.cve.org/CVERecord?id=CVE-2022-31747

Resolution

SRPMS

- 8/core/firefox-91.10.0-1.mga8

- 8/core/firefox-l10n-91.10.0-1.mga8

- 8/core/nspr-4.34-1.mga8

- 8/core/nss-3.79.0-1.mga8

Publication date: 04 Jun 2022
URL: https://advisories.mageia.org/MGASA-2022-0220.html
Type: security
CVE: CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31747
