Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 547
Alerts This Week
Warning Icon 1 547

Mageia 8: MGASA-2023-0056 Critical: Firefox Memory Write Threat

mageia
Calendar Grey February 20, 2023
Dist Mageia Esm H88
MGASA-2023-0057 outlines an important security patch for Chrome that resolves multiple vulnerabilities related to code execution and data disclosure risks.
An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled (CVE-2023-0767)

Summary

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled (CVE-2023-0767).
The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with that iframe triggers a redirect (CVE-2023-25728).
Permission prompts for opening external schemes were only shown for ContentPrincipals resulting in extensions being able to open them without user interaction via ExpandedPrincipals. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system (CVE-2023-25729).
A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks (CVE-2023-25730).
In EncodeInputStream, wen encoding data from an inputStream in xpcom the size of the input...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=31556

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/hSYAJS__-rw

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/zleRGChurmo

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88.html

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/

- https://www.cve.org/CVERecord?id=CVE-2023-0767

- https://www.cve.org/CVERecord?id=CVE-2023-25728

- https://www.cve.org/CVERecord?id=CVE-2023-25729

- https://www.cve.org/CVERecord?id=CVE-2023-25730

- https://www.cve.org/CVERecord?id=CVE-2023-25732

- https://www.cve.org/CVERecord?id=CVE-2023-25735

- https://www.cve.org/CVERecord?id=CVE-2023-25737

- https://www.cve.org/CVERecord?id=CVE-2023-25739

- https://www.cve.org/CVERecord?id=CVE-2023-25742

- https://www.cve.org/CVERecord?id=CVE-2023-25744

- https://www.cve.org/CVERecord?id=CVE-2023-25746

Resolution

SRPMS

- 8/core/firefox-102.8.0-1.mga8

- 8/core/firefox-l10n-102.8.0-1.mga8

- 8/core/nss-3.88.1-1.mga8

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 20 Feb 2023
URL: https://advisories.mageia.org/MGASA-2023-0056.html
Type: security
CVE: CVE-2023-0767, CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25732, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25742, CVE-2023-25744, CVE-2023-25746

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.