Arch Linux Security Advisory ASA-201805-10
==========================================

Severity: Critical
Date    : 2018-05-13
CVE-ID  : CVE-2018-5150 CVE-2018-5151 CVE-2018-5152 CVE-2018-5153
          CVE-2018-5154 CVE-2018-5155 CVE-2018-5157 CVE-2018-5158
          CVE-2018-5159 CVE-2018-5160 CVE-2018-5163 CVE-2018-5164
          CVE-2018-5166 CVE-2018-5167 CVE-2018-5168 CVE-2018-5169
          CVE-2018-5172 CVE-2018-5173 CVE-2018-5175 CVE-2018-5176
          CVE-2018-5177 CVE-2018-5180 CVE-2018-5181 CVE-2018-5182
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-693

Summary
=======

The package firefox before version 60.0-1 is vulnerable to multiple issues including arbitrary code execution, same-origin policy bypass, access restriction bypass, content spoofing, denial of service, information disclosure and sandbox escape.

Resolution
==========

Upgrade to 60.0-1.

# pacman -Syu "firefox>=60.0-1"

The problems have been fixed upstream in version 60.0.

Workaround
==========

None.

Description
===========

- CVE-2018-5150 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 60.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.

- CVE-2018-5151 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 60.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.

- CVE-2018-5152 (information disclosure)

An information disclosure vulnerability has been found in Firefox < 60.0. WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. For example, this allows for the interception of the username and an encrypted password during login to Firefox Accounts.
This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in.

- CVE-2018-5153 (information disclosure)

An information disclosure vulnerability has been found in Firefox < 60.0. If WebSocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read, with the read memory sent to the originating server in response.

- CVE-2018-5154 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 60.0 while enumerating attributes during SVG animations with clip paths.

- CVE-2018-5155 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 60.0 while adjusting layout during SVG animations with text paths.

- CVE-2018-5157 (same-origin policy bypass)

A same-origin policy bypass vulnerability has been found in the PDF viewer of Firefox < 60.0, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website.

- CVE-2018-5158 (arbitrary code execution)

A vulnerability caused by insufficient sanitization of PostScript calculator functions has been found in the PDF viewer of Firefox < 60.0, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.

- CVE-2018-5159 (arbitrary code execution)

An integer overflow vulnerability has been found in the Skia library used in Firefox < 60.0, due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content.
- CVE-2018-5160 (arbitrary code execution)

An uninitialized memory use vulnerability has been found in the WebRTC component of Firefox < 60.0, which can use a WrappedI420Buffer pixel buffer whose owning image object can be freed while it is still in use. This can result in the WebRTC encoder using uninitialized memory, leading to a potentially exploitable crash.

- CVE-2018-5163 (sandbox escape)

A sandbox escape vulnerability has been found in Firefox < 60.0. If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process' privileges, escaping the sandbox on content processes.

- CVE-2018-5164 (access restriction bypass)

A Content Security Policy (CSP) bypass has been found in Firefox < 60.0, where the CSP is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could allow script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks.

- CVE-2018-5166 (access restriction bypass)

WebExtensions in Firefox before 60.0 can use request redirection and a filterResponseData filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission.

- CVE-2018-5167 (content spoofing)

The web console and JavaScript debugger in Firefox < 60.0 do not sanitize all output that can be hyperlinked. Both will display chrome: links as active, clickable hyperlinks in their output. Websites should not be able to directly link to internal chrome pages. Additionally, the JavaScript debugger will display javascript: links, which users could be tricked into clicking by malicious sites.
- CVE-2018-5168 (access restriction bypass)

Sites can bypass security checks on permissions to install lightweight themes in Firefox before 60.0 by manipulating the baseURI property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images.

- CVE-2018-5169 (access restriction bypass)

If manipulated hyperlinked text with a chrome: URL contained in it is dragged and dropped on the "home" icon in Firefox before 60.0, the home page can be reset to include a normally-unlinkable chrome page as one of the home page tabs.

- CVE-2018-5172 (arbitrary code execution)

The Live Bookmarks page and the PDF viewer in Firefox before 60.0 can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page, but does not allow for privilege escalation.

- CVE-2018-5173 (content spoofing)

The filename appearing in the Downloads panel in Firefox before 60.0 improperly renders some Unicode characters, allowing for the file name to be spoofed. This can be used to obscure the file extension of potentially executable files from user view in the panel.

- CVE-2018-5175 (access restriction bypass)

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic' has been found in Firefox < 60.0. If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the require.js library that is part of Firefox's Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts.
- CVE-2018-5176 (information disclosure)

The JSON Viewer in Firefox before 60.0 displays clickable hyperlinks for strings that are parseable as URLs, including javascript: links. If a JSON file contains malicious JavaScript script embedded as javascript: links, users may be tricked into clicking and running this code in the context of the JSON Viewer. This can allow for the theft of cookies and authorization tokens which are accessible to that context.

- CVE-2018-5177 (denial of service)

A vulnerability exists in the XSLT component of Firefox before 60.0, during number formatting, where a negative buffer size may be allocated in some instances, leading to a buffer overflow and crash if it occurs.

- CVE-2018-5180 (arbitrary code execution)

A use-after-free vulnerability can occur during WebGL operations in Firefox before 60.0. While this results in a potentially exploitable crash, the vulnerability is limited because the memory is freed and reused in a brief window of time during the freeing of the same callstack.

- CVE-2018-5181 (access restriction bypass)

If a URL using the file: protocol is dragged and dropped onto an open tab of Firefox before 60.0 that is running in a different child process, the tab will open a local file corresponding to the dropped URL, contrary to policy. One way to make the target tab open more reliably in a separate process is to open it with the noopener keyword.

- CVE-2018-5182 (access restriction bypass)

If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the address bar of Firefox before 60.0, the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent file: URL.

Impact
======

A remote attacker can bypass various security mechanisms including the sandbox and the same-origin policy, access sensitive information and execute arbitrary code on the affected host.
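The Resolution section above gives the fixed package version; the following script is an added example (not part of the Arch advisory) that checks whether an installed firefox package is still below 60.0-1, splitting pacman's pkgver-pkgrel strings the way pacman's vercmp does. It assumes numeric version components without an epoch and that "pacman -Q firefox" prints "firefox VERSION".

```shell
#!/bin/sh
# Added example (not part of the Arch advisory): report whether an installed
# firefox package is still affected by ASA-201805-10. Assumes numeric
# pkgver-pkgrel version strings without an epoch, as for the versions at issue.
FIXED_VERSION="60.0-1"

# version_lt A B: exit 0 when package version A is older than B.
# Splits "pkgver-pkgrel" at the last dash (as pacman does), compares pkgver
# component by component, then pkgrel; missing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" '
    function cmp_dotted(x, y,    xa, ya, nx, ny, n, i, xv, yv) {
        nx = split(x, xa, "."); ny = split(y, ya, ".")
        n = (nx > ny) ? nx : ny
        for (i = 1; i <= n; i++) {
            xv = (i <= nx) ? xa[i] + 0 : 0
            yv = (i <= ny) ? ya[i] + 0 : 0
            if (xv != yv) return (xv < yv) ? -1 : 1
        }
        return 0
    }
    BEGIN {
        ai = match(a, /-[^-]*$/); av = ai ? substr(a, 1, ai - 1) : a
        ar = ai ? substr(a, ai + 1) : "0"
        bi = match(b, /-[^-]*$/); bv = bi ? substr(b, 1, bi - 1) : b
        br = bi ? substr(b, bi + 1) : "0"
        r = cmp_dotted(av, bv)
        if (r == 0) r = cmp_dotted(ar, br)
        exit ((r < 0) ? 0 : 1)
    }'
}
# firefox_affected VERSION: exit 0 when VERSION is below the fixed version.
firefox_affected() {
    version_lt "$1" "$FIXED_VERSION"
}
# installed_firefox_version: print the version field of "pacman -Q firefox"
# (output looks like "firefox 59.0.3-1"); prints nothing if not installed.
installed_firefox_version() {
    pacman -Q firefox 2>/dev/null | awk '{ print $2 }'
}
# Run with --check on an Arch host to report the package status.
if [ "${1:-}" = "--check" ]; then
    ver="$(installed_firefox_version)"
    if [ -n "$ver" ] && firefox_affected "$ver"; then
        echo "firefox $ver is affected: pacman -Syu \"firefox>=$FIXED_VERSION\""
    else
        echo "firefox ${ver:-(not installed)}: not affected by ASA-201805-10"
    fi
fi
```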
References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2018-11
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5150
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1388020%2C1433609%2C1409440%...
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5151
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1445234%2C1449530%2C1437455%...
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5152
https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5153
https://bugzilla.mozilla.org/show_bug.cgi?id=1436809
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5154
https://bugzilla.mozilla.org/show_bug.cgi?id=1443092
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5155
https://bugzilla.mozilla.org/show_bug.cgi?id=1448774
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5157
https://bugzilla.mozilla.org/show_bug.cgi?id=1449898
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158
https://bugzilla.mozilla.org/show_bug.cgi?id=1452075
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5159
https://bugzilla.mozilla.org/show_bug.cgi?id=1441941
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5160
https://bugzilla.mozilla.org/show_bug.cgi?id=1436117
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5163
https://bugzilla.mozilla.org/show_bug.cgi?id=1426353
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5164
https://bugzilla.mozilla.org/show_bug.cgi?id=1416045
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5166
https://bugzilla.mozilla.org/show_bug.cgi?id=1437325
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5167
https://bugzilla.mozilla.org/show_bug.cgi?id=1447969
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5168
https://bugzilla.mozilla.org/show_bug.cgi?id=1449548
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5169
https://bugzilla.mozilla.org/show_bug.cgi?id=1319157
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5172
https://bugzilla.mozilla.org/show_bug.cgi?id=1436482
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5173
https://bugzilla.mozilla.org/show_bug.cgi?id=1438025
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5175
https://bugzilla.mozilla.org/show_bug.cgi?id=1432358
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5176
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5177
https://bugzilla.mozilla.org/show_bug.cgi?id=1451908
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5180
https://bugzilla.mozilla.org/show_bug.cgi?id=1444086
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5181
https://bugzilla.mozilla.org/show_bug.cgi?id=1424107
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5182
https://security.archlinux.org/CVE-2018-5150
https://security.archlinux.org/CVE-2018-5151
https://security.archlinux.org/CVE-2018-5152
https://security.archlinux.org/CVE-2018-5153
https://security.archlinux.org/CVE-2018-5154
https://security.archlinux.org/CVE-2018-5155
https://security.archlinux.org/CVE-2018-5157
https://security.archlinux.org/CVE-2018-5158
https://security.archlinux.org/CVE-2018-5159
https://security.archlinux.org/CVE-2018-5160
https://security.archlinux.org/CVE-2018-5163
https://security.archlinux.org/CVE-2018-5164
https://security.archlinux.org/CVE-2018-5166
https://security.archlinux.org/CVE-2018-5167
https://security.archlinux.org/CVE-2018-5168
https://security.archlinux.org/CVE-2018-5169
https://security.archlinux.org/CVE-2018-5172
https://security.archlinux.org/CVE-2018-5173
https://security.archlinux.org/CVE-2018-5175
https://security.archlinux.org/CVE-2018-5176
https://security.archlinux.org/CVE-2018-5177
https://security.archlinux.org/CVE-2018-5180
https://security.archlinux.org/CVE-2018-5181
https://security.archlinux.org/CVE-2018-5182