[ASA-201908-11] firefox: information disclosure

Jelle van der Waa jelle at archlinux.org
Sat Aug 24 13:39:19 UTC 2019


Arch Linux Security Advisory ASA-201908-11
==========================================

Severity: Medium
Date    : 2019-08-16
CVE-ID  : CVE-2019-11733
Package : firefox
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-1025

Summary
=======

The package firefox before version 68.0.2-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 68.0.2-1.

# pacman -Syu "firefox>=68.0.2-1"

The problem has been fixed upstream in version 68.0.2.

Workaround
==========

None.

Description
===========

An issue has been found in Firefox before 68.0.2. When a master
password is set, it is required to be entered before stored passwords
can be accessed in the 'Saved Logins' dialog. It was found that locally
stored passwords can be copied to the clipboard through the 'copy
password' context menu item without first entering the master password,
allowing for potential theft of stored passwords.

Impact
======

A local attacker is able to obtain stored passwords without first
entering the master password, leading to information disclosure.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/#CVE-2019-11733
https://bugzilla.mozilla.org/show_bug.cgi?id=1565780
https://security.archlinux.org/CVE-2019-11733