[ASA-201902-2] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Mon Feb 11 16:05:21 UTC 2019


Arch Linux Security Advisory ASA-201902-2
=========================================

Severity: Critical
Date    : 2019-02-06
CVE-ID  : CVE-2018-18500 CVE-2018-18501 CVE-2018-18502 CVE-2018-18503
          CVE-2018-18504 CVE-2018-18505 CVE-2018-18506
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-862

Summary
=======

The package firefox before version 65.0-1 is vulnerable to multiple
issues including arbitrary code execution, privilege escalation and
access restriction bypass.

Resolution
==========

Upgrade to 65.0-1.

# pacman -Syu "firefox>=65.0-1"

The problems have been fixed upstream in version 65.0.

Workaround
==========

None.

Description
===========

- CVE-2018-18500 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 65.0 that
can occur while parsing an HTML5 stream in concert with custom HTML
elements. This results in the stream parser object being freed while
still in use, leading to a potentially exploitable crash.

- CVE-2018-18501 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 65.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-18502 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 65.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-18503 (arbitrary code execution)

A memory corruption vulnerability has been found in the Audio Buffer
component of Firefox < 65.0. When JavaScript is used to create and
manipulate an audio buffer, a potentially exploitable crash may occur
because of a compartment mismatch in some situations.

- CVE-2018-18504 (arbitrary code execution)

A memory corruption and out-of-bounds read have been found in Firefox <
65.0 that can occur when the buffer of a texture client is freed while
it is still in use during graphic operations. This results in a
potentially exploitable crash and the possibility of reading from the
memory of the freed buffers.

- CVE-2018-18505 (privilege escalation)

A privilege escalation issue has been found in Firefox < 65.0. An
earlier fix for an Inter-process Communication (IPC) vulnerability,
CVE-2011-3079, added authentication to communication between IPC
endpoints and server parents during IPC process creation. This
authentication is insufficient for channels created after the IPC
process is started, leading to the authentication not being correctly
applied to later channels. This could allow for a sandbox escape
through IPC channels due to lack of message validation in the listener
process.

- CVE-2018-18506 (access restriction bypass)

When proxy auto-detection is enabled in Firefox < 65.0, if a web server
serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded
locally, this PAC file can specify that requests to the localhost are
to be sent through the proxy to another server. This behavior is
disallowed by default when a proxy is manually configured, but when
enabled could allow for attacks on services and tools that bind to the
localhost for networked behavior if they are accessed through browsing.

Impact
======

A remote attacker might be able to execute arbitrary code via crafted
web content, or force requests to localhost to be sent through a proxy
to another server. A local attacker might be able to escape firefox's
sandbox via privilege escalation.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18500
https://bugzilla.mozilla.org/show_bug.cgi?id=1510114
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1512450%2C1517542%2C1513201%2C1460619%2C1502871%2C1516738%2C1516514
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18502
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1499426%2C1480090%2C1472990%2C1514762%2C1501482%2C1505887%2C1508102%2C1508618%2C1511580%2C1493497%2C1510145%2C1516289%2C1506798%2C1512758
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18503
https://bugzilla.mozilla.org/show_bug.cgi?id=1509442
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18504
https://bugzilla.mozilla.org/show_bug.cgi?id=1496413
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18505
https://bugzilla.mozilla.org/show_bug.cgi?id=1497749
https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18506
https://bugzilla.mozilla.org/show_bug.cgi?id=1503393
https://security.archlinux.org/CVE-2018-18500
https://security.archlinux.org/CVE-2018-18501
https://security.archlinux.org/CVE-2018-18502
https://security.archlinux.org/CVE-2018-18503
https://security.archlinux.org/CVE-2018-18504
https://security.archlinux.org/CVE-2018-18505
https://security.archlinux.org/CVE-2018-18506
