[ASA-201906-20] firefox: sandbox escape
foxboron at archlinux.org
Mon Jul 1 19:00:23 UTC 2019
Arch Linux Security Advisory ASA-201906-20
Date : 2019-06-25
CVE-ID : CVE-2019-11708
Package : firefox
Type : sandbox escape
Remote : Yes
Link : https://security.archlinux.org/AVG-997
The package firefox before version 67.0.4-1 is vulnerable to sandbox
Upgrade to 67.0.4-1.
# pacman -Syu "firefox>=67.0.4-1"
The problem has been fixed upstream in version 67.0.4.
An issue has been found in Firefox before 67.0.4, where insufficient
vetting of parameters passed with the Prompt:Open IPC message between
child and parent processes can result in the non-sandboxed parent
process opening web content chosen by a compromised child process. When
combined with additional vulnerabilities, this could result in executing
arbitrary code on the user's computer.
An attacker could use this vulnerability, combined with another one, to
bypass the sandbox and execute arbitrary code on the host.
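An added example, not part of the original advisory: a shell check that flags firefox packages older than the fixed 67.0.4-1, for the local host or for an inventory of "host package version" lines. The host names, the inventory format and the function names are assumptions made for illustration; without pacman's vercmp, the comparison falls back to sort -V as an approximation.

```shell
#!/bin/sh
# Added example: find firefox packages that predate the fix in ASA-201906-20.
FIXED="67.0.4-1"   # fixed package version stated in the advisory

# ver_lt A B: succeed when version A is older than version B.
# Prefers pacman's own vercmp; otherwise approximates with sort -V
# (assumption: adequate for plain numeric versions without an epoch).
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# vulnerable_hosts: read "host package version" lines on stdin and print
# every host whose firefox package is older than FIXED.
vulnerable_hosts() {
    while read -r host pkg ver; do
        [ "$pkg" = "firefox" ] || continue
        if ver_lt "$ver" "$FIXED"; then
            printf '%s\n' "$host"
        fi
    done
    return 0
}

# check_local: same check against this machine's pacman database.
check_local() {
    ver=$(pacman -Q firefox 2>/dev/null | awk '{print $2}')
    [ -n "$ver" ] || { echo "firefox is not installed"; return 0; }
    if ver_lt "$ver" "$FIXED"; then
        echo "VULNERABLE: firefox $ver is older than $FIXED"
        return 1
    fi
    echo "ok: firefox $ver"
}

# Constructed sample inventory (hypothetical hosts, not real data).
sample_inventory() {
    cat <<'EOF'
ws-01 firefox 67.0.3-1
ws-02 firefox 67.0.4-1
ws-03 firefox 66.0.5-1
ws-04 thunderbird 60.7.2-1
ws-05 firefox 68.0-1
EOF
}

sample_inventory | vulnerable_hosts
```

On an Arch host, call check_local after sourcing the script; it returns non-zero when the installed firefox still needs the upgrade.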