[manjaro-security] [ASA-201805-10] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Mon May 14 21:47:30 CEST 2018


Arch Linux Security Advisory ASA-201805-10
==========================================

Severity: Critical
Date    : 2018-05-13
CVE-ID  : CVE-2018-5150 CVE-2018-5151 CVE-2018-5152 CVE-2018-5153
          CVE-2018-5154 CVE-2018-5155 CVE-2018-5157 CVE-2018-5158
          CVE-2018-5159 CVE-2018-5160 CVE-2018-5163 CVE-2018-5164
          CVE-2018-5166 CVE-2018-5167 CVE-2018-5168 CVE-2018-5169
          CVE-2018-5172 CVE-2018-5173 CVE-2018-5175 CVE-2018-5176
          CVE-2018-5177 CVE-2018-5180 CVE-2018-5181 CVE-2018-5182
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-693

Summary
=======

The package firefox before version 60.0-1 is vulnerable to multiple
issues including arbitrary code execution, same-origin policy bypass,
access restriction bypass, content spoofing, denial of service,
information disclosure and sandbox escape.

Resolution
==========

Upgrade to 60.0-1.

# pacman -Syu "firefox>=60.0-1"

The problems have been fixed upstream in version 60.0.
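As an added example (not part of the Arch Linux advisory or of pacman itself), the check below takes `pacman -Q firefox` output and decides whether the installed package is older than the fixed version 60.0-1 named above. It implements a simplified form of pacman's `epoch:pkgver-pkgrel` ordering (numeric segments compared as integers, an alphabetic suffix such as `rc` ordered before the plain release, an absent pkgrel on either side ignored); the sample output lines are constructed, and on a real host pacman's own `vercmp` is the authoritative comparison.

```python
"""Flag firefox packages older than the advisory's fixed version (60.0-1).

Added example for the ASA-201805-10 resolution; not code from the advisory
or from pacman. The ordering below is a simplified model of pacman's
epoch:pkgver-pkgrel comparison (assumption: good enough for release
versions like those in this advisory).
"""
import re

FIXED_VERSION = "60.0-1"  # from the advisory's Resolution section

# Constructed sample of `pacman -Q firefox` output collected from four hosts
SAMPLE_PACMAN_Q = [
    "firefox 59.0.3-1",   # pre-fix release
    "firefox 60.0-1",     # exactly the fixed version
    "firefox 1:60.0-1",   # hypothetical epoch bump
    "firefox 60.0.1-2",   # later point release
]


def _segments(s):
    """Turn '60.0rc1' into [60, 0, 'rc', 1]: digits as ints, letters as str."""
    parts = re.findall(r"\d+|[A-Za-z]+", s)
    return [int(p) if p.isdigit() else p for p in parts]


def split_version(ver):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver segments, pkgrel segments or None)."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    pkgrel = None
    if "-" in ver:
        ver, rel = ver.rsplit("-", 1)
        pkgrel = _segments(rel)
    return epoch, _segments(ver), pkgrel


def _cmp_segments(a, b):
    """Compare two segment lists; return -1, 0 or 1."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        # A numeric segment outranks an alphabetic one at the same position
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    if len(a) == len(b):
        return 0
    # Extra trailing segments: numeric means a later release (60.0.1 > 60.0),
    # alphabetic means a pre-release tag (60.0rc1 < 60.0), as pacman orders them
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    longer_is_newer = isinstance(longer[len(shorter)], int)
    if longer is a:
        return 1 if longer_is_newer else -1
    return -1 if longer_is_newer else 1


def vercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified pacman vercmp)."""
    ea, va, ra = split_version(a)
    eb, vb, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_segments(va, vb)
    if c or ra is None or rb is None:
        return c  # pkgrel only decides when both sides carry one
    return _cmp_segments(ra, rb)


def is_vulnerable(pacman_q_line, fixed=FIXED_VERSION):
    """True when a 'firefox <version>' line is older than the fixed version."""
    name, ver = pacman_q_line.split()
    return name == "firefox" and vercmp(ver, fixed) < 0


def report(lines):
    """Map each installed version string to whether it still needs the upgrade."""
    return {line.split()[1]: is_vulnerable(line) for line in lines}


if __name__ == "__main__":
    for ver, vuln in report(SAMPLE_PACMAN_Q).items():
        print(f"{ver:>10}  {'UPGRADE' if vuln else 'ok'}")
```

Feed it real output with `pacman -Q firefox | python3 check.py` style plumbing if you want to run it fleet-wide; the epoch handling matters because an epoch bump (`1:60.0-1`) sorts above any non-epoch version regardless of the numbers that follow.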

Workaround
==========

None.

Description
===========

- CVE-2018-5150 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 60.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-5151 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 60.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-5152 (information disclosure)

An information disclosure vulnerability has been found in Firefox <
60.0. WebExtensions with the appropriate permissions can attach content
scripts to Mozilla sites such as accounts.firefox.com and listen to
network traffic to the site through the webRequest API. For example,
this allows for the interception of username and an encrypted password
during login to Firefox Accounts. This issue does not expose
synchronization traffic directly and is limited to the process of user
login to the website and the data displayed to the user once logged in.

- CVE-2018-5153 (information disclosure)

An information disclosure vulnerability has been found in Firefox <
60.0. If websocket data is sent with mixed text and binary in a single
message, the binary data can be corrupted. This can result in an out-
of-bounds read with the read memory sent to the originating server in
response.

- CVE-2018-5154 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 60.0, while
enumerating attributes during SVG animations with clip paths.

- CVE-2018-5155 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 60.0, while
adjusting layout during SVG animations with text paths.

- CVE-2018-5157 (same-origin policy bypass)

A same-origin policy bypass vulnerability has been found in the PDF
viewer of Firefox < 60.0, allowing a malicious site to intercept
messages meant for the viewer. This could allow the site to retrieve
PDF files restricted to viewing by an authenticated user on a third-
party website.

- CVE-2018-5158 (arbitrary code execution)

An insufficient-sanitization vulnerability in PostScript calculator
functions has been found in the PDF viewer of Firefox < 60.0,
allowing malicious JavaScript to be injected through a crafted PDF
file. This JavaScript can then be run with the permissions of the PDF
viewer by its worker.

- CVE-2018-5159 (arbitrary code execution)

An integer overflow vulnerability has been found in the Skia library
used in Firefox < 60.0, due to 32-bit integer use in an array without
integer overflow checks, resulting in possible out-of-bounds writes.
This could lead to a potentially exploitable crash triggerable by web
content.

- CVE-2018-5160 (arbitrary code execution)

An uninitialized memory use vulnerability has been found in the WebRTC
component of Firefox < 60.0, which can use a WrappedI420Buffer pixel
buffer whose owning image object can be freed while it is still in use.
This can result in the WebRTC encoder using uninitialized memory,
leading to a potentially exploitable crash.

- CVE-2018-5163 (sandbox escape)

A sandbox escape vulnerability has been found in Firefox < 60.0. If a
malicious attacker has used another vulnerability to gain full control
over a content process, they may be able to replace the alternate data
resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for
other JavaScript code. If the parent process then runs this replaced
code, the executed script would be run with the parent process'
privileges, escaping the sandbox on content processes.

- CVE-2018-5164 (access restriction bypass)

A Content Security Policy (CSP) bypass has been found in Firefox <
60.0, where the CSP is not applied correctly to all parts of multipart
content sent with the multipart/x-mixed-replace MIME type. This could
allow for script to run where CSP should block it, allowing for cross-
site scripting (XSS) and other attacks.

- CVE-2018-5166 (access restriction bypass)

WebExtensions in Firefox before 60.0 can use request redirection and a
filterResponseData filter to bypass host permission settings to redirect
network traffic and access content from a host for which they do not
have explicit user permission.

- CVE-2018-5167 (content spoofing)

The web console and JavaScript debugger in Firefox < 6.0.0 do not
sanitize all output that can be hyperlinked. Both will display chrome:
links as active, clickable hyperlinks in their output. Web sites should
not be able to directly link to internal chrome pages. Additionally,
the JavaScript debugger will display javascript: links, which users
could be tricked into clicking by malicious sites.

- CVE-2018-5168 (access restriction bypass)

Sites can bypass security checks on permissions to install lightweight
themes in Firefox before 60.0, by manipulating the baseURI property of
the theme element. This could allow a malicious site to install a theme
without user interaction which could contain offensive or embarrassing
images.

- CVE-2018-5169 (access restriction bypass)

If manipulated hyperlinked text with chrome: URL contained in it is
dragged and dropped on the "home" icon in Firefox before 60.0, the home
page can be reset to include a normally-unlinkable chrome page as one
of the home page tabs.

- CVE-2018-5172 (arbitrary code execution)

The Live Bookmarks page and the PDF viewer in Firefox before 60.0 can
run injected script content if a user pastes script from the clipboard
into them while viewing RSS feeds or PDF files. This could allow a
malicious site to socially engineer a user to copy and paste malicious
script content that could then run with the context of either page but
does not allow for privilege escalation.

- CVE-2018-5173 (content spoofing)

The filename appearing in the Downloads panel in Firefox before 60.0
improperly renders some Unicode characters, allowing for the file name
to be spoofed. This can be used to obscure the file extension of
potentially executable files from user view in the panel.

- CVE-2018-5175 (access restriction bypass)

A mechanism to bypass Content Security Policy (CSP) protections on
sites that have a script-src policy of 'strict-dynamic' has been found
in Firefox < 60.0. If a target website contains an HTML injection flaw
an attacker could inject a reference to a copy of the require.js
library that is part of Firefox’s Developer Tools, and then use a known
technique using that library to bypass the CSP restrictions on
executing injected scripts.

- CVE-2018-5176 (information disclosure)

The JSON Viewer in Firefox before 60.0 displays clickable hyperlinks
for strings that are parseable as URLs, including javascript: links. If
a JSON file contains malicious JavaScript script embedded as
javascript: links, users may be tricked into clicking and running this
code in the context of the JSON Viewer. This can allow for the theft of
cookies and authorization tokens which are accessible to that context.

- CVE-2018-5177 (denial of service)

A vulnerability exists in the XSLT component of Firefox before 60.0,
during number formatting where a negative buffer size may be allocated
in some instances, leading to a buffer overflow and crash if it occurs.

- CVE-2018-5180 (arbitrary code execution)

A use-after-free vulnerability can occur during WebGL operations in
Firefox before 60.0. While this results in a potentially exploitable
crash, the vulnerability is limited because the memory is freed and
reused in a brief window of time during the freeing of the same
callstack.

- CVE-2018-5181 (access restriction bypass)

If a URL using the file: protocol is dragged and dropped onto an open
tab of Firefox before 60.0 that is running in a different child process
the tab will open a local file corresponding to the dropped URL,
contrary to policy. One way to make the target tab open more reliably
in a separate process is to open it with the noopener keyword.

- CVE-2018-5182 (access restriction bypass)

If a text string that happens to be a filename in the operating
system's native format is dragged and dropped onto the address bar of
Firefox before 60.0, the specified local file will be opened. This is
contrary to policy and is what would happen if the string were the
equivalent file: URL.

Impact
======

A remote attacker can bypass various security mechanisms including the
sandbox and the same-origin policy, access sensitive information and
execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2018-11
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5150
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1388020%2C1433609%2C1409440%2C1448705%2C1451376%2C1452202%2C1444668%2C1393367%2C1411415%2C1426129
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5151
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1445234%2C1449530%2C1437455%2C1447989%2C1438827%2C1436983%2C1435036%2C1440465%2C1439723%2C1448771%2C1453653%2C1454359%2C1432323%2C1454126%2C1436759%2C1439655%2C1448612%2C1449358%2C1367727%2C1452417
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5152
https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5153
https://bugzilla.mozilla.org/show_bug.cgi?id=1436809
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5154
https://bugzilla.mozilla.org/show_bug.cgi?id=1443092
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5155
https://bugzilla.mozilla.org/show_bug.cgi?id=1448774
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5157
https://bugzilla.mozilla.org/show_bug.cgi?id=1449898
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158
https://bugzilla.mozilla.org/show_bug.cgi?id=1452075
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5159
https://bugzilla.mozilla.org/show_bug.cgi?id=1441941
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5160
https://bugzilla.mozilla.org/show_bug.cgi?id=1436117
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5163
https://bugzilla.mozilla.org/show_bug.cgi?id=1426353
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5164
https://bugzilla.mozilla.org/show_bug.cgi?id=1416045
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5166
https://bugzilla.mozilla.org/show_bug.cgi?id=1437325
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5167
https://bugzilla.mozilla.org/show_bug.cgi?id=1447969
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5168
https://bugzilla.mozilla.org/show_bug.cgi?id=1449548
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5169
https://bugzilla.mozilla.org/show_bug.cgi?id=1319157
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5172
https://bugzilla.mozilla.org/show_bug.cgi?id=1436482
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5173
https://bugzilla.mozilla.org/show_bug.cgi?id=1438025
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5175
https://bugzilla.mozilla.org/show_bug.cgi?id=1432358
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5176
https://bugzilla.mozilla.org/show_bug.cgi?id=1442840
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5177
https://bugzilla.mozilla.org/show_bug.cgi?id=1451908
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5180
https://bugzilla.mozilla.org/show_bug.cgi?id=1444086
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5181
https://bugzilla.mozilla.org/show_bug.cgi?id=1424107
https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5182
https://security.archlinux.org/CVE-2018-5150
https://security.archlinux.org/CVE-2018-5151
https://security.archlinux.org/CVE-2018-5152
https://security.archlinux.org/CVE-2018-5153
https://security.archlinux.org/CVE-2018-5154
https://security.archlinux.org/CVE-2018-5155
https://security.archlinux.org/CVE-2018-5157
https://security.archlinux.org/CVE-2018-5158
https://security.archlinux.org/CVE-2018-5159
https://security.archlinux.org/CVE-2018-5160
https://security.archlinux.org/CVE-2018-5163
https://security.archlinux.org/CVE-2018-5164
https://security.archlinux.org/CVE-2018-5166
https://security.archlinux.org/CVE-2018-5167
https://security.archlinux.org/CVE-2018-5168
https://security.archlinux.org/CVE-2018-5169
https://security.archlinux.org/CVE-2018-5172
https://security.archlinux.org/CVE-2018-5173
https://security.archlinux.org/CVE-2018-5175
https://security.archlinux.org/CVE-2018-5176
https://security.archlinux.org/CVE-2018-5177
https://security.archlinux.org/CVE-2018-5180
https://security.archlinux.org/CVE-2018-5181
https://security.archlinux.org/CVE-2018-5182
