Gentoo update for Mozilla Firefox

Published: 2018-11-09 09:45:39 | Updated: 2018-11-09 09:45:52
Severity High
Patch available YES
Number of vulnerabilities 7
CVE ID CVE-2018-12389
CVE-2018-12390
CVE-2018-12392
CVE-2018-12393
CVE-2018-12395
CVE-2018-12396
CVE-2018-12397
CVSSv3 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID CWE-119
CWE-388
CWE-787
CWE-190
CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software Gentoo Linux
Vulnerable software versions Gentoo Linux -
Vendor URL Gentoo

Security Advisory

1) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

2) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

3) Poor event handling

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to poor event handling when manipulating user events in nested loops while opening a document through script. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

4) Integer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow during the conversion of scripts to an internal UTF-16 representation. A remote attacker can trick the victim into visiting a specially crafted website, trigger out-of-bounds write and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

5) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to an error in WebExtension. A remote attacker can trick the victim into visiting a specially crafted website, rewrite the Host request headers using the webRequest API and bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

6) Privilege escalation

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to a WebExtension can run content scripts in disallowed contexts following navigation or other events. A remote attacker can trick the victim into visiting a specially crafted website containing WebExtension where content scripts should not be run and gain elevated privileges.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

7) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. A remote attacker can trick the victim into visiting a specially crafted website, run content scripts in local pages without permission warnings when a local file is opened.

Remediation

Update the affected packages.
www-client/firefox to version: 60.3.0
www-client/firefox-bin to version: 60.3.0

External links

https://security.gentoo.org/glsa/201811-04

Back to List