SB2019071043 - Permissions, Privileges, and Access Controls in firefox-esr (Alpine package)
Published: July 10, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-9811)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=df118d5706ba2d60b54d1285b0c2544abd2dc984
- https://git.alpinelinux.org/aports/commit/?id=dbc43022e7aaaeb53d19f31c2ba03ab99f95c608
- https://git.alpinelinux.org/aports/commit/?id=2619d83127353533f980218076d6c0c02fe7c198
- https://git.alpinelinux.org/aports/commit/?id=a0c09e8b7fb341082bdaced72c40714ba91f932a