SB20200407126 - Out-of-bounds write in firefox-esr (Alpine package)
Published: April 7, 2020
Security Bulletin ID
SB20200407126
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds write (CVE-ID: CVE-2020-6822)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary condition in GMPDecodeData when processing images larger than 4Gb on 32-bit builds. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=174183ffc582462ae8eaf468da032a6642e140c4
- https://git.alpinelinux.org/aports/commit/?id=9e2f5a5133c02cac8537d753874de3c9ba0ad559
- https://git.alpinelinux.org/aports/commit/?id=cd10d6d99b0bd648c2c7d300f927db55bbc1cf03
- https://git.alpinelinux.org/aports/commit/?id=e59828690fd9f113c4135307defdd4de09b962ad
- https://git.alpinelinux.org/aports/commit/?id=3f24b0ed71ac2a532796e4f065c755d1e92a6858