Arch Linux 804 Published by

A firefox security update has been released for Arch Linux to address multiple issues.



ASA-202012-25: firefox: multiple issues


Arch Linux Security Advisory ASA-202012-25
=========================================
Severity: High
Date : 2020-12-16
CVE-ID : CVE-2020-16042 CVE-2020-26971 CVE-2020-26972 CVE-2020-26973
CVE-2020-26974 CVE-2020-26976 CVE-2020-26978 CVE-2020-26979
CVE-2020-35111 CVE-2020-35113 CVE-2020-35114
Package : firefox
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-1362

Summary
======
The package firefox before version 84.0-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing and
information disclosure.

Resolution
=========
Upgrade to 84.0-1.

# pacman -Syu "firefox>?.0-1"

The problems have been fixed upstream in version 84.0.

Workaround
=========
None.

Description
==========
- CVE-2020-16042 (information disclosure)

An uninitialized use security issue has been found in the V8 component
of the chromium browser before version 87.0.4280.88 and Firefox before
84.0.

- CVE-2020-26971 (arbitrary code execution)

A security issue was found in Firefox before 84.0 and Thunderbird
before 78.6 where certain blit values provided by the user were not
properly constrained, leading to a heap buffer overflow on some video
drivers.

- CVE-2020-26972 (arbitrary code execution)

A security issue was found in Firefox before 84.0. The lifecycle of IPC
Actors allows managed actors to outlive their manager actors; and the
former must ensure that they are not attempting to use a dead actor
they have a reference to. Such a check was omitted in WebGL, resulting
in a use-after-free and a potentially exploitable crash.

- CVE-2020-26973 (content spoofing)

A security issue was found in Firefox before 84.0 and Thunderbird
before 78.6 where certain input to the CSS Sanitizer confused it,
resulting in incorrect components being removed. This could have been
used as a sanitizer bypass.

- CVE-2020-26974 (arbitrary code execution)

A security issue was found in Firefox before 84.0 and Thunderbird
before 78.6. When flex-basis was used on a table wrapper, a
StyleGenericFlexBasis object could have been incorrectly cast to the
wrong type. This resulted in a heap user-after-free, memory corruption,
and a potentially exploitable crash.

- CVE-2020-26976 (information disclosure)

A security issue was found in Firefox before 84.0. When an HTTPS page
was embedded in an HTTP page, and there was a service worker registered
for the former, the service worker could have intercepted the request
for the secure page despite the iframe not being a secure context due
to the (insecure) framing.

- CVE-2020-26978 (information disclosure)

A security issue was discovered in Firefox before 84.0 and Thunderbird
before 78.6. Using techniques that built on the slipstream research, a
malicious webpage could have exposed both an internal network's hosts
as well as services running on the user's local machine.

- CVE-2020-26979 (content spoofing)

A security issue was discovered in Firefox before 84.0. When a user
typed a URL in the address bar or the search bar and quickly hit the
enter key, a website could sometimes capture that event and then
redirect the user before navigation occurred to the desired, entered
address. To construct a convincing spoof the attacker would have had to
guess what the user was typing, perhaps by suggesting it.

- CVE-2020-35111 (information disclosure)

A security issue was discovered in Firefox before 84.0 and Thunderbird
before 78.6. When an extension with the proxy permission registered to
receive , the proxy.onRequest callback was not triggered for
view-source URLs. While web content cannot navigate to such URLs, a
user opening View Source could have inadvertently leaked their IP
address.

- CVE-2020-35113 (arbitrary code execution)

Mozilla developer Christian Holler reported memory safety bugs present
in Firefox 83, Firefox ESR 78.5 and Thunderbird 78.5. Some of these
bugs showed evidence of memory corruption and Mozilla presumes that
with enough effort some of these could have been exploited to run
arbitrary code.

- CVE-2020-35114 (arbitrary code execution)

Mozilla developers Christian Holler, Jan-Ivar Bruaroey, and Gabriele
Svelto reported memory safety bugs present in Firefox 83. Some of these
bugs showed evidence of memory corruption and Mozilla presumes that
with enough effort some of these could have been exploited to run
arbitrary code.

Impact
=====
A remote attacker might be able to spoof content, access sensitive
information or execute arbitrary code.

References
=========
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/
  https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html
  https://crbug.com/1151890
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-16042
  https://bugzilla.mozilla.org/show_bug.cgi?id79003
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26971
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26971
  https://bugzilla.mozilla.org/show_bug.cgi?id63466
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26972
  https://bugzilla.mozilla.org/show_bug.cgi?id71382
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26973
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26973
  https://bugzilla.mozilla.org/show_bug.cgi?id80084
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26974
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26974
  https://bugzilla.mozilla.org/show_bug.cgi?id81022
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26976
  https://bugzilla.mozilla.org/show_bug.cgi?id74343
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26978
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26978
  https://bugzilla.mozilla.org/show_bug.cgi?id77047
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26979
  https://bugzilla.mozilla.org/buglist.cgi?bug_id41287%2C1673299
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-35111
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-35111
  https://bugzilla.mozilla.org/show_bug.cgi?id57916
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-35113
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-35113
  https://bugzilla.mozilla.org/buglist.cgi?bug_id64831%2C1673589
  https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-35114
  https://bugzilla.mozilla.org/buglist.cgi?bug_id07449%2C1640416%2C1656459%2C1669914%2C1673567
  https://security.archlinux.org/CVE-2020-16042
  https://security.archlinux.org/CVE-2020-26971
  https://security.archlinux.org/CVE-2020-26972
  https://security.archlinux.org/CVE-2020-26973
  https://security.archlinux.org/CVE-2020-26974
  https://security.archlinux.org/CVE-2020-26976
  https://security.archlinux.org/CVE-2020-26978
  https://security.archlinux.org/CVE-2020-26979
  https://security.archlinux.org/CVE-2020-35111
  https://security.archlinux.org/CVE-2020-35113
  https://security.archlinux.org/CVE-2020-35114