ASA-201803-13 log original external raw
[ASA-201803-13] firefox: arbitrary code execution |
---|
Arch Linux Security Advisory ASA-201803-13
==========================================
Severity: Critical
Date : 2018-03-18
CVE-ID : CVE-2018-5146
Package : firefox
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-657
Summary
=======
The package firefox before version 59.0.1-1 is vulnerable to arbitrary
code execution.
Resolution
==========
Upgrade to 59.0.1-1.
# pacman -Syu "firefox>=59.0.1-1"
The problem has been fixed upstream in version 59.0.1.
Workaround
==========
None.
Description
===========
An out of bounds memory write vulnerability has been discovered in
libvorbis before 1.3.6 while processing Vorbis audio data related to
codebooks that are not an exact divisor of the partition size.
Impact
======
A remote attacker is able to execute arbitrary code by tricking the
user into visiting a website with a vorbis audio file.
References
==========
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/#CVE-2018-5146
https://bugzilla.mozilla.org/show_bug.cgi?id=1446062
https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f
http://seclists.org/oss-sec/2018/q1/243
https://security.archlinux.org/CVE-2018-5146
|