Subject: [ASA-201803-13] firefox: arbitrary code execution Arch Linux Security Advisory ASA-201803-13 ========================================== Severity: Critical Date : 2018-03-18 CVE-ID : CVE-2018-5146 Package : firefox Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-657 Summary ======= The package firefox before version 59.0.1-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 59.0.1-1. # pacman -Syu "firefox>=59.0.1-1" The problem has been fixed upstream in version 59.0.1. Workaround ========== None. Description =========== An out of bounds memory write vulnerability has been discovered in libvorbis before 1.3.6 while processing Vorbis audio data related to codebooks that are not an exact divisor of the partition size. Impact ====== A remote attacker is able to execute arbitrary code by tricking the user into visiting a website with a vorbis audio file. References ========== https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/#CVE-2018-5146 https://bugzilla.mozilla.org/show_bug.cgi?id=1446062 https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f http://seclists.org/oss-sec/2018/q1/243 https://security.archlinux.org/CVE-2018-5146