Arch Linux Security Advisory ASA-201812-9
=========================================

Severity: Critical
Date    : 2018-12-12
CVE-ID  : CVE-2018-12405 CVE-2018-12406 CVE-2018-12407 CVE-2018-17466
          CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18495
          CVE-2018-18497
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-833

Summary
=======

The package firefox before version 64.0-1 is vulnerable to multiple
issues including arbitrary code execution, same-origin policy bypass
and access restriction bypass.

Resolution
==========

Upgrade to 64.0-1.

# pacman -Syu "firefox>=64.0-1"

The problems have been fixed upstream in version 64.0.

Workaround
==========

None.

Description
===========

- CVE-2018-12405 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 64.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-12406 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 64.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2018-12407 (arbitrary code execution)

A buffer overflow has been found in the Angle library used for WebGL
content by Firefox < 64.0, when drawing and validating elements with
the VertexBuffer11 module.

- CVE-2018-17466 (arbitrary code execution)

A buffer overflow and out-of-bounds read has been found in the
TextureStorage11 function of the Angle library, as used in the chromium
browser before 70.0.3538.67 and Firefox before 64.0.

- CVE-2018-18492 (arbitrary code execution)

A use-after-free has been found in Firefox < 64.0, after deleting a
selection element due to a weak reference to the select element in the
options collection.

- CVE-2018-18493 (arbitrary code execution)

A buffer overflow can occur in the Skia library used by Firefox < 64.0,
during buffer offset calculations with hardware accelerated canvas 2D
actions due to the use of 32-bit calculations instead of 64-bit.

- CVE-2018-18494 (same-origin policy bypass)

A same-origin policy violation has been found in Firefox < 64.0,
allowing the theft of cross-origin URL entries when using the
JavaScript location property to cause a redirection to another site
using performance.getEntries().

- CVE-2018-18495 (access restriction bypass)

A security issue has been found in Firefox < 64.0, where WebExtension
content scripts can be loaded into about: pages in some circumstances,
in violation of the permissions granted to extensions. This could allow
an extension to interfere with the loading and usage of these pages and
use capabilities that were intended to be restricted from extensions.

- CVE-2018-18497 (access restriction bypass)

A security issue has been found in Firefox < 64.0, where limitations on
the URIs allowed to WebExtensions by the browser.windows.create API can
be bypassed when a pipe in the URL field is used within the extension
to load multiple pages as a single argument. This could allow a
malicious WebExtension to open privileged about: or file: locations.

Impact
======

A remote attacker can access sensitive information, bypass security
measures and execute arbitrary code on the affected host.

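The bug class named for CVE-2018-18493 (a buffer offset computed in 32 bits instead of 64) shown as an added example; this is not Skia or Firefox code, and the function names, the row-major layout and the sample dimensions are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern: byte offset computed in 32 bits, wraps modulo 2^32. */
static uint32_t offset32(uint32_t x, uint32_t y, uint32_t row_bytes, uint32_t bpp)
{
    return y * row_bytes + x * bpp;
}

/* A bounds check on the wrapped value accepts offsets far past the buffer. */
static bool in_bounds32(uint32_t x, uint32_t y, uint32_t row_bytes,
                        uint32_t bpp, uint64_t buf_size)
{
    return (uint64_t)offset32(x, y, row_bytes, bpp) + bpp <= buf_size;
}

/* Corrected pattern: widen to 64 bits before multiplying, then check. */
static bool offset64_checked(uint32_t x, uint32_t y, uint32_t row_bytes,
                             uint32_t bpp, uint64_t buf_size, uint64_t *out)
{
    if (bpp == 0 || x >= row_bytes / bpp)   /* pixel must lie inside its row */
        return false;
    /* x*bpp < row_bytes < 2^32, so the 64-bit sum below cannot wrap. */
    uint64_t off = (uint64_t)y * row_bytes + (uint64_t)x * bpp;
    if (off > buf_size || buf_size - off < bpp)
        return false;
    *out = off;
    return true;
}

int main(void)
{
    /* Constructed sample: 65536 px wide, 4 bytes per pixel, row 16384. */
    uint32_t x = 1, y = 16384, row_bytes = 65536u * 4u, bpp = 4;
    uint64_t buf_size = 1u << 20, off = 0;

    printf("32-bit offset: %" PRIu32 "\n", offset32(x, y, row_bytes, bpp));
    printf("32-bit check passes: %d\n", in_bounds32(x, y, row_bytes, bpp, buf_size));
    printf("64-bit check passes: %d\n",
           offset64_checked(x, y, row_bytes, bpp, buf_size, &off));
    return 0;
}
```
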
References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12405
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1494752%2C1498765%2C1503326%2C1505181%2C1500759%2C1504365%2C1506640%2C1503082%2C1502013%2C1510471
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12406
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1456947%2C1475669%2C1504816%2C1502886%2C1500064%2C1500310%2C1500696%2C1499198%2C1434490%2C1481745%2C1458129
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12407
https://bugzilla.mozilla.org/show_bug.cgi?id=1505973
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=880906
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-17466
https://bugzilla.mozilla.org/show_bug.cgi?id=1488295
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18492
https://bugzilla.mozilla.org/show_bug.cgi?id=1499861
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18493
https://bugzilla.mozilla.org/show_bug.cgi?id=1504452
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18494
https://bugzilla.mozilla.org/show_bug.cgi?id=1487964
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18495
https://bugzilla.mozilla.org/show_bug.cgi?id=1427585
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-18497
https://bugzilla.mozilla.org/show_bug.cgi?id=1488180
https://security.archlinux.org/CVE-2018-12405
https://security.archlinux.org/CVE-2018-12406
https://security.archlinux.org/CVE-2018-12407
https://security.archlinux.org/CVE-2018-17466
https://security.archlinux.org/CVE-2018-18492
https://security.archlinux.org/CVE-2018-18493
https://security.archlinux.org/CVE-2018-18494
https://security.archlinux.org/CVE-2018-18495
https://security.archlinux.org/CVE-2018-18497