Arch Linux Security Advisory ASA-201903-11 ========================================== Severity: Critical Date : 2019-03-22 CVE-ID : CVE-2019-9788 CVE-2019-9789 CVE-2019-9790 CVE-2019-9791 CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796 CVE-2019-9797 CVE-2019-9799 CVE-2019-9802 CVE-2019-9803 CVE-2019-9805 CVE-2019-9806 CVE-2019-9807 CVE-2019-9808 CVE-2019-9809 Package : firefox Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-925 Summary ======= The package firefox before version 66.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure, same-origin policy bypass, access restriction bypass, content spoofing and denial of service. Resolution ========== Upgrade to 66.0-1. # pacman -Syu "firefox>=66.0-1" The problems have been fixed upstream in version 66.0. Workaround ========== None. Description =========== - CVE-2019-9788 (arbitrary code execution) Several memory safety bugs have been found in Firefox before 66.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code. - CVE-2019-9789 (arbitrary code execution) Several memory safety bugs have been found in Firefox before 66.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code. - CVE-2019-9790 (arbitrary code execution) A use-after-free vulnerability can occur in Firefox before 66.0 when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash. - CVE-2019-9791 (arbitrary code execution) The type inference system in Firefox before 66.0 allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. - CVE-2019-9792 (arbitrary code execution) The IonMonkey just-in-time (JIT) compiler in Firefox before 66.0 can leak an internal JS_OPTIMIZED_OUT magic value to the running script during a bailout. This magic value can then be used by JavaScript to achieve memory corruption, which results in a potentially exploitable crash. - CVE-2019-9793 (arbitrary code execution) A mechanism was discovered in Firefox before 66.0 that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create an arbitrary value in compiled JavaScript, for which the range analysis will infer a fully controlled, incorrect range in circumstances where users have explicitly disabled Spectre mitigations. Note that Spectre mitigations are currently enabled for all users by default settings. - CVE-2019-9795 (arbitrary code execution) A vulnerability has been found in Firefox before 66.0; where type- confusion in the IonMonkey just-in-time (JIT) compiler could potentially be used by malicious JavaScript to trigger a potentially exploitable crash. - CVE-2019-9796 (arbitrary code execution) A use-after-free vulnerability can occur in Firefox before 66.0 when the SMIL animation controller incorrectly registers with the refresh driver twice when only a single registration is expected. When a registration is later freed with the removal of the animation controller element, the refresh driver incorrectly leaves a dangling pointer to the driver's observer array. - CVE-2019-9797 (same-origin policy bypass) Cross-origin images can be read in violation of the same-origin policy, in Firefox before 66.0, by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. - CVE-2019-9799 (information disclosure) Insufficient bounds checking of data during inter-process communication in Firefox before 66.0 might allow a compromised content process to be able to read memory from the parent process under certain conditions. - CVE-2019-9802 (information disclosure) If a Sandbox content process is compromised in Firefox before 66.0, it can initiate an FTP download which will then use a child process to render the downloaded data. The downloaded data can then be passed to the Chrome process with an arbitrary file length supplied by an attacker, bypassing sandbox protections and allow for a potential memory read of adjacent data from the privileged Chrome process, which may include sensitive data. - CVE-2019-9803 (access restriction bypass) The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same- origin URL must be upgraded to HTTPS. Firefox before 66.0 will incorrectly navigate to an HTTP URL rather than perform the security upgrade requested by the CSP in some circumstances, allowing for potential man-in-the-middle attacks on the linked resources. - CVE-2019-9805 (information disclosure) A latent vulnerability exists in the Prio library in Firefox before 66.0 where data may be read from uninitialized memory for some functions, leading to potential memory corruption. - CVE-2019-9806 (denial of service) A vulnerability exists in Firefox before 66.0 during authorization prompting for FTP transaction where successive modal prompts are displayed and cannot be immediately dismissed. This allows for a denial of service (DOS) attack. - CVE-2019-9807 (content spoofing) When arbitrary text is sent over an FTP connection and a page reload is initiated in Firefox before 66.0, it is possible to create a modal alert message with this text as the content. This could potentially be used for social engineering attacks. - CVE-2019-9808 (content spoofing) If WebRTC permission is requested from documents with data: or blob: URLs in Firefox before 66.0, the permission notifications do not properly display the originating domain. The notification states "Unknown origin" as the requestee, leading to user confusion about which site is asking for this permission. - CVE-2019-9809 (denial of service) If the source for resources on a page is through an FTP connection in Firefox before 66.0, it is possible to trigger a series of modal alert messages for these resources through invalid credentials or locations. These messages cannot be immediately dismissed, allowing for a denial of service (DOS) attack. Impact ====== A remote attacker might be able to spoof origin of a permission request, bypass security measures, access sensitive information, crash the browser or execute arbitrary code. References ========== https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/ https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9788 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1518001%2C1521304%2C1521214%2C1506665%2C1516834%2C1518774%2C1524755%2C1523362%2C1524214%2C1529203 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9789 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1520483%2C1522987%2C1528199%2C1519337%2C1525549%2C1516179%2C1518524%2C1518331%2C1526579%2C1512567%2C1524335%2C1448505%2C1518821 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9790 https://bugzilla.mozilla.org/show_bug.cgi?id=1525145 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9791 https://bugzilla.mozilla.org/show_bug.cgi?id=1530958 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9792 https://bugzilla.mozilla.org/show_bug.cgi?id=1532599 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9793 https://bugzilla.mozilla.org/show_bug.cgi?id=1528829 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9795 https://bugzilla.mozilla.org/show_bug.cgi?id=1514682 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9796 https://bugzilla.mozilla.org/show_bug.cgi?id=1531277 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9797 https://bugzilla.mozilla.org/show_bug.cgi?id=1528909 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9799 https://bugzilla.mozilla.org/show_bug.cgi?id=1505678 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9802 https://bugzilla.mozilla.org/show_bug.cgi?id=1415508 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9803 https://bugzilla.mozilla.org/show_bug.cgi?id=1515863 https://bugzilla.mozilla.org/show_bug.cgi?id=1437009 https://w3c.github.io/webappsec-upgrade-insecure-requests/ https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9805 https://bugzilla.mozilla.org/show_bug.cgi?id=1521360 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9806 https://bugzilla.mozilla.org/show_bug.cgi?id=1525267 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9807 https://bugzilla.mozilla.org/show_bug.cgi?id=1362050 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9808 https://bugzilla.mozilla.org/show_bug.cgi?id=1434634 https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9809 https://bugzilla.mozilla.org/show_bug.cgi?id=1282430 https://bugzilla.mozilla.org/show_bug.cgi?id=1523249 https://security.archlinux.org/CVE-2019-9788 https://security.archlinux.org/CVE-2019-9789 https://security.archlinux.org/CVE-2019-9790 https://security.archlinux.org/CVE-2019-9791 https://security.archlinux.org/CVE-2019-9792 https://security.archlinux.org/CVE-2019-9793 https://security.archlinux.org/CVE-2019-9795 https://security.archlinux.org/CVE-2019-9796 https://security.archlinux.org/CVE-2019-9797 https://security.archlinux.org/CVE-2019-9799 https://security.archlinux.org/CVE-2019-9802 https://security.archlinux.org/CVE-2019-9803 https://security.archlinux.org/CVE-2019-9805 https://security.archlinux.org/CVE-2019-9806 https://security.archlinux.org/CVE-2019-9807 https://security.archlinux.org/CVE-2019-9808 https://security.archlinux.org/CVE-2019-9809