Arch Linux Security Advisory ASA-201909-2
=========================================

Severity: High
Date    : 2019-09-04
CVE-ID  : CVE-2019-5849  CVE-2019-9812  CVE-2019-11734 CVE-2019-11735
          CVE-2019-11737 CVE-2019-11738 CVE-2019-11740 CVE-2019-11741
          CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746
          CVE-2019-11747 CVE-2019-11748 CVE-2019-11749 CVE-2019-11750
          CVE-2019-11752
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1036

Summary
=======

The package firefox before version 69.0-1 is vulnerable to multiple
issues including arbitrary code execution, cross-site scripting, same-
origin policy bypass, sandbox escape, access restriction bypass, denial
of service and information disclosure.

Resolution
==========

Upgrade to 69.0-1.

# pacman -Syu "firefox>=69.0-1"

The problems have been fixed upstream in version 69.0.

Workaround
==========

None.

Description
===========

- CVE-2019-5849 (information disclosure)

An out-of-bounds read vulnerability exists in the Skia graphics library
shipped in Firefox before 69.0, allowing for the possible leaking of
data from memory.

- CVE-2019-9812 (sandbox escape)

In Firefox before 69.0, given a compromised sandboxed content process
due to a separate vulnerability, it is possible to escape that sandbox
by loading accounts.firefox.com in that process and forcing a log-in to
a malicious Firefox Sync account. Preference settings that disable the
sandbox are then synchronized to the local machine and the compromised
browser would restart without the sandbox if a crash is triggered.

- CVE-2019-11734 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-11735 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-11737 (access restriction bypass)

In Firefox before 69.0, if a wildcard ('*') is specified for the host
in Content Security Policy (CSP) directives, any port or path
restriction of the directive will be ignored, leading to CSP directives
not being properly applied to content.

- CVE-2019-11738 (access restriction bypass)

In Firefox before 69.0, if a Content Security Policy (CSP) directive is
defined that uses a hash-based source that takes the empty string as
input, execution of any javascript: URIs will be allowed. This could
allow for malicious JavaScript content to be run, bypassing CSP
permissions.

- CVE-2019-11740 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-11741 (cross-site scripting)

In Firefox before 69.0, a compromised sandboxed content process can
perform a Universal Cross-site Scripting (UXSS) attack on content from
any site it can cause to be loaded in the same process. Because
addons.mozilla.org and accounts.firefox.com have close ties to the
Firefox product, malicious manipulation of these sites within the
browser can potentially be used to modify a user's Firefox
configuration. These two sites will now be isolated into their own
process and not allowed to be loaded in a standard content process.

- CVE-2019-11742 (same-origin policy bypass)

A same-origin policy violation can occur in Firefox before 69.0,
allowing the theft of cross-origin images through a combination of SVG
filters and a <canvas> element due to an error in how same-origin
policy is applied to cached image content. The resulting same-origin
policy violation could allow for data theft.

- CVE-2019-11743 (information disclosure)

In Firefox before 69.0, navigation events were not fully adhering to
the W3C's "Navigation-Timing Level 2" draft specification in some
instances for the unload event, which restricts access to detailed
timing attributes to only be same-origin. This resulted in potential
cross-origin information exposure of history through timing side-
channel attacks.

- CVE-2019-11744 (cross-site scripting)

A security issue has been found in Firefox before 69.0. Some HTML
elements, such as <title> and <textarea>, can contain literal angle
brackets without treating them as markup. It is possible to pass a
literal closing tag to .innerHTML on these elements, and subsequent
content after that will be parsed as if it were outside the tag. This
can lead to XSS if a site does not filter user input as strictly for
these elements as it does for other elements.

- CVE-2019-11746 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 69.0 while
manipulating video elements if the body is freed while still in use.
This results in a potentially exploitable crash.

- CVE-2019-11747 (access restriction bypass)

The "Forget about this site" feature in the History pane is intended to
remove all saved user data that indicates a user has visited a site.
This includes removing any HTTP Strict Transport Security (HSTS)
settings received from sites that use it. Due to a bug in Firefox
before 69.0, sites on the pre-load list also have their HSTS setting
removed. On the next visit to that site if the user specifies an http:
URL rather than secure https: they will not be protected by the pre-
loaded HSTS setting. After that visit the site's HSTS setting will be
restored.

- CVE-2019-11748 (access restriction bypass)

WebRTC in Firefox before 69.0 will honor persisted permissions given to
sites for access to microphone and camera resources even when in a
third-party context. In light of recent high profile vulnerabilities in
other software, a decision was made to no longer persist these
permissions. This avoids the possibility of trusted WebRTC resources
being invisibly embedded in web content and abusing permissions
previously given by users. Users will now be prompted for permissions
on each use.

- CVE-2019-11749 (information disclosure)

A vulnerability exists in the WebRTC component of Firefox before 69.0
where malicious web content can use probing techniques on the
getUserMedia API using constraints to reveal device properties of
cameras on the system without triggering a user prompt or notification.
This allows for the potential fingerprinting of users.

- CVE-2019-11750 (denial of service)

A type confusion vulnerability exists in the Spidermonkey component of
Firefox before 69.0, which results in a non-exploitable crash.

- CVE-2019-11752 (arbitrary code execution)

In Firefox before 69.0, it is possible to delete an IndexedDB key value
and subsequently try to extract it during conversion. This results in a
use-after-free and a potentially exploitable crash.

Impact
======

A remote attacker can bypass security measures, access sensitive
information or execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-5849
https://bugzilla.mozilla.org/show_bug.cgi?id=1555838
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-9812
https://bugzilla.mozilla.org/show_bug.cgi?id=1538008
https://bugzilla.mozilla.org/show_bug.cgi?id=1538015
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11734
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11735
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1561404%2C1561484%2C1568047%2C1561912%2C1565744%2C1568858%2C1570358
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11738
https://bugzilla.mozilla.org/show_bug.cgi?id=1452037
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11740
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741
https://bugzilla.mozilla.org/show_bug.cgi?id=1539595
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11742
https://bugzilla.mozilla.org/show_bug.cgi?id=1559715
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11743
https://bugzilla.mozilla.org/show_bug.cgi?id=1560495
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11744
https://bugzilla.mozilla.org/show_bug.cgi?id=1562033
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11746
https://bugzilla.mozilla.org/show_bug.cgi?id=1564449
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11747
https://bugzilla.mozilla.org/show_bug.cgi?id=1564481
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11748
https://bugzilla.mozilla.org/show_bug.cgi?id=1564588
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11749
https://bugzilla.mozilla.org/show_bug.cgi?id=1565374
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11750
https://bugzilla.mozilla.org/show_bug.cgi?id=1568397
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11752
https://bugzilla.mozilla.org/show_bug.cgi?id=1501152
https://security.archlinux.org/CVE-2019-5849
https://security.archlinux.org/CVE-2019-9812
https://security.archlinux.org/CVE-2019-11734
https://security.archlinux.org/CVE-2019-11735
https://security.archlinux.org/CVE-2019-11737
https://security.archlinux.org/CVE-2019-11738
https://security.archlinux.org/CVE-2019-11740
https://security.archlinux.org/CVE-2019-11741
https://security.archlinux.org/CVE-2019-11742
https://security.archlinux.org/CVE-2019-11743
https://security.archlinux.org/CVE-2019-11744
https://security.archlinux.org/CVE-2019-11746
https://security.archlinux.org/CVE-2019-11747
https://security.archlinux.org/CVE-2019-11748
https://security.archlinux.org/CVE-2019-11749
https://security.archlinux.org/CVE-2019-11750
https://security.archlinux.org/CVE-2019-11752