Arch Linux Security Advisory ASA-202006-1
=========================================

Severity: High
Date    : 2020-06-02
CVE-ID  : CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12407
          CVE-2020-12408 CVE-2020-12409 CVE-2020-12410 CVE-2020-12411
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1173

Summary
=======

The package firefox before version 77.0-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service, private
key recovery and content spoofing.

Resolution
==========

Upgrade to 77.0-1.

# pacman -Syu "firefox>=77.0-1"

The problems have been fixed upstream in version 77.0.

Workaround
==========

None.

Description
===========

- CVE-2020-12399 (private key recovery)

NSS before 3.52.1, as used in Firefox before 77.0 and Thunderbird
before 68.9.0, has shown timing differences when performing DSA
signatures, which was exploitable and could eventually leak private
keys.

- CVE-2020-12405 (denial of service)

When browsing a malicious page in Firefox before 77.0 and Thunderbird
before 68.9.0, a race condition in our SharedWorkerService could occur
and lead to a potentially exploitable crash.

- CVE-2020-12406 (arbitrary code execution)

Mozilla Developer Iain Ireland discovered a missing type check in
Firefox before 77.0 and Thunderbird before 68.9.0 during unboxed
objects removal, resulting in a crash. We presume that with enough
effort that it could be exploited to run arbitrary code.

- CVE-2020-12407 (denial of service)

Mozilla Developer Nicolas Silva found that when using WebRender,
Firefox would under certain conditions leak arbitrary GPU memory to the
visible screen. The leaked memory content was visible to the user, but
not observable from web content.

- CVE-2020-12408 (content spoofing)

When browsing a document hosted on an IP address, an attacker could
insert certain characters to flip domain and path information in the
address bar.

- CVE-2020-12409 (content spoofing)

When using certain blank characters in a URL, they were incorrectly
rendered as spaces instead of an encoded URL.

- CVE-2020-12410 (arbitrary code execution)

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety
bugs present in Firefox 76, Firefox ESR 68.8 and Thunderbird before
68.9.0. Some of these bugs showed evidence of memory corruption and
Mozilla presumes that with enough effort some of these could have been
exploited to run arbitrary code.

- CVE-2020-12411 (arbitrary code execution)

Mozilla developers :Gijs (he/him), Randell Jesup reported memory safety
bugs present in Firefox 76. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these
could have been exploited to run arbitrary code.

Impact
======

A remote attacker might be able to recover private keys, spoof content,
execute arbitrary code or crash the application.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
https://bugzilla.mozilla.org/show_bug.cgi?id=1631618
https://bugzilla.mozilla.org/show_bug.cgi?id=1639590
https://bugzilla.mozilla.org/show_bug.cgi?id=1637112
https://bugzilla.mozilla.org/show_bug.cgi?id=1623888
https://bugzilla.mozilla.org/show_bug.cgi?id=1629506
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1619305%2C1632717
https://bugzilla.mozilla.org/show_bug.cgi?id=1506173
https://security.archlinux.org/CVE-2020-12399
https://security.archlinux.org/CVE-2020-12405
https://security.archlinux.org/CVE-2020-12406
https://security.archlinux.org/CVE-2020-12407
https://security.archlinux.org/CVE-2020-12408
https://security.archlinux.org/CVE-2020-12409
https://security.archlinux.org/CVE-2020-12410
https://security.archlinux.org/CVE-2020-12411