Subject: [ASA-202011-12] firefox: multiple issues

Arch Linux Security Advisory ASA-202011-12
==========================================

Severity: Critical
Date    : 2020-11-17
CVE-ID  : CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26952
          CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959
          CVE-2020-26960 CVE-2020-26961 CVE-2020-26962 CVE-2020-26963
          CVE-2020-26965 CVE-2020-26967 CVE-2020-26968 CVE-2020-26969
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1279

Summary
=======

The package firefox before version 83.0-1 is vulnerable to multiple issues
including arbitrary code execution, access restriction bypass, content
spoofing, cross-site scripting, information disclosure, insufficient
validation, denial of service and incorrect calculation.

Resolution
==========

Upgrade to 83.0-1.

# pacman -Syu "firefox>=83.0-1"

The problems have been fixed upstream in version 83.0.

Workaround
==========

None.

Description
===========

- CVE-2020-15999 (arbitrary code execution)

A heap buffer overflow has been found in freetype2 before 2.10.4. Malformed
TTF files with PNG sbit glyphs can cause a heap buffer overflow in
Load_SBit_Png as libpng uses the original 32-bit values, which are saved in
png_struct. If the original width and/or height are greater than 65535, the
allocated buffer won't be able to fit the bitmap.

- CVE-2020-16012 (information disclosure)

An information disclosure issue has been found in Firefox before 83.0 and
chromium before 87.0.4280.66. When drawing a transparent image on top of an
unknown cross-origin image, the Skia library drawImage function took a
variable amount of time depending on the content of the underlying image.
This resulted in potential cross-origin information exposure of image
content through timing side-channel attacks.
- CVE-2020-26951 (access restriction bypass)

A parsing and event loading mismatch has been found in Firefox's SVG code
before 83.0 and could have allowed load events to fire, even after
sanitization. An attacker already capable of exploiting an XSS vulnerability
in privileged internal pages could have used this attack to bypass the
built-in sanitizer.

- CVE-2020-26952 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where incorrect
bookkeeping of functions inlined during JIT compilation could have led to
memory corruption and a potentially exploitable crash when handling
out-of-memory errors.

- CVE-2020-26953 (content spoofing)

A security issue has been found in Firefox before 83.0 where it was possible
to cause the browser to enter fullscreen mode without displaying the security
UI; thus making it possible to attempt a phishing attack or otherwise confuse
the user.

- CVE-2020-26956 (cross-site scripting)

A security issue has been found in Firefox before 83.0 where, in some cases,
removing HTML elements during sanitization would keep existing SVG event
handlers and therefore lead to XSS.

- CVE-2020-26958 (access restriction bypass)

Firefox before 83.0 did not block execution of scripts with incorrect MIME
types when the response was intercepted and cached through a ServiceWorker.
This could lead to a cross-site script inclusion vulnerability, or a Content
Security Policy bypass.

- CVE-2020-26959 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where, during browser
shutdown, reference decrementing could have occurred on a previously freed
object, resulting in a use-after-free, memory corruption, and a potentially
exploitable crash.
- CVE-2020-26960 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where, if the
Compact() method was called on an nsTArray, the array could have been
reallocated without updating other pointers, leading to a potential
use-after-free and exploitable crash.

- CVE-2020-26961 (insufficient validation)

A security issue has been found in Firefox before 83.0 where, when DNS over
HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from
the responses as these do not make sense coming from a DoH resolver. However
when an IPv4 address was mapped through IPv6, these addresses were
erroneously let through, leading to a potential DNS Rebinding attack.

- CVE-2020-26962 (access restriction bypass)

A security issue has been found in Firefox before 83.0, where cross-origin
iframes that contained a login form could have been recognized by the login
autofill service, and populated. This could have been used in clickjacking
attacks, as well as be read across partitions in dynamic first party
isolation.

- CVE-2020-26963 (denial of service)

A denial of service issue has been found in Firefox before 83.0, where
repeated calls to the history and location interfaces could have been used
to hang the browser. This was addressed by introducing rate-limiting to these
API calls.

- CVE-2020-26965 (information disclosure)

An information disclosure issue has been found in Firefox before 83.0. Some
websites have a feature "Show Password" where clicking a button will change a
password field into a textbox field, revealing the typed password. If, when
using a software keyboard that remembers user input, a user typed their
password and used that feature, the type of the password field was changed,
resulting in a keyboard layout change and the possibility for the software
keyboard to remember the typed password.
- CVE-2020-26967 (incorrect calculation)

A security issue has been found in Firefox before 83.0 where, when listening
for page changes with a Mutation Observer, a malicious web page could confuse
Firefox Screenshots into interacting with elements other than those that it
injected into the page. This would lead to internal errors and unexpected
behavior in the Screenshots code.

- CVE-2020-26968 (arbitrary code execution)

Several memory safety issues have been found in Firefox before 83.0 and
Firefox ESR before 78.4. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these could
have been exploited to run arbitrary code.

- CVE-2020-26969 (arbitrary code execution)

Several memory safety issues have been found in Firefox before 83.0. Some of
these bugs showed evidence of memory corruption and Mozilla presumes that
with enough effort some of these could have been exploited to run arbitrary
code.

Impact
======

A remote attacker might be able to access sensitive information, bypass
security measures, trick a user into performing unwanted actions, crash the
browser or execute arbitrary code.
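The CVE-2020-26961 entry above describes a filter that drops RFC1918 and related ranges from DoH answers but missed the same addresses when they arrived embedded in an IPv6 literal. The following Python is an added illustration written for this advisory, not Firefox code: it places the pre-fix matching logic next to a corrected version that unwraps the embedded IPv4 address before classifying it, and runs both over a constructed answer set. The exact list of "related" ranges Firefox filters is not stated on the page; the lists below, the 6to4 handling, and the function names are the editor's assumptions.

```python
import ipaddress

# Ranges a DoH client should never accept from a public resolver. The page
# says "RFC1918 and related IP ranges"; the precise list Firefox uses is not
# on the page, so this list (RFC1918 plus loopback, link-local and "this
# network") is an assumption for the example.
FILTERED_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this"
)]
FILTERED_V6 = [ipaddress.ip_network(n) for n in (
    "::1/128", "fc00::/7", "fe80::/10",                # loopback, ULA, link-local
)]


def is_filtered_naive(answer: str) -> bool:
    """Pre-fix behaviour: match the answer only against the list for the
    address family it is literally written in. '::ffff:192.168.1.10' is an
    IPv6 literal, is compared with the IPv6 ranges only, and passes."""
    addr = ipaddress.ip_address(answer)
    nets = FILTERED_V4 if addr.version == 4 else FILTERED_V6
    return any(addr in net for net in nets)


def embedded_ipv4(addr: ipaddress.IPv6Address):
    """Return the IPv4 address carried inside an IPv6 literal, or None.
    Covers IPv4-mapped addresses (::ffff:a.b.c.d, the case in the advisory)
    and, as a generalisation not on the page, 6to4 (2002::/16)."""
    mapped = addr.ipv4_mapped
    if mapped is not None:
        return mapped
    return addr.sixtofour


def is_filtered(answer: str) -> bool:
    """Corrected behaviour: unwrap any embedded IPv4 address first, then
    match against the list for the family that actually results."""
    addr = ipaddress.ip_address(answer)
    if addr.version == 6:
        inner = embedded_ipv4(addr)
        if inner is not None:
            addr = inner
    nets = FILTERED_V4 if addr.version == 4 else FILTERED_V6
    return any(addr in net for net in nets)


def allowed_answers(answers, check=is_filtered):
    """Return the answers the client would hand on to the application."""
    return [a for a in answers if not check(a)]


# Constructed sample answer set (not real resolver output).
SAMPLE_ANSWERS = [
    "93.184.216.34",           # ordinary public IPv4: allowed
    "192.168.1.10",            # RFC1918: dropped by both versions
    "::ffff:192.168.1.10",     # same address, IPv4-mapped: the naive check lets it through
    "::ffff:c0a8:10a",         # same mapped address in hex notation
    "2002:c0a8:10a::",         # same address embedded as 6to4
    "2001:db8::1",             # ordinary IPv6 (documentation prefix): allowed
]

if __name__ == "__main__":
    print("naive:", allowed_answers(SAMPLE_ANSWERS, is_filtered_naive))
    print("fixed:", allowed_answers(SAMPLE_ANSWERS, is_filtered))
```

Run stand-alone, the naive filter passes three encodings of 192.168.1.10 while the corrected one drops all of them. The defensive point is that an address-family check must be applied to the address a socket will actually connect to, not to the textual form the resolver returned; any transition mechanism that embeds IPv4 in IPv6 needs the same unwrapping.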
References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/
http://git.savannah.nongnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
https://savannah.nongnu.org/bugs/?59308
https://googleprojectzero.blogspot.com/p/rca-cve-2020-15999.html
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-16012
https://bugzilla.mozilla.org/show_bug.cgi?id=1642028
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26951
https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952
https://bugzilla.mozilla.org/show_bug.cgi?id=1667685
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26953
https://bugzilla.mozilla.org/show_bug.cgi?id=1656741
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26956
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26958
https://bugzilla.mozilla.org/show_bug.cgi?id=1669355
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26959
https://bugzilla.mozilla.org/show_bug.cgi?id=1669466
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26960
https://bugzilla.mozilla.org/show_bug.cgi?id=1670358
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26961
https://bugzilla.mozilla.org/show_bug.cgi?id=1672528
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962
https://bugzilla.mozilla.org/show_bug.cgi?id=610997
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26963
https://bugzilla.mozilla.org/show_bug.cgi?id=1314912
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26965
https://bugzilla.mozilla.org/show_bug.cgi?id=1661617
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26967
https://bugzilla.mozilla.org/show_bug.cgi?id=1665820
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26968
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1551615%2C1607762%2C1656697%2C1657739%2C1660236%2C1667912%2C1671479%2C1671923
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1623920%2C1651705%2C1667872%2C1668876
https://security.archlinux.org/CVE-2020-15999
https://security.archlinux.org/CVE-2020-16012
https://security.archlinux.org/CVE-2020-26951
https://security.archlinux.org/CVE-2020-26952
https://security.archlinux.org/CVE-2020-26953
https://security.archlinux.org/CVE-2020-26956
https://security.archlinux.org/CVE-2020-26958
https://security.archlinux.org/CVE-2020-26959
https://security.archlinux.org/CVE-2020-26960
https://security.archlinux.org/CVE-2020-26961
https://security.archlinux.org/CVE-2020-26962
https://security.archlinux.org/CVE-2020-26963
https://security.archlinux.org/CVE-2020-26965
https://security.archlinux.org/CVE-2020-26967
https://security.archlinux.org/CVE-2020-26968
https://security.archlinux.org/CVE-2020-26969