Arch Linux Security Advisory ASA-201909-2
========================================
Severity: High
Date    : 2019-09-04
CVE-ID  : CVE-2019-5849  CVE-2019-9812  CVE-2019-11734 CVE-2019-11735
          CVE-2019-11737 CVE-2019-11738 CVE-2019-11740 CVE-2019-11741
          CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746
          CVE-2019-11747 CVE-2019-11748 CVE-2019-11749 CVE-2019-11750
          CVE-2019-11752
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1036

Summary
======
The package firefox before version 69.0-1 is vulnerable to multiple
issues including arbitrary code execution, cross-site scripting, same-
origin policy bypass, sandbox escape, access restriction bypass, denial
of service and information disclosure.

Resolution
=========
Upgrade to 69.0-1.

# pacman -Syu "firefox>=69.0-1"

The problems have been fixed upstream in version 69.0.

Workaround
=========
None.

Description
==========
- CVE-2019-5849 (information disclosure)

An out-of-bounds read vulnerability exists in the Skia graphics library
shipped in Firefox before 69.0, allowing for the possible leaking of
data from memory.

- CVE-2019-9812 (sandbox escape)

In Firefox before 69.0, given a compromised sandboxed content process
due to a separate vulnerability, it is possible to escape that sandbox
by loading accounts.firefox.com in that process and forcing a log-in to
a malicious Firefox Sync account. Preference settings that disable the
sandbox are then synchronized to the local machine and the compromised
browser would restart without the sandbox if a crash is triggered.

- CVE-2019-11734 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-11735 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-11737 (access restriction bypass)

In Firefox before 69.0, if a wildcard ('*') is specified for the host
in Content Security Policy (CSP) directives, any port or path
restriction of the directive will be ignored, leading to CSP directives
not being properly applied to content.

- CVE-2019-11738 (access restriction bypass)

In Firefox before 69.0, if a Content Security Policy (CSP) directive is
defined that uses a hash-based source that takes the empty string as
input, execution of any javascript: URIs will be allowed. This could
allow for malicious JavaScript content to be run, bypassing CSP
permissions.

- CVE-2019-11740 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 69.0. Some
of these bugs showed evidence of memory corruption and Mozilla presumes
that with enough effort some of these could be exploited to run
arbitrary code.

- CVE-2019-11741 (cross-site scripting)

In Firefox before 69.0, a compromised sandboxed content process can
perform a Universal Cross-site Scripting (UXSS) attack on content from
any site it can cause to be loaded in the same process. Because
addons.mozilla.org and accounts.firefox.com have close ties to the
Firefox product, malicious manipulation of these sites within the
browser can potentially be used to modify a user's Firefox
configuration. These two sites will now be isolated into their own
process and not allowed to be loaded in a standard content process.

- CVE-2019-11742 (same-origin policy bypass)

A same-origin policy violation can occur in Firefox before 69.0,
allowing the theft of cross-origin images through a combination of SVG
filters and a  element due to an error in how same-origin
policy is applied to cached image content. The resulting same-origin
policy violation could allow for data theft.

- CVE-2019-11743 (information disclosure)

In Firefox before 69.0, navigation events were not fully adhering to
the W3C's "Navigation-Timing Level 2" draft specification in some
instances for the unload event, which restricts access to detailed
timing attributes to only be same-origin. This resulted in potential
cross-origin information exposure of history through timing side-
channel attacks.

- CVE-2019-11744 (cross-site scripting)

A security issue has been found in Firefox before 69.0. Some HTML
elements, such as  and , can contain literal angle
brackets without treating them as markup. It is possible to pass a
literal closing tag to .innerHTML on these elements, and subsequent
content after that will be parsed as if it were outside the tag. This
can lead to XSS if a site does not filter user input as strictly for
these elements as it does for other elements.

- CVE-2019-11746 (arbitrary code execution)

A use-after-free vulnerability can occur in Firefox before 69.0 while
manipulating video elements if the body is freed while still in use.
This results in a potentially exploitable crash.

- CVE-2019-11747 (access restriction bypass)

The "Forget about this site" feature in the History pane is intended to
remove all saved user data that indicates a user has visited a site.
This includes removing any HTTP Strict Transport Security (HSTS)
settings received from sites that use it. Due to a bug in Firefox
before 69.0, sites on the pre-load list also have their HSTS setting
removed. On the next visit to that site if the user specifies an http:
URL rather than secure https: they will not be protected by the pre-
loaded HSTS setting. After that visit the site's HSTS setting will be
restored.

- CVE-2019-11748 (access restriction bypass)

WebRTC in Firefox before 69.0 will honor persisted permissions given to
sites for access to microphone and camera resources even when in a
third-party context. In light of recent high profile vulnerabilities in
other software, a decision was made to no longer persist these
permissions. This avoids the possibility of trusted WebRTC resources
being invisibly embedded in web content and abusing permissions
previously given by users. Users will now be prompted for permissions
on each use.

- CVE-2019-11749 (information disclosure)

A vulnerability exists in the WebRTC component of Firefox before 69.0
where malicious web content can use probing techniques on the
getUserMedia API using constraints to reveal device properties of
cameras on the system without triggering a user prompt or notification.
This allows for the potential fingerprinting of users.

- CVE-2019-11750 (denial of service)

A type confusion vulnerability exists in the Spidermonkey component of
Firefox before 69.0, which results in a non-exploitable crash.

- CVE-2019-11752 (arbitrary code execution)

In Firefox before 69.0, it is possible to delete an IndexedDB key value
and subsequently try to extract it during conversion. This results in a
use-after-free and a potentially exploitable crash.

Impact
=====
A remote attacker can bypass security measures, access sensitive
information or execute arbitrary code on the affected host.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-5849
https://bugzilla.mozilla.org/show_bug.cgi?id=1555838
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-9812
https://bugzilla.mozilla.org/show_bug.cgi?id=1538008
https://bugzilla.mozilla.org/show_bug.cgi?id=1538015
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11734
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11735
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1561404%2C1561484%2C1568047%2C1561912%2C1565744%2C1568858%2C1570358
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737
https://bugzilla.mozilla.org/show_bug.cgi?id=1388015
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11738
https://bugzilla.mozilla.org/show_bug.cgi?id=1452037
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11740
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741
https://bugzilla.mozilla.org/show_bug.cgi?id=1539595
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11742
https://bugzilla.mozilla.org/show_bug.cgi?id=1559715
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11743
https://bugzilla.mozilla.org/show_bug.cgi?id=1560495
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11744
https://bugzilla.mozilla.org/show_bug.cgi?id=1562033
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11746
https://bugzilla.mozilla.org/show_bug.cgi?id=1564449
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11747
https://bugzilla.mozilla.org/show_bug.cgi?id=1564481
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11748
https://bugzilla.mozilla.org/show_bug.cgi?id=1564588
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11749
https://bugzilla.mozilla.org/show_bug.cgi?id=1565374
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11750
https://bugzilla.mozilla.org/show_bug.cgi?id=1568397
https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11752
https://bugzilla.mozilla.org/show_bug.cgi?id=1501152
https://security.archlinux.org/CVE-2019-5849
https://security.archlinux.org/CVE-2019-9812
https://security.archlinux.org/CVE-2019-11734
https://security.archlinux.org/CVE-2019-11735
https://security.archlinux.org/CVE-2019-11737
https://security.archlinux.org/CVE-2019-11738
https://security.archlinux.org/CVE-2019-11740
https://security.archlinux.org/CVE-2019-11741
https://security.archlinux.org/CVE-2019-11742
https://security.archlinux.org/CVE-2019-11743
https://security.archlinux.org/CVE-2019-11744
https://security.archlinux.org/CVE-2019-11746
https://security.archlinux.org/CVE-2019-11747
https://security.archlinux.org/CVE-2019-11748
https://security.archlinux.org/CVE-2019-11749
https://security.archlinux.org/CVE-2019-11750
https://security.archlinux.org/CVE-2019-11752

ArchLinux: 201909-2: firefox: multiple issues

September 11, 2019

Summary

- CVE-2019-5849 (information disclosure) An out-of-bounds read vulnerability exists in the Skia graphics library shipped in Firefox before 69.0, allowing for the possible leaking of data from memory.
- CVE-2019-9812 (sandbox escape)
In Firefox before 69.0, given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered.
- CVE-2019-11734 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 69.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.
- CVE-2019-11735 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 69.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.
- CVE-2019-11737 (access restriction bypass)
In Firefox before 69.0, if a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly applied to content.
- CVE-2019-11738 (access restriction bypass)
In Firefox before 69.0, if a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions.
- CVE-2019-11740 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 69.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code.
- CVE-2019-11741 (cross-site scripting)
In Firefox before 69.0, a compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process.
- CVE-2019-11742 (same-origin policy bypass)
A same-origin policy violation can occur in Firefox before 69.0, allowing the theft of cross-origin images through a combination of SVG filters and a element due to an error in how same-origin policy is applied to cached image content. The resulting same-origin policy violation could allow for data theft.
- CVE-2019-11743 (information disclosure)
In Firefox before 69.0, navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information exposure of history through timing side- channel attacks.
- CVE-2019-11744 (cross-site scripting)
A security issue has been found in Firefox before 69.0. Some HTML elements, such as and , can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements.
- CVE-2019-11746 (arbitrary code execution)
A use-after-free vulnerability can occur in Firefox before 69.0 while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash.
- CVE-2019-11747 (access restriction bypass)
The "Forget about this site" feature in the History pane is intended to remove all saved user data that indicates a user has visited a site. This includes removing any HTTP Strict Transport Security (HSTS) settings received from sites that use it. Due to a bug in Firefox before 69.0, sites on the pre-load list also have their HSTS setting removed. On the next visit to that site if the user specifies an http: URL rather than secure https: they will not be protected by the pre- loaded HSTS setting. After that visit the site's HSTS setting will be restored.
- CVE-2019-11748 (access restriction bypass)
WebRTC in Firefox before 69.0 will honor persisted permissions given to sites for access to microphone and camera resources even when in a third-party context. In light of recent high profile vulnerabilities in other software, a decision was made to no longer persist these permissions. This avoids the possibility of trusted WebRTC resources being invisibly embedded in web content and abusing permissions previously given by users. Users will now be prompted for permissions on each use.
- CVE-2019-11749 (information disclosure)
A vulnerability exists in the WebRTC component of Firefox before 69.0 where malicious web content can use probing techniques on the getUserMedia API using constraints to reveal device properties of cameras on the system without triggering a user prompt or notification. This allows for the potential fingerprinting of users.
- CVE-2019-11750 (denial of service)
A type confusion vulnerability exists in the Spidermonkey component of Firefox before 69.0, which results in a non-exploitable crash.
- CVE-2019-11752 (arbitrary code execution)
In Firefox before 69.0, it is possible to delete an IndexedDB key value and subsequently try to extract it during conversion. This results in a use-after-free and a potentially exploitable crash.

Resolution

Upgrade to 69.0-1. # pacman -Syu "firefox>=69.0-1"
The problems have been fixed upstream in version 69.0.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/ https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-5849 https://bugzilla.mozilla.org/show_bug.cgi?id=1555838 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-9812 https://bugzilla.mozilla.org/show_bug.cgi?id=1538008 https://bugzilla.mozilla.org/show_bug.cgi?id=1538015 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11734 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1352875%2C1536227%2C1557208%2C1560641 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11735 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1561404%2C1561484%2C1568047%2C1561912%2C1565744%2C1568858%2C1570358 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11737 https://bugzilla.mozilla.org/show_bug.cgi?id=1388015 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11738 https://bugzilla.mozilla.org/show_bug.cgi?id=1452037 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11740 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1563133%2C1573160 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741 https://bugzilla.mozilla.org/show_bug.cgi?id=1539595 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11742 https://bugzilla.mozilla.org/show_bug.cgi?id=1559715 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11743 https://bugzilla.mozilla.org/show_bug.cgi?id=1560495 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11744 https://bugzilla.mozilla.org/show_bug.cgi?id=1562033 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11746 https://bugzilla.mozilla.org/show_bug.cgi?id=1564449 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11747 https://bugzilla.mozilla.org/show_bug.cgi?id=1564481 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11748 https://bugzilla.mozilla.org/show_bug.cgi?id=1564588 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11749 https://bugzilla.mozilla.org/show_bug.cgi?id=1565374 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11750 https://bugzilla.mozilla.org/show_bug.cgi?id=1568397 https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11752 https://bugzilla.mozilla.org/show_bug.cgi?id=1501152 https://security.archlinux.org/CVE-2019-5849 https://security.archlinux.org/CVE-2019-9812 https://security.archlinux.org/CVE-2019-11734 https://security.archlinux.org/CVE-2019-11735 https://security.archlinux.org/CVE-2019-11737 https://security.archlinux.org/CVE-2019-11738 https://security.archlinux.org/CVE-2019-11740 https://security.archlinux.org/CVE-2019-11741 https://security.archlinux.org/CVE-2019-11742 https://security.archlinux.org/CVE-2019-11743 https://security.archlinux.org/CVE-2019-11744 https://security.archlinux.org/CVE-2019-11746 https://security.archlinux.org/CVE-2019-11747 https://security.archlinux.org/CVE-2019-11748 https://security.archlinux.org/CVE-2019-11749 https://security.archlinux.org/CVE-2019-11750 https://security.archlinux.org/CVE-2019-11752

Severity
CVE-2019-11737 CVE-2019-11738 CVE-2019-11740 CVE-2019-11741
CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746
CVE-2019-11747 CVE-2019-11748 CVE-2019-11749 CVE-2019-11750
CVE-2019-11752
Package : firefox
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1036

Workaround

None.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved