Arch Linux Security Advisory ASA-202011-12
=========================================
Severity: Critical
Date    : 2020-11-17
CVE-ID  : CVE-2020-15999 CVE-2020-16012 CVE-2020-26951 CVE-2020-26952
          CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959
          CVE-2020-26960 CVE-2020-26961 CVE-2020-26962 CVE-2020-26963
          CVE-2020-26965 CVE-2020-26967 CVE-2020-26968 CVE-2020-26969
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1279

Summary
======
The package firefox before version 83.0-1 is vulnerable to multiple
issues including arbitrary code execution, access restriction bypass,
content spoofing, cross-site scripting, information disclosure,
insufficient validation, denial of service and incorrect calculation.

Resolution
=========
Upgrade to 83.0-1.

# pacman -Syu "firefox>=83.0-1"

The problems have been fixed upstream in version 83.0.

Workaround
=========
None.

Description
==========
- CVE-2020-15999 (arbitrary code execution)

A heap buffer overflow has been found in freetype2 before 2.10.4.
Malformed TTF files with PNG sbit glyphs can cause a heap buffer
overflow in Load_SBit_Png as libpng uses the original 32-bit values,
which are saved in png_struct. If the original width and/or height are
greater than 65535, the allocated buffer won't be able to fit the
bitmap.
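The width/height mismatch described above, as an added example (not freetype's code): it parses a PNG IHDR chunk, shows the lossy 32-bit to 16-bit narrowing of the sbit metrics, computes how far a libpng write using the original 32-bit dimensions would overrun a buffer sized from the truncated ones, and applies the check a loader needs before allocating. The 4 bytes per pixel and all sample dimensions are assumptions chosen for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_SBIT_DIM = 0xFFFF  # sbit glyph metrics are 16-bit fields


def truncated_metric(dim):
    """The lossy narrowing at the root of the bug: a 32-bit PNG width of
    0x10020 becomes a 0x20-wide 16-bit metric, so the buffer is sized
    for 32 pixels per row while libpng writes 65568."""
    return dim & 0xFFFF


def buffer_shortfall(width, height, bpp=4):
    """Bytes written past a buffer sized from truncated metrics.
    bpp=4 assumes a 32-bit-per-pixel decoded bitmap (assumption)."""
    needed = width * height * bpp
    allocated = truncated_metric(width) * truncated_metric(height) * bpp
    return max(0, needed - allocated)


def build_ihdr_png(width, height):
    """Constructed test input: PNG signature plus a valid IHDR chunk with
    the given 32-bit dimensions (8-bit RGBA, no image data follows)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = struct.pack(">I", 13) + b"IHDR" + ihdr
    return PNG_SIGNATURE + chunk + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr))


def parse_ihdr(data):
    """Return (width, height) from the IHDR chunk, checking signature and CRC."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    return struct.unpack(">II", body[:8])


def sbit_png_fits(data, metric_width, metric_height):
    """Check to run before allocating: the PNG's 32-bit dimensions must
    fit 16-bit metrics and match the declared sbit metrics exactly."""
    width, height = parse_ihdr(data)
    if width > MAX_SBIT_DIM or height > MAX_SBIT_DIM:
        return False
    return width == metric_width and height == metric_height
```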

- CVE-2020-16012 (information disclosure)

An information disclosure issue has been found in Firefox before 83.0
and chromium before 87.0.4280.66. When drawing a transparent image on
top of an unknown cross-origin image, the Skia library drawImage
function took a variable amount of time depending on the content of the
underlying image. This resulted in potential cross-origin information
exposure of image content through timing side-channel attacks.

- CVE-2020-26951 (access restriction bypass)

A parsing and event loading mismatch has been found in Firefox's SVG
code before 83.0 and could have allowed load events to fire, even after
sanitization. An attacker already capable of exploiting an XSS
vulnerability in privileged internal pages could have used this attack
to bypass the built-in sanitizer.

- CVE-2020-26952 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where incorrect
bookkeeping of functions inlined during JIT compilation could have led
to memory corruption and a potentially exploitable crash when handling
out-of-memory errors.

- CVE-2020-26953 (content spoofing)

A security issue has been found in Firefox before 83.0 where it was
possible to cause the browser to enter fullscreen mode without
displaying the security UI, making it possible to attempt a phishing
attack or otherwise confuse the user.

- CVE-2020-26956 (cross-site scripting)

A security issue has been found in Firefox before 83.0 where, in some
cases, removing HTML elements during sanitization would keep existing
SVG event handlers and therefore lead to XSS.

- CVE-2020-26958 (access restriction bypass)

Firefox before 83.0 did not block execution of scripts with incorrect
MIME types when the response was intercepted and cached through a
ServiceWorker. This could lead to a cross-site script inclusion
vulnerability, or a Content Security Policy bypass.

- CVE-2020-26959 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where, during
browser shutdown, reference decrementing could have occurred on a
previously freed object, resulting in a use-after-free, memory
corruption, and a potentially exploitable crash.

- CVE-2020-26960 (arbitrary code execution)

A security issue has been found in Firefox before 83.0 where, if the
Compact() method was called on an nsTArray, the array could have been
reallocated without updating other pointers, leading to a potential
use-after-free and exploitable crash.

- CVE-2020-26961 (insufficient validation)

A security issue has been found in Firefox before 83.0 where, when DNS
over HTTPS is in use, it intentionally filters RFC1918 and related IP
ranges from the responses as these do not make sense coming from a DoH
resolver. However, when an IPv4 address was mapped through IPv6, these
addresses were erroneously let through, leading to a potential DNS
Rebinding attack.
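The DoH answer filter described above, as an added example that is not Firefox's code: the same private-range filter run once without and once with unwrapping of IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), showing that the naive version lets a mapped RFC1918 address through. The blocked-range list and the sample answer set are constructed for the example.

```python
import ipaddress

# Ranges a public DoH resolver should never answer with (RFC 1918 plus
# related special-use ranges). Constructed for this example; it is not
# Firefox's exact filter list.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this" network
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]


def normalize(addr):
    """Unwrap an IPv4-mapped IPv6 address to its IPv4 form. Skipping this
    step is the gap described for CVE-2020-26961: ::ffff:10.0.0.5 is
    not inside any IPv4 network object, so it passes an IPv4-only filter."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_blocked(addr, unwrap_mapped=True):
    ip = normalize(addr) if unwrap_mapped else ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_RANGES)


def filter_answers(answers, unwrap_mapped=True):
    """Return the DoH answers that are allowed through to the client."""
    return [a for a in answers if not is_blocked(a, unwrap_mapped)]


# Constructed sample answer set for a public hostname.
SAMPLE_ANSWERS = [
    "203.0.113.10",        # ordinary public answer (RFC 5737 documentation range)
    "10.0.0.5",            # RFC 1918: dropped by both variants
    "::ffff:10.0.0.5",     # same host, IPv4-mapped: the case that slipped through
    "2001:db8::1",         # ordinary public IPv6 answer (documentation range)
    "::ffff:192.168.1.1",  # another mapped RFC 1918 address
]

if __name__ == "__main__":
    print("naive:", filter_answers(SAMPLE_ANSWERS, unwrap_mapped=False))
    print("fixed:", filter_answers(SAMPLE_ANSWERS))
```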

- CVE-2020-26962 (access restriction bypass)

A security issue has been found in Firefox before 83.0, where
cross-origin iframes that contained a login form could have been
recognized by the login autofill service, and populated. This could have
been used in clickjacking attacks, and the populated data could have
been read across partitions in dynamic first party isolation.

- CVE-2020-26963 (denial of service)

A denial of service issue has been found in Firefox before 83.0, where
repeated calls to the history and location interfaces could have been
used to hang the browser. This was addressed by introducing
rate-limiting to these API calls.

- CVE-2020-26965 (information disclosure)

An information disclosure issue has been found in Firefox before 83.0.
Some websites have a feature "Show Password" where clicking a button
will change a password field into a textbox field, revealing the typed
password. If, when using a software keyboard that remembers user input,
a user typed their password and used that feature, the type of the
password field was changed, resulting in a keyboard layout change and
the possibility for the software keyboard to remember the typed
password.

- CVE-2020-26967 (incorrect calculation)

A security issue has been found in Firefox before 83.0 where, when
listening for page changes with a Mutation Observer, a malicious web
page could confuse Firefox Screenshots into interacting with elements
other than those that it injected into the page. This would lead to
internal errors and unexpected behavior in the Screenshots code.

- CVE-2020-26968 (arbitrary code execution)

Several memory safety issues have been found in Firefox before 83.0 and
Firefox ESR before 78.4. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these
could have been exploited to run arbitrary code.

- CVE-2020-26969 (arbitrary code execution)

Several memory safety issues have been found in Firefox before 83.0.
Some of these bugs showed evidence of memory corruption and Mozilla
presumes that with enough effort some of these could have been
exploited to run arbitrary code.

Impact
=====
A remote attacker might be able to access sensitive information, bypass
security measures, trick a user into performing unwanted actions, crash
the browser or execute arbitrary code.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/
http://git.savannah.nongnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
https://savannah.nongnu.org/bugs/?59308
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-16012
https://bugzilla.mozilla.org/show_bug.cgi?id=1642028
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26951
https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952
https://bugzilla.mozilla.org/show_bug.cgi?id=1667685
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26953
https://bugzilla.mozilla.org/show_bug.cgi?id=1656741
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26956
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26958
https://bugzilla.mozilla.org/show_bug.cgi?id=1669355
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26959
https://bugzilla.mozilla.org/show_bug.cgi?id=1669466
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26960
https://bugzilla.mozilla.org/show_bug.cgi?id=1670358
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26961
https://bugzilla.mozilla.org/show_bug.cgi?id=1672528
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962
https://bugzilla.mozilla.org/show_bug.cgi?id=610997
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26963
https://bugzilla.mozilla.org/show_bug.cgi?id=1314912
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26965
https://bugzilla.mozilla.org/show_bug.cgi?id=1661617
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26967
https://bugzilla.mozilla.org/show_bug.cgi?id=1665820
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26968
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1551615%2C1607762%2C1656697%2C1657739%2C1660236%2C1667912%2C1671479%2C1671923
https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1623920%2C1651705%2C1667872%2C1668876
https://security.archlinux.org/CVE-2020-15999
https://security.archlinux.org/CVE-2020-16012
https://security.archlinux.org/CVE-2020-26951
https://security.archlinux.org/CVE-2020-26952
https://security.archlinux.org/CVE-2020-26953
https://security.archlinux.org/CVE-2020-26956
https://security.archlinux.org/CVE-2020-26958
https://security.archlinux.org/CVE-2020-26959
https://security.archlinux.org/CVE-2020-26960
https://security.archlinux.org/CVE-2020-26961
https://security.archlinux.org/CVE-2020-26962
https://security.archlinux.org/CVE-2020-26963
https://security.archlinux.org/CVE-2020-26965
https://security.archlinux.org/CVE-2020-26967
https://security.archlinux.org/CVE-2020-26968
https://security.archlinux.org/CVE-2020-26969
