Mageia 2023-0171: firefox/nss/rootcerts security update
Summary
In multiple cases browser prompts could have been obscured by popups
controlled by content. These could have led to potential user confusion and
spoofing attacks (CVE-2023-32205).
An out-of-bounds read could have led to a crash in the RLBox Expat driver
(CVE-2023-32206).
A missing delay in popup notifications could have made it possible for an
attacker to trick a user into granting permissions (CVE-2023-32207).
A type checking bug would have led to invalid wasm code being compiled,
causing a content process crash (CVE-2023-32211).
An attacker could have positioned a datalist element to obscure the address
bar (CVE-2023-32212).
When reading a file, an uninitialized value could have been used as read
limit, causing memory corruption in FileReader::DoReadData() (CVE-2023-32213).
Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily
McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team
reported memory safety bugs present in Firefox ESR 102.1...
References
- https://bugs.mageia.org/show_bug.cgi?id=31902
- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/tZjTXdS8GQs
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89_1.html
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-17/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32205
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32206
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32207
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32211
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32212
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32213
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32215
Resolution
MGASA-2023-0171 - Updated firefox/nss/rootcerts packages fix security vulnerability
SRPMS
- 8/core/firefox-102.11.0-1.mga8
- 8/core/firefox-l10n-102.11.0-1.mga8
- 8/core/nss-3.89.1-1.mga8
- 8/core/rootcerts-20230505.00-1.mga8
