SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
(Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
SecurityTracker Alert ID:  1041651
SecurityTracker URL:  http://securitytracker.com/id/1041651
CVE Reference:   CVE-2017-16541, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379   (Links to External Site)
Date:  Sep 14 2018
Impact:   Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system. A remote user can spoof the address bar.

A remote user can use a 'javascript:' URI with JavaScript to insert text before the domain name to spoof the address bar [CVE-2018-12382]. Firefox for Android is affected.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A use-after-free memory error may occur in certain cases when refresh driver timers are refreshed [CVE-2018-12377].

A use-after-free memory error may occur when an IndexedDB index is deleted while still in use [CVE-2018-12378].

An out-of-bounds memory write error may occur when the Mozilla Updater opens a MAR format file that contains a very long item filename [CVE-2018-12379].

When the automount feature with autofs is used to create a mount point on the local file system, content can be loaded from this file system using a 'file:' URI without being processed via the proxy settings [CVE-2017-16541]. macOS is affected. Linux-based systems with autofs installed are also affected.

When the target user drags and drops an Outlook email message into the browser, a page navigation may occur [CVE-2018-12381]. Windows-based systems with Outlook installed are affected.

When a master password is set after version 58.0, unencrypted passwords are not deleted [CVE-2018-12383].

Other memory safety errors may occur [CVE-2018-12375, CVE-2018-12376].

Alex Gaynor, Andrei Cristian Petcu, Bogdan Tara, Boris Zbarsky, Christian Holler, Christoph Diehl, Filippo Cavallarin, Gary Kwong, Holger Fuhrmannek, Jana Squires, Jason Kratzer, Jed Davis, Jesse Ruderman, Jordi Chancel, Jurgen Gaeremyn, Karl Tomlinson, Looben Yang, Mats Palmgren, Nicolas Grunbaum, Nika Layzell, Nils, Sebastian Hengst, Ted Campbell, Tyson Smith, and Zhanjia Song reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass security controls on the target system.

A remote user can spoof the address bar.

Solution:   Oracle has issued a fix for CVE-2017-16541, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, and CVE-2018-12379.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-2692.html

Vendor URL:  linux.oracle.com/errata/ELSA-2018-2692.html (Links to External Site)
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Sep 7 2018 Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code



 Source Message Contents

Subject:  [El-errata] ELSA-2018-2692 Critical: Oracle Linux 7 firefox security update

Oracle Linux Security Advisory ELSA-2018-2692

http://linux.oracle.com/errata/ELSA-2018-2692.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
firefox-60.2.0-1.0.1.el7_5.i686.rpm
firefox-60.2.0-1.0.1.el7_5.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/firefox-60.2.0-1.0.1.el7_5.src.rpm



Description of changes:

[60.2.0-1.0.1]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red 
Hat file

[60.2.0-1]
- Update to 60.2.0 ESR

[60.1.0-9]
- Do not set user agent (rhbz#1608065)
- GTK dialogs are localized now (rhbz#1619373)
- JNLP association works again (rhbz#1607457)

[60.1.0-8]
- Fixed homepage and bookmarks (rhbz#1606778)
- Fixed missing file associations in RHEL6 (rhbz#1613565)

[60.1.0-7]
- Run at-spi-bus if not running already (for the bundled gtk3)

[60.1.0-6]
- Fix for missing schemes for bundled gtk3

[60.1.0-5]
- Added mesa-libEGL dependency to gtk3/rhel6


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC