(Oracle Issues Fix for Oracle Linux) Mozilla Firefox Multiple Bugs Let Remote Users Spoof the Address Bar, Bypass Security Restrictions, and Execute Arbitrary Code
SecurityTracker Alert ID: 1041651|
SecurityTracker URL: http://securitytracker.com/id/1041651
CVE-2017-16541, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379
(Links to External Site)
Date: Sep 14 2018
Execution of arbitrary code via network, Modification of system information, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system. A remote user can spoof the address bar.|
A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A use-after-free memory error may occur in certain cases when refresh driver timers are refreshed [CVE-2018-12377].
A use-after-free memory error may occur when an IndexedDB index is deleted while still in use [CVE-2018-12378].
An out-of-bounds memory write error may occur when the Mozilla Updater opens a MAR format file that contains a very long item filename [CVE-2018-12379].
When the automount feature with autofs is used to create a mount point on the local file system, content can be loaded from this file system using a 'file:' URI without being processed via the proxy settings [CVE-2017-16541]. macOS is affected. Linux-based systems with autofs installed are also affected.
When the target user drags and drops an Outlook email message into the browser, a page navigation may occur [CVE-2018-12381]. Windows-based systems with Outlook installed are affected.
When a master password is set after version 58.0, unencrypted passwords are not deleted [CVE-2018-12383].
Other memory safety errors may occur [CVE-2018-12375, CVE-2018-12376].
Alex Gaynor, Andrei Cristian Petcu, Bogdan Tara, Boris Zbarsky, Christian Holler, Christoph Diehl, Filippo Cavallarin, Gary Kwong, Holger Fuhrmannek, Jana Squires, Jason Kratzer, Jed Davis, Jesse Ruderman, Jordi Chancel, Jurgen Gaeremyn, Karl Tomlinson, Looben Yang, Mats Palmgren, Nicolas Grunbaum, Nika Layzell, Nils, Sebastian Hengst, Ted Campbell, Tyson Smith, and Zhanjia Song reported these vulnerabilities.
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.|
A remote user can bypass security controls on the target system.
A remote user can spoof the address bar.
Oracle has issued a fix for CVE-2017-16541, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, and CVE-2018-12379.|
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2018-2692.html (Links to External Site)
Access control error, Input validation error, State error|
|Underlying OS: Linux (Oracle)|
|Underlying OS Comments: 7|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [El-errata] ELSA-2018-2692 Critical: Oracle Linux 7 firefox security update|
Oracle Linux Security Advisory ELSA-2018-2692
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- Add firefox-oracle-default-prefs.js and remove the corresponding Red
- Update to 60.2.0 ESR
- Do not set user agent (rhbz#1608065)
- GTK dialogs are localized now (rhbz#1619373)
- JNLP association works again (rhbz#1607457)
- Fixed homepage and bookmarks (rhbz#1606778)
- Fixed missing file associations in RHEL6 (rhbz#1613565)
- Run at-spi-bus if not running already (for the bundled gtk3)
- Fix for missing schemes for bundled gtk3
- Added mesa-libEGL dependency to gtk3/rhel6
El-errata mailing list
Go to the Top of This SecurityTracker Archive Page