SB2018012501 - Debian update for firefox-esr 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018012501

SB2018012501 - Debian update for firefox-esr

Published: January 25, 2018

Security Bulletin ID SB2018012501
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 91% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Memory corruption (CVE-ID: CVE-2018-5089)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger mmeory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

2) Use-after-free error (CVE-ID: CVE-2018-5091)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error during WebRTC connections when interacting with the DTMF timers. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

3) Integer overflow (CVE-ID: CVE-2018-5095)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in the Skia library when allocating memory for edge builders. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

4) Use-after-free error (CVE-ID: CVE-2018-5096)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error during WebRTC connections while editing events in form elements on a page. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

5) Use-after-free error (CVE-ID: CVE-2018-5097)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error during XSL transformations. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

6) Use-after-free error (CVE-ID: CVE-2018-5098)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when manipulating form input elements. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

7) Use-after-free error (CVE-ID: CVE-2018-5099)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error in the widget listener. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

8) Use-after-free error (CVE-ID: CVE-2018-5102)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when manipulating HTML media elements with media streams. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

9) Use-after-free error (CVE-ID: CVE-2018-5103)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error during mouse event handling. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

10) Use-after-free error (CVE-ID: CVE-2018-5104)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error during font face manipulation. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

11) Spoofing attack (CVE-ID: CVE-2018-5117)

The vulnerability allows a remote attacker to spoof browser address bar.

The vulnerability exists due to an error when right-to-left text is used in the addressbar with left-to-right alignment. A remote attacker can trick the victim into visiting a specially crafted website, and spoof the URL.


Remediation

Install update from vendor's website.

References