openEuler 22.03 LTS SP1 update for mozjs78

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU74821

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-29532

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the way Mozilla Maintenance Service handles write-locks when downloading updates from a SMB server. A local user can apply an unsigned update file by pointing the service at an update file on a malicious SMB server.

The vulnerability affects only Firefox for Windows.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 22.03 LTS SP1

libmozjs-91-0: before 91.6.0-5

mozjs91-debugsource: before 91.6.0-5

mozjs91-devel: before 91.6.0-5

mozjs91-debuginfo: before 91.6.0-5

mozjs91: before 91.6.0-5

CPE2.3

• cpe:2.3:o:openeuler:openeuler:22.03:LTS SP1:*:*:*:*:*:*
• cpe:2.3:o:openeuler:libmozjs-91-0:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:mozjs91-debugsource:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:mozjs91-devel:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:mozjs91-debuginfo:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:mozjs91:*:*:*:*:*:openeuler:*:*

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1747

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.