Contents of /26325.adv

Revision 10026
Sat Mar 14 08:10:41 2020 UTC (4 years, 1 month ago) by tmb
File size: 2698 byte(s)
MGASA-2020-0141: firefox-68.6.0-1.mga7, firefox-l10n-68.6.0-1.mga7, nss-3.51.0-1.mga7
type: security
subject: Updated firefox packages fix security vulnerabilities
CVE:
  - CVE-2019-20503
  - CVE-2020-6805
  - CVE-2020-6806
  - CVE-2020-6807
  - CVE-2020-6811
  - CVE-2020-6812
  - CVE-2020-6814
src:
  7:
    core:
      - firefox-68.6.0-1.mga7
      - firefox-l10n-68.6.0-1.mga7
      - nss-3.51.0-1.mga7
description: |
  Updated firefox packages fix security vulnerabilities:

  The inputs to sctp_load_addresses_from_init are verified by
  sctp_arethere_unrecognized_parameters; however, the two functions
  handled parameter bounds differently, resulting in out of bounds
  reads when parameters are partially outside a chunk (CVE-2019-20503).

  When removing data about an origin whose tab was recently closed,
  a use-after-free could occur in the Quota manager, resulting in a
  potentially exploitable crash (CVE-2020-6805).

  By carefully crafting promise resolutions, it was possible to cause an
  out-of-bounds read off the end of an array resized during script execution.
  This could have led to memory corruption and a potentially exploitable
  crash (CVE-2020-6806).

  When a device was changed while a stream was about to be destroyed, the
  stream-reinit task may have been executed after the stream was destroyed,
  causing a use-after-free and a potentially exploitable crash
  (CVE-2020-6807).

  The 'Copy as cURL' feature of Devtools' network tab did not properly escape
  the HTTP method of a request, which can be controlled by the website. If a
  user used the 'Copy as Curl' feature and pasted the command into a terminal,
  it could have resulted in command injection and arbitrary command execution
  (CVE-2020-6811).

  The first time AirPods are connected to an iPhone, they become named after
  the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera
  or microphone permission are able to enumerate device names, disclosing the
  user's name. To resolve this issue, Firefox added a special case that
  renames devices containing the substring 'AirPods' to simply 'AirPods'
  (CVE-2020-6812).

  Mozilla developers and community members Byron Campen, Jason Kratzer, and
  Christian Holler reported memory safety bugs present in Firefox 73 and
  Firefox ESR 68.5. Some of these bugs showed evidence of memory corruption
  and we presume that with enough effort some of these could have been
  exploited to run arbitrary code (CVE-2020-6814).

  nss has been updated to 3.51 fixing various bugs and crashes.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=26325
  - https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/
  - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.51_release_notes
ID: MGASA-2020-0141
