| Summary: | mozjs60 new security issues CVE-2019-1170[78] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | mozjs60-60.4.0-2.mga7.src.rpm, gjs-1.56.2-1.mga7.src.rpm | CVE: | CVE-2019-11707, CVE-2019-11708 |
| Status comment: | |||
|
Description
David Walser
2019-12-19 23:40:18 CET
David Walser
2019-12-19 23:40:31 CET
Whiteboard:
(none) =>
MGA7TOO No registered maintainer, so assigning globally. CC relatively recent committers MartinW and DavidG. CC:
(none) =>
geiger.david68210, mageia Suggested advisory: ======================== The updated packages fix security vulnerabilities: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. (CVE-2019-11707) Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OS4TDQ75LLRCFOAXMPHTQE6XCPJGZQ6X/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZS2X4UWVWTNTNWOCAJYQO77GGSSI3H6K/ ======================== Updated packages in core/updates_testing: ======================== lib(64)mozjs60-60.9.0-1.mga7 lib(64)mozjs60-devel-60.9.0-1.mga7 gjs-1.56.2-1.1.mga7 gjs-common-1.56.2-1.1.mga7 lib(64)gjs0-1.56.2-1.1.mga7 lib(64)gjs-devel-1.56.2-1.1.mga7 lib(64)gjs-gir1.0-1.56.2-1.1.mga7 from SRPMS: mozjs60-60.9.0-1.mga7.src.rpm gjs-1.56.2-1.1.mga7.src.rpm Status:
NEW =>
ASSIGNED
Nicolas Salguero
2019-12-29 17:48:44 CET
Assignee:
pkg-bugs =>
qa-bugs Addendum to advisory: The mozjs60 package has been updated to version 60.9.0, fixing these issues and other bugs. The gjs package has been rebuilt against the updated mozjs60. MGA7-64 Plasma on Lenovo B50 No installation issues. No apparent ill effects on system, so like other Java stuff OK'ing on clean install. CC:
(none) =>
herman.viaene Validating. Advisory information in Comment 2 and Comment 3. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Thomas Backlund
2020-01-05 14:24:50 CET
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0009.html Resolution:
(none) =>
FIXED |