Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 925122 (CVE-2024-1554, CVE-2024-1555, CVE-2024-1556, CVE-2024-1557)

Summary: <www-client/firefox{-bin,}-{115.8.0,123.0}: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ajak, mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/security/advisories/mfsa2024-05/
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 925215    
Bug Blocks: 925121    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-21 04:35:32 UTC
CVE-2024-1554 (https://bugzilla.mozilla.org/show_bug.cgi?id=1816390):

The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain.  Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123.

CVE-2024-1555 (https://bugzilla.mozilla.org/show_bug.cgi?id=1873223):

When opening a website using the `firefox://` protocol handler, SameSite cookies were not properly respected. This vulnerability affects Firefox < 123.

CVE-2024-1556 (https://bugzilla.mozilla.org/show_bug.cgi?id=1870414):

The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 123.

CVE-2024-1557 (https://bugzilla.mozilla.org/buglist.cgi?bug_id=1746471%2C1848829%2C1864011%2C1869175%2C1869455%2C1869938%2C1871606):

Memory safety bugs present in Firefox 122. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 123.

Please stable when ready, thanks!
Comment 1 Larry the Git Cow gentoo-dev 2024-05-05 08:36:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7baf69564d8804275ed39f9527422cbf060dcfc9

commit 7baf69564d8804275ed39f9527422cbf060dcfc9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-05 08:35:38 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-05 08:36:01 +0000

    [ GLSA 202405-15 ] Mozilla Firefox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/925122
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-15.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)