Bug 677856 (MFSA-2019-05) - <www-client/firefox{,-bin}-{60.5.1,65.0.1}: multiple vulnerabilities (MFSA-2019-05)
Status: RESOLVED FIXED
Alias: MFSA-2019-05
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-13 10:26 UTC by Thomas Deutschmann (RETIRED)
Modified: 2019-03-10 19:51 UTC

See Also:
Package list:
www-client/firefox-60.5.1
Runtime testing required: ---
stable-bot: sanity-check+

Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-13 10:26:27 UTC
CVE-2018-18356: Use-after-free in Skia

Impact
    high

Description

A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash.

CVE-2019-5785: Integer overflow in Skia

Impact
    high

Description

An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-14 18:01:29 UTC
amd64 stable
Comment 2 Larry the Git Cow gentoo-dev 2019-02-15 18:21:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81c8c0a4c54d61012d95a35c93caad42ec6681c3

commit 81c8c0a4c54d61012d95a35c93caad42ec6681c3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-02-15 18:20:45 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-02-15 18:21:09 +0000

    www-client/firefox: security cleanup
    
    Bug: https://bugs.gentoo.org/677856
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest                 | 185 --------
 www-client/firefox/firefox-60.5.0-r1.ebuild | 420 -----------------
 www-client/firefox/firefox-65.0-r1.ebuild   | 688 ----------------------------
 www-client/firefox/firefox-65.0.ebuild      | 666 ---------------------------
 4 files changed, 1959 deletions(-)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-15 18:21:46 UTC
x86 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-15 18:22:11 UTC
Added to an existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 19:51:05 UTC
This issue was resolved and addressed in
 GLSA 201903-04 at https://security.gentoo.org/glsa/201903-04
by GLSA coordinator Aaron Bauman (b-man).