Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711290 - www-client/firefox: < 73 multiple vulnerabilities (CVE-2020-{6796,6797,6798,6799,6800,6801})
Summary: www-client/firefox: < 73 multiple vulnerabilities (CVE-2020-{6796,6797,6798,6...
Status: RESOLVED DUPLICATE of bug 709346
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-02 08:25 UTC by Ovidiu - Dan Bogat
Modified: 2020-03-07 15:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ovidiu - Dan Bogat 2020-03-02 08:25:59 UTC
CVE-2020-6796 Detail:
A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 73 and Firefox < ESR68.5.

CVE-2020-6798 Detail:
If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but is potentially a risk in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5.

CVE-2020-6800 Detail:
Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5.

CVE-2020-6801 Detail:
Mozilla developers reported memory safety bugs present in Firefox 72. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 73.
Comment 2 Sam James archtester gentoo-dev Security 2020-03-02 15:57:57 UTC
Thanks: please CC the appropriate team in reports if you can.

Affects:
- <68.5 (ESR)
- <73

@arm, alpha, ia64, ppc: could you stabilise please?
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-02 16:01:29 UTC

*** This bug has been marked as a duplicate of bug 709346 ***