Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 924844 (CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0748, CVE-2024-0752, CVE-2024-0754) - <www-client/firefox{-bin,}-{115.7.0,122.0}: multiple vulnerabilities
Summary: <www-client/firefox{-bin,}-{115.7.0,122.0}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0748, CVE-2024-0752, CVE-2024-0754
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755, MFSA-2024-01, MFSA-2024-02, MFSA-2024-04
  Show dependency tree
 
Reported: 2024-02-18 00:04 UTC by John Helmert III
Modified: 2024-02-19 06:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-18 00:04:57 UTC
CVE-2024-0743 (https://bugzilla.mozilla.org/show_bug.cgi?id=1867408):

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0744 (https://bugzilla.mozilla.org/show_bug.cgi?id=1871089):

In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0745 (https://bugzilla.mozilla.org/show_bug.cgi?id=1871838):

The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0748 (https://bugzilla.mozilla.org/show_bug.cgi?id=1783504):

A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.

CVE-2024-0752 (https://bugzilla.mozilla.org/show_bug.cgi?id=1866840):

A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0754 (https://bugzilla.mozilla.org/show_bug.cgi?id=1871605):

Some WASM source files could have caused a crash when loaded in devtools. This vulnerability affects Firefox < 122.

Just needs a GLSA.
Comment 1 Larry the Git Cow gentoo-dev 2024-02-19 06:11:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7ce0edcd566673bd38d3ec90678a39ebc68b7aa7

commit 7ce0edcd566673bd38d3ec90678a39ebc68b7aa7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 05:59:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-26 ] Mozilla Firefox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/924844
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-26.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)