Mozilla announced a type confusion vuln in Firefox before 72.0.1 and 68.4.1: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/ They say: "We are aware of targeted attacks in the wild abusing this flaw."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=428ac3e38385b44a42ead0629a4b1278c6597d3e

commit 428ac3e38385b44a42ead0629a4b1278c6597d3e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-01-08 19:48:13 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-01-08 19:57:18 +0000

    www-client/firefox-bin: bump to v68.4.1

    Bug: https://bugs.gentoo.org/705000
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest | 186 ++++++++++-----------
 ...bin-68.4.0.ebuild => firefox-bin-68.4.1.ebuild} | 0
 2 files changed, 93 insertions(+), 93 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52d25a2b63a3bfec3286b49c806fe14d99478561

commit 52d25a2b63a3bfec3286b49c806fe14d99478561
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-01-08 19:45:13 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-01-08 19:57:17 +0000

    www-client/firefox-bin: bump to v72.0.1

    Bug: https://bugs.gentoo.org/705000
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest | 186 ++++++++++-----------
 ...x-bin-72.0.ebuild => firefox-bin-72.0.1.ebuild} | 0
 2 files changed, 93 insertions(+), 93 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59f51c34a211a1e87693fc07a00a3613e384dd79

commit 59f51c34a211a1e87693fc07a00a3613e384dd79
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-01-08 19:43:07 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-01-08 19:57:15 +0000

    www-client/firefox: bump to v68.4.1

    Bug: https://bugs.gentoo.org/705000
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest | 184 ++++++++++-----------
 ...firefox-68.4.0.ebuild => firefox-68.4.1.ebuild} | 0
 2 files changed, 92 insertions(+), 92 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa1e9e29d03bf63d0f17a507b646e8449d28af0b

commit aa1e9e29d03bf63d0f17a507b646e8449d28af0b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-01-08 19:39:34 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-01-08 19:57:14 +0000

    www-client/firefox: bump to v72.0.1

    Bug: https://bugs.gentoo.org/705000
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest | 184 ++++++++++-----------
 .../{firefox-72.0.ebuild => firefox-72.0.1.ebuild} | 0
 2 files changed, 92 insertions(+), 92 deletions(-)
From https://www.mozilla.org/en-US/security/advisories/MFSA-2020-02/:

CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
Impact: high
Description: When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration.

CVE-2019-17017: Type Confusion in XPCVariant.cpp
Impact: high
Description: Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.

CVE-2019-17022: CSS sanitization does not escape HTML tags
Impact: moderate
Description: When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist.

CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
Impact: high
Description: Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
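The CVE-2019-17022 description above turns on how innerHTML serializes text nodes. The following is an added example, not part of this bug report or of Mozilla's advisory: it models the HTML serialization rule in plain Node.js, assuming the pasted text ends up as the text child of a <style> element. All function names and the sample string are constructed for illustration.

```javascript
"use strict";
// Added illustration (not Mozilla's code). Node.js has no DOM, so these
// functions model the HTML fragment serialization rule for text nodes.

// Elements whose text children innerHTML returns verbatim, per the HTML
// serialization algorithm (noscript joins them when scripting is enabled).
const RAW_TEXT_PARENTS = new Set([
  "style", "script", "xmp", "iframe", "noembed", "noframes", "plaintext",
]);

// Escaping applied to text children of every other element.
function escapeText(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/\u00a0/g, "&nbsp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Models `element.innerHTML` for an element holding a single text node.
function innerHTMLOfTextChild(parentTag, text) {
  return RAW_TEXT_PARENTS.has(parentTag.toLowerCase()) ? text : escapeText(text);
}

// Simplified tokenizer check: "<" followed by an ASCII letter opens a tag.
function wouldCreateElements(markup) {
  return /<[A-Za-z]/.test(markup);
}

// Pattern from the advisory, `dst.innerHTML = src.innerHTML`:
// returns the markup the destination element is asked to parse.
function copyViaInnerHTML(srcTag, text) {
  return innerHTMLOfTextChild(srcTag, text);
}

// Safer pattern, `dst.textContent = src.textContent`: the destination gets a
// text node, whose markup equivalent in a normal element is the escaped text.
function copyViaTextContent(text) {
  return escapeText(text);
}

// Constructed sample: CSS text with unescaped angle brackets and a benign tag.
const PASTED_CSS = "p{color:red}<b>marker</b>";

console.log("innerHTML copy  :", copyViaInnerHTML("style", PASTED_CSS));
console.log("textContent copy:", copyViaTextContent(PASTED_CSS));
```

A page that moves editor content between nodes can avoid the re-parse by copying textContent or cloning nodes rather than round-tripping through innerHTML.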
amd64 & x86 stable
Superseded by bug 709346.
This issue was resolved and addressed in GLSA 202003-02 at https://security.gentoo.org/glsa/202003-02 by GLSA coordinator Thomas Deutschmann (whissi).