Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 924844 (CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0748, CVE-2024-0752, CVE-2024-0754) - <www-client/firefox{-bin,}-{115.7.0,122.0}: multiple vulnerabilities
Summary: <www-client/firefox{-bin,}-{115.7.0,122.0}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0748, CVE-2024-0752, CVE-2024-0754
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755, MFSA-2024-01, MFSA-2024-02, MFSA-2024-04
  Show dependency tree
 
Reported: 2024-02-18 00:04 UTC by John Helmert III
Modified: 2024-02-19 06:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-18 00:04:57 UTC 
CVE-2024-0743 (https://bugzilla.mozilla.org/show_bug.cgi?id=1867408):

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0744 (https://bugzilla.mozilla.org/show_bug.cgi?id=1871089):

In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0745 (https://bugzilla.mozilla.org/show_bug.cgi?id=1871838):

The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0748 (https://bugzilla.mozilla.org/show_bug.cgi?id=1783504):

A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the address bar or history. This vulnerability affects Firefox < 122.

CVE-2024-0752 (https://bugzilla.mozilla.org/show_bug.cgi?id=1866840):

A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. This could have resulted in an exploitable crash. This vulnerability affects Firefox < 122.

CVE-2024-0754 (https://bugzilla.mozilla.org/show_bug.cgi?id=1871605):

Some WASM source files could have caused a crash when loaded in devtools. This vulnerability affects Firefox < 122.

Just needs a GLSA.
Comment 1 Larry the Git Cow gentoo-dev 2024-02-19 06:11:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7ce0edcd566673bd38d3ec90678a39ebc68b7aa7

commit 7ce0edcd566673bd38d3ec90678a39ebc68b7aa7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 05:59:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-26 ] Mozilla Firefox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/924844
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-26.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)