ISN 2020-08: Firefox ESR Various Vulnerabilities
Announced 17 September 2020
Score: High
Several security issues, 8 rated as high, affect the Firefox ESR web browser on:
IGEL OS 11
IGEL OS 10
IGEL Linux 5
Details
It has been found that manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript (CVE-2020-12418). Apart from that, by observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect (CVE-2020-15652. The WebRTC data channel could leak internal memory addresses to a peer, enabling them to bypass ASLR (CVE-2020-6514).
Another vulnerability allowed a malicious webpage to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed (CVE-2020-15664).
Finally, a number of memory management bugs have been discovered (CVE-2020-12419, CVE-2020-12420, CVE-2020-15659, CVE-2020-15669).
Update Instructions
IGEL OS 11: Update to IGEL OS 11.04.130 or newer.
IGEL OS 10: An updated version is upcoming. When it is available, this document will be updated.
IGEL Linux 5: This version does not have the space required for the Firefox ESR update. IGEL recommends removing the web browser feature if possible: https://wiki.test.toolchain.igel.kreuzwerker.net/igellinux/en/features-2275613.html
References
Mozilla Foundation Security Advisory 2020-25: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/
Mozilla Foundation Security Advisory 2020-31: https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
Mozilla Foundation Security Advisory 2020-37: https://www.mozilla.org/en-US/security/advisories/mfsa2020-37/