Opened 3 years ago

Closed 3 years ago

#10863 closed defect (fixed)

firefox-60.0.2

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 8.3
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

In today's security announcements at lwn.net, Arch have updated to 60.0.2

Description

A heap-based buffer overflow has been found in the Skia component of the Firefox browser before 60.0.2, when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off.

Impact

A remote attacker can execute arbitrary code via a crafted SVG file.

https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/ - also fixed in 60.0.2ESR and 52.8.1 ESR

CVE-2018-6126 impact rated as high.

Change History (3)

comment:1 by ken@…, 3 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

Apart from the obvious change, minimum nss required version is 3.36.4 (release notes for that say it fixed a macOS problem) and some changes to apparently use PKCS12 - the release notes for nss-3.37.1 which is in the book include a PKCS12 bugfix, so we should be good to go. Currently building, the patches do apply.
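As an added example (not part of this ticket or of the BLFS book), the minimum versions named in the ticket turned into a small POSIX shell gate that a builder can run before committing the update. It assumes GNU `sort -V` is available, that the fixed firefox versions are 60.0.2 (52.8.1 on the 52 ESR branch) and the nss minimum is 3.36.4, as stated above; the `firefox --version` and `pkg-config` invocations are assumptions left commented out so the script runs offline.

```shell
#!/bin/sh
# Added example: gate a build on the fixed versions named in this ticket.
# Assumed minimums (from the ticket): firefox 60.0.2, or 52.8.1 on the 52 ESR
# branch, for CVE-2018-6126; nss 3.36.4 as the minimum firefox-60.0.2 needs.

# version_ge A B: succeed (exit 0) when A >= B in dotted-numeric ordering.
version_ge() {
    # sort -V (GNU coreutils) puts the smaller version first; if B sorts
    # first, or the two are equal, then A >= B.
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# firefox_fixed VERSION: succeed when VERSION carries the fix for CVE-2018-6126.
# Accepts "60.0.2", "60.0.2esr", "52.8.1esr" etc.; the ESR suffix is ignored.
firefox_fixed() {
    v=$(printf '%s' "$1" | sed 's/[eE][sS][rR]$//')
    case "$v" in
        52.*) version_ge "$v" "52.8.1" ;;   # 52 ESR branch fixed in 52.8.1
        *)    version_ge "$v" "60.0.2" ;;   # 60 branch (and 60 ESR) fixed in 60.0.2
    esac
}

# nss_ok VERSION: succeed when the installed nss meets firefox-60.0.2's minimum.
nss_ok() {
    version_ge "$1" "3.36.4"
}

# report NAME VERSION CHECK: print one status line; fail when CHECK fails.
report() {
    if "$3" "$2"; then
        printf '%s %s: ok\n' "$1" "$2"
    else
        printf '%s %s: UPDATE NEEDED\n' "$1" "$2"
        return 1
    fi
}

# Constructed sample values, so the script demonstrates itself offline:
report firefox 60.0.1esr firefox_fixed || true   # pre-fix 60 ESR
report firefox 52.8.1esr firefox_fixed           # fixed 52 ESR
report nss 3.37.1 nss_ok                          # the version in the book

# Live use (assumption: the tools are on PATH), left commented out:
#   report firefox "$(firefox --version | awk '{print $NF}')" firefox_fixed
#   report nss "$(pkg-config --modversion nss)" nss_ok
```

The branch split matters because a plain numeric comparison against 60.0.2 would flag every 52 ESR install as vulnerable, including 52.8.1, which the advisory lists as fixed.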

comment:2 by ken@…, 3 years ago

Priority: normal → high

comment:3 by ken@…, 3 years ago

Resolution: fixed
Status: assigned → closed