Opened 8 years ago
Closed 8 years ago
#10863 closed defect (fixed)
firefox-60.0.2
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | 8.3 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
In today's security announcements at lwn.net, Arch have updated to 60.0.2:
> Description
> A heap-based buffer overflow has been found in the Skia component of the Firefox browser before 60.0.2, when rasterizing paths using a maliciously crafted SVG file with anti-aliasing turned off.
> Impact
> A remote attacker can execute arbitrary code via a crafted SVG file.
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/ - also fixed in 60.0.2 ESR and 52.8.1 ESR
CVE-2018-6126 impact rated as high.
Change History (3)
comment:1 by , 8 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 8 years ago
| Priority: | normal → high |
|---|

Apart from the obvious change, minimum nss required version is 3.36.4 (release notes for that say it fixed a macOS problem) and some changes to apparently use PKCS12 - the release notes for nss-3.37.1 which is in the book include a PKCS12 bugfix, so we should be good to go. Currently building, the patches do apply.