firefox-52.8.0-1.0.1.AXS4
Errata ID: AXSA:2018-3109:05
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 52.8.0 ESR.
Security Fix(es):
* Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 (CVE-2018-5150)
* Mozilla: Backport critical security fixes in Skia (CVE-2018-5183)
* Mozilla: Use-after-free with SVG animations and clip paths (CVE-2018-5154)
* Mozilla: Use-after-free with SVG animations and text paths (CVE-2018-5155)
* Mozilla: Same-origin bypass of PDF Viewer to view protected PDF files (CVE-2018-5157)
* Mozilla: Malicious PDF can inject JavaScript into PDF Viewer (CVE-2018-5158)
* Mozilla: Integer overflow and out-of-bounds write in Skia (CVE-2018-5159)
* Mozilla: Lightweight themes can be installed without user interaction (CVE-2018-5168)
* Mozilla: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension (CVE-2018-5178)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Asianux would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christoph Diehl, Randell Jesup, Tyson Smith, Alex Gaynor, Ronald Crane, Julian Hector, Kannan Vijayan, Jason Kratzer, Mozilla Developers, Nils, Wladimir Palant, Ivan Fratric, and Root Object as the original reporters.
CVE-2018-5150
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
CVE-2018-5154
CVE-2018-5155
CVE-2018-5157
CVE-2018-5158
CVE-2018-5159
CVE-2018-5168
CVE-2018-5178
CVE-2018-5183
Update packages.
Memory safety bugs were reported in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.
An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This vulnerability affects Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
A buffer overflow was found during UTF-8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8.
Mozilla developers backported selected changes in the Skia library. These changes correct memory corruption issues including invalid buffer reads and writes during graphic operations. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8.
N/A
SRPMS
- firefox-52.8.0-1.0.1.AXS4.src.rpm
MD5: 2fd5690acc5f8d44cb0f16388f6e1a30
SHA-256: c068e2bc4b8fc49e6358faabf473f4eda9aeea3fbd91f064b6627d9058f4fbfc
Size: 369.83 MB
Asianux Server 4 for x86
- firefox-52.8.0-1.0.1.AXS4.i686.rpm
MD5: b189d712aa3c30133add57fc46e4275a
SHA-256: a10c852961d54a7829b6b4f8b8232b297c2e8948aa9a9f2bacf28587e59a354a
Size: 79.79 MB
Asianux Server 4 for x86_64
- firefox-52.8.0-1.0.1.AXS4.x86_64.rpm
MD5: a5aea99260ee66cf92ef3587922a2728
SHA-256: e4085a280892aa1d80fa8c7cd64bdcbe34ed4e98de5787eba091d10558f227de
Size: 79.34 MB
- firefox-52.8.0-1.0.1.AXS4.i686.rpm
MD5: b189d712aa3c30133add57fc46e4275a
SHA-256: a10c852961d54a7829b6b4f8b8232b297c2e8948aa9a9f2bacf28587e59a354a
Size: 79.79 MB
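To triage which hosts still run a build older than the fixed package firefox-52.8.0-1.0.1.AXS4, the following added example (not part of the Asianux advisory) compares installed version and release strings against the fixed build using a simplified RPM segment comparison. It assumes inventory lines collected with something like `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' firefox` and prefixed with a host name; the host names and installed versions in the sample are constructed, and epoch and `~` handling are omitted.

```python
import re

# Fixed build from the advisory: firefox-52.8.0-1.0.1.AXS4
FIXED_VERSION, FIXED_RELEASE = "52.8.0", "1.0.1.AXS4"

def rpmvercmp(a, b):
    """Simplified RPM-style comparison: returns -1, 0 or 1.

    Strings are split into numeric and alphabetic segments; numeric
    segments compare as integers, a numeric segment is newer than an
    alphabetic one, and the string with extra trailing segments wins.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(version, release):
    """True if version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

# Constructed inventory: "<host> <name> <version> <release> <arch>"
SAMPLE = """\
web01 firefox 52.8.0 1.0.1.AXS4 x86_64
web02 firefox 52.7.3 1.0.1.AXS4 x86_64
desk07 firefox 52.7.0 1.0.1.AXS4 i686
desk09 firefox 52.8.0 1.AXS4 x86_64
desk11 firefox 60.0 1.AXS4 x86_64
"""

def unpatched_hosts(inventory):
    """Return hosts whose firefox package predates the fixed build."""
    flagged = []
    for line in inventory.splitlines():
        host, name, version, release, _arch = line.split()
        if name == "firefox" and not is_patched(version, release):
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE))
```
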