[ASA-201906-19] firefox-developer-edition: arbitrary code execution

2019-06-19T00:00:00
ID ASA-201906-19
Type archlinux
Reporter ArchLinux
Modified 2019-06-19T00:00:00

Description

Arch Linux Security Advisory ASA-201906-19

Severity: Critical
Date    : 2019-06-19
CVE-ID  : CVE-2019-11707
Package : firefox-developer-edition
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-995

Summary

The package firefox-developer-edition before version 68.0b11-1 is vulnerable to arbitrary code execution.

Resolution

Upgrade to 68.0b11-1.

pacman -Syu "firefox-developer-edition>=68.0b11-1"

The problem has been fixed upstream in version 68.0b11.

Workaround

None.

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, in Firefox before 67.0.3. This can allow for an exploitable crash. Mozilla has been made aware of targeted attacks in the wild abusing this flaw.

Impact

A remote attacker can execute arbitrary code via crafted JavaScript code.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18
https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707
https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
https://security.archlinux.org/CVE-2019-11707