SB2020060238 - Use-after-free in firefox-esr (Alpine package)
Published: June 2, 2020
Security Bulletin ID
SB2020060238
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use-after-free (CVE-ID: CVE-2020-12405)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when in SharedWorkerService due to a race condition. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=aadba671901181be240a1d151a9f3a04f2ce3ca5
- https://git.alpinelinux.org/aports/commit/?id=37e37d549603b29c55fafcde8f3732cfb9db1640
- https://git.alpinelinux.org/aports/commit/?id=c3bc99eb0be5fedab0fdd751a54afe87028c920b
- https://git.alpinelinux.org/aports/commit/?id=da1c1b9ae466f66ae95fc66418a02c3ae10be583
- https://git.alpinelinux.org/aports/commit/?id=5d9ca1b5fa041ac0d09e2bd2038f505e06c7d7f5
- https://git.alpinelinux.org/aports/commit/?id=b3181176e64948e2cd534829b0e3883aed67a27c
- https://git.alpinelinux.org/aports/commit/?id=66010d68451b4eac4d3f7315739fd156bd840f21
- https://git.alpinelinux.org/aports/commit/?id=8dc0bf1501171d97e4b280f12987e24bf3cc53f7