{"id":"MGASA-2020-0027","summary":"Updated firefox packages fix security vulnerability","details":"When pasting a \u003cstyle\u003e tag from the clipboard into a rich text editor, the CSS\nsanitizer incorrectly rewrites a @namespace rule. This could allow for\ninjection into certain types of websites resulting in data exfiltration\n(CVE-2019-17016).\n\nDue to a missing case handling object types, a type confusion vulnerability\ncould occur, resulting in a crash. We presume that with enough effort that it\ncould be exploited to run arbitrary code (CVE-2019-17017).\n\nWhen pasting a \u003cstyle\u003e tag from the clipboard into a rich text editor, the CSS\nsanitizer does not escape \u003c and \u003e characters. Because the resulting string is\npasted directly into the text node of the element this does not result in a\ndirect injection into the webpage; however, if a webpage subsequently copies\nthe node's innerHTML, assigning it to another innerHTML, this would result in\nan XSS vulnerability. Two WYSIWYG editors were identified with this behavior,\nmore may exist (CVE-2019-17022).\n\nMozilla developers reported memory safety bugs present in Firefox ESR 68.3.\nSome of these bugs showed evidence of memory corruption and we presume that\nwith enough effort some of these could have been exploited to run arbitrary\ncode (CVE-2019-17024).\n\nIncorrect alias information in IonMonkey JIT compiler for setting array\nelements could lead to a type confusion. We are aware of targeted attacks in\nthe wild abusing this flaw (CVE-2019-17026).\n","modified":"2026-04-16T00:10:34.944550311Z","published":"2020-01-09T20:11:02Z","upstream":["CVE-2019-17016","CVE-2019-17017","CVE-2019-17022","CVE-2019-17024","CVE-2019-17026"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0027.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26027"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-02/"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes"},{"type":"WEB","url":"https://www.mozilla.org/en-US/firefox/68.4.0/releasenotes/"},{"type":"WEB","url":"https://www.mozilla.org/en-US/firefox/68.4.1/releasenotes/"}],"affected":[{"package":{"name":"firefox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"68.4.1-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0027.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"68.4.1-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0027.json"}},{"package":{"name":"nss","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.49.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0027.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}