{"id":"MGASA-2022-0427","summary":"Updated firefox packages fix security vulnerability","details":"In libexpat through 2.4.9, there is a use-after free caused by overeager\ndestruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory\nsituations (CVE-2022-43680).\n\nService Workers should not be able to infer information about opaque\ncross-origin responses; but timing information for cross-origin media combined\nwith Range requests might have allowed them to determine the presence or\nlength of a media file (CVE-2022-45403).\n\nThrough a series of popup and window.print() calls, an attacker can cause a\nwindow to go fullscreen without the user seeing the notification prompt,\nresulting in potential user confusion or spoofing attacks (CVE-2022-45404).\n\nFreeing arbitrary nsIInputStream's on a different thread than creation could\nhave led to a use-after-free and potentially exploitable crash\n(CVE-2022-45405).\n\nIf an out-of-memory condition occurred when creating a JavaScript global, a\nJavaScript realm may be deleted while references to it lived on in a\nBaseShape. This could lead to a use-after-free causing a potentially\nexploitable crash (CVE-2022-45406).\n\nThrough a series of popups that reuse windowName, an attacker can cause a\nwindow to go fullscreen without the user seeing the notification prompt,\nresulting in potential user confusion or spoofing attacks (CVE-2022-45408).\n\nThe garbage collector could have been aborted in several states and zones and\nGCRuntime::finishCollection may not have been called, leading to a\nuse-after-free and potentially exploitable crash (CVE-2022-45409).\n\nWhen a ServiceWorker intercepted a request with FetchEvent, the origin of the\nrequest was lost after the ServiceWorker took ownership of it. This had the\neffect of negating SameSite cookie protections. This was addressed in the spec\nand then in browsers (CVE-2022-45410).\n\nCross-Site Tracing occurs when a server will echo a request back via the Trace\nmethod, allowing an XSS attack to access to authorization headers and cookies\ninaccessible to JavaScript (such as cookies protected by HTTPOnly). To\nmitigate this attack, browsers placed limits on fetch() and XMLHttpRequest;\nhowever some webservers have implemented non-standard headers such as\nX-Http-Method-Override that override the HTTP method, and made this attack\npossible again. Firefox has applied the same mitigations to the use of this\nand similar headers (CVE-2022-45411).\n\nWhen resolving a symlink such as file:///proc/self/fd/1, an error message may\nbe produced where the symlink was resolved to a string containing unitialized\nmemory in the buffer (CVE-2022-45412).\n\nKeyboard events reference strings like \"KeyA\" that were at fixed, known, and\nwidely-spread addresses. Cache-based timing attacks such as Prime+Probe could\nhave possibly figured out which keys were being pressed (CVE-2022-45416).\n\nIf a custom mouse cursor is specified in CSS, under certain circumstances the\ncursor could have been drawn over the browser UI, resulting in potential user\nconfusion or spoofing attacks (CVE-2022-45418).\n\nUse tables inside of an iframe, an attacker could have caused iframe contents\nto be rendered outside the boundaries of the iframe, resulting in potential\nuser confusion or spoofing attacks (CVE-2022-45420).\n\nMozilla developers Andrew McCreight and Gabriele Svelto reported memory safety\nbugs present in Firefox ESR 102.4. Some of these bugs showed evidence of\nmemory corruption and we presume that with enough effort some of these could\nhave been exploited to run arbitrary code (CVE-2022-45421).\n","modified":"2026-04-16T00:12:00.394134266Z","published":"2022-11-17T20:45:15Z","upstream":["CVE-2022-43680","CVE-2022-45403","CVE-2022-45404","CVE-2022-45405","CVE-2022-45406","CVE-2022-45408","CVE-2022-45409","CVE-2022-45410","CVE-2022-45411","CVE-2022-45412","CVE-2022-45416","CVE-2022-45418","CVE-2022-45420","CVE-2022-45421"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0427.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=31128"},{"type":"WEB","url":"https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/fHvKAhUTnLs"},{"type":"WEB","url":"https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_85.html"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/"}],"affected":[{"package":{"name":"firefox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"102.5.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0427.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"102.5.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0427.json"}},{"package":{"name":"nss","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.85.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0427.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}