Mozilla Firefox: Remote code execution — GLSA 202101-04

A use-after-free in Mozilla Firefox's SCTP handling may allow remote code execution.

Affected packages

  Package                  Vulnerable      Unaffected
  www-client/firefox       < 84.0.2        >= 78.6.1
                                           >= 84.0.2
  www-client/firefox-bin   < 84.0.2        >= 78.6.1
                                           >= 84.0.2

Both packages are affected on all architectures. The 78.6.1 bound applies to the ESR branch only (slot 0/esr78, as in the Resolution atoms below): a rapid-release version such as 80.0 is above 78.6.1 but still vulnerable until 84.0.2.

Background

Mozilla Firefox is a popular open-source web browser from the Mozilla project.

Description

A use-after-free bug was discovered in Mozilla Firefox's handling of SCTP (Stream Control Transmission Protocol). Firefox uses SCTP for WebRTC data channels, so the affected code is reachable by a remote peer.

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Firefox ESR users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-78.6.1:0/esr78"

All Firefox ESR binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-78.6.1:0/esr78"

All Firefox users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-84.0.2"

All Firefox binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-84.0.2"
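The commands above perform the upgrade; before and after running them, a practitioner usually wants to confirm which installed versions still fall inside the advisory's bounds. The script below is an added example written for this page, not part of the GLSA or of Gentoo's own tooling. It assumes, based on the ":0/esr78" slot in the Resolution atoms, that a 78.x version is the ESR branch and must be judged against 78.6.1, while every other version is judged against 84.0.2. It handles dotted-numeric versions with an optional Gentoo "-rN" revision (pre-release suffixes such as "_rc1" are not handled), and with no arguments it reads /var/db/pkg, the Portage installed-package database.

```shell
#!/bin/sh
# Added example for GLSA 202101-04; not part of the advisory or of Gentoo's
# tooling. Classifies a www-client/firefox or firefox-bin version as affected
# or unaffected using the advisory's bounds: ESR fixed in 78.6.1, rapid
# release fixed in 84.0.2.
#
# Assumptions (inferred from the ":0/esr78" atoms, not stated by the advisory):
#   * a 78.x version belongs to the ESR branch and is judged against 78.6.1;
#   * anything else is judged against 84.0.2;
#   * versions are dotted numerics with an optional Gentoo "-rN" revision;
#     pre-release suffixes such as "_rc1" are not handled.

ESR_FIXED="78.6.1"
MAIN_FIXED="84.0.2"

# strip_revision VERSION: drop a trailing Gentoo revision ("-r1"). A revision
# bump repackages the same upstream release, so it does not change fix status.
strip_revision() {
    printf '%s\n' "${1%-r[0-9]*}"
}

# version_ge A B: return 0 if A >= B, comparing dotted components numerically
# with missing components treated as 0 (so 84 == 84.0 < 84.0.2).
version_ge() {
    a=$(strip_revision "$1")
    b=$(strip_revision "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# glsa_202101_04_status VERSION: print "affected" or "unaffected".
glsa_202101_04_status() {
    v=$(strip_revision "$1")
    case $v in
        78.*) fixed=$ESR_FIXED ;;   # ESR branch (slot 0/esr78)
        *)    fixed=$MAIN_FIXED ;;  # rapid release, and anything older than 78
    esac
    if version_ge "$v" "$fixed"; then
        echo unaffected
    else
        echo affected
    fi
}

# report_installed: walk the Portage VDB (/var/db/pkg) for installed Firefox
# packages and print one status line per package. Prints nothing when neither
# package is installed.
report_installed() {
    for dir in /var/db/pkg/www-client/firefox-[0-9]* \
               /var/db/pkg/www-client/firefox-bin-[0-9]*; do
        [ -d "$dir" ] || continue
        name=${dir##*/}            # e.g. firefox-bin-84.0.2-r1
        pkg=${name%-[0-9]*}        # firefox-bin
        ver=${name#"$pkg"-}        # 84.0.2-r1
        printf 'www-client/%s-%s: %s\n' "$pkg" "$ver" "$(glsa_202101_04_status "$ver")"
    done
}

# Usage: sh glsa-202101-04-check.sh [VERSION ...]
# With no arguments, reports on the locally installed packages instead.
if [ $# -gt 0 ]; then
    for v in "$@"; do
        printf '%s: %s\n' "$v" "$(glsa_202101_04_status "$v")"
    done
else
    report_installed
fi
```

The branch-aware check is the point: a naive "installed version >= 78.6.1" test would mark a rapid-release 80.0 as safe, while the advisory's bounds leave it vulnerable until 84.0.2. Run it with explicit versions (`sh glsa-202101-04-check.sh 78.6.1 80.0 84.0.2-r1`) to see how each is classified, or with no arguments on a Gentoo host to audit what is actually installed.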

References

Release date
January 10, 2021

Latest revision
January 10, 2021: 1

Severity
normal

Exploitable
remote

Bugzilla entries