Arch Linux alert ASA-202105-5 (firefox) [LWN.net]

From:
               Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To:
               arch-security@lists.archlinux.org
Subject:
               [ASA-202105-5] firefox: arbitrary code execution
Date:
               Thu, 20 May 2021 20:04:04 +0200
Message-ID:
               <20210520180404.4wnpv3qaptsyddji@archlinux.org>
Cc:
               Jonas Witschel <diabonas@archlinux.org>
Arch Linux Security Advisory ASA-202105-5
=========================================

Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-29952
Package : firefox
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1917

Summary
=======

The package firefox before version 88.0.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 88.0.1-1.

# pacman -Syu "firefox>=88.0.1-1"

The problem has been fixed upstream in version 88.0.1.

Workaround
==========

None.

Description
===========

A security issue has been found in Firefox before version 88.0.1. When
Web Render components were destructed, a race condition could have
caused undefined behavior, and Mozilla presumes that with enough effort
may have been exploitable to run arbitrary code.

Impact
======

A remote attacker could execute arbitrary code through a crafted HTML
page.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa202...
https://bugzilla.mozilla.org/show_bug.cgi?id=1704227
https://security.archlinux.org/CVE-2021-29952

From:		Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To:		arch-security@lists.archlinux.org
Subject:		[ASA-202105-5] firefox: arbitrary code execution
Date:		Thu, 20 May 2021 20:04:04 +0200
Message-ID:		<20210520180404.4wnpv3qaptsyddji@archlinux.org>
Cc:		Jonas Witschel <diabonas@archlinux.org>