[ASA-202001-3] firefox: arbitrary code execution

Related Vulnerabilities: CVE-2019-17026  

Arch Linux Security Advisory ASA-202001-3 ========================================= Severity: Critical Date : 2020-01-10 CVE-ID : CVE-2019-17026 Package : firefox Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1085 Summary ======= The package firefox before version 72.0.1-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 72.0.1-1. # pacman -Syu "firefox>=72.0.1-1" The problem has been fixed upstream in version 72.0.1. Workaround ========== None. Description =========== A type confusion vulnerability has been found in Firefox before 72.0.1. Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion with StoreElementHole and FallibleStoreElement. Mozilla is aware of targeted attacks in the wild abusing this flaw. Impact ====== A remote attacker can execute arbitrary code on the affected host. References ========== https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/#CVE-2019-17026 https://bugzilla.mozilla.org/show_bug.cgi?id=1607443 https://security.archlinux.org/CVE-2019-17026