MozillaFirefox-118.0.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13272-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaFirefox-118.0.1-1.1 on GA media These are all security issues fixed in the MozillaFirefox-118.0.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13272 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-5168/ SUSE CVE CVE-2023-5168 page https://www.suse.com/security/cve/CVE-2023-5169/ SUSE CVE CVE-2023-5169 page https://www.suse.com/security/cve/CVE-2023-5170/ SUSE CVE CVE-2023-5170 page https://www.suse.com/security/cve/CVE-2023-5171/ SUSE CVE CVE-2023-5171 page https://www.suse.com/security/cve/CVE-2023-5172/ SUSE CVE CVE-2023-5172 page https://www.suse.com/security/cve/CVE-2023-5173/ SUSE CVE CVE-2023-5173 page https://www.suse.com/security/cve/CVE-2023-5174/ SUSE CVE CVE-2023-5174 page https://www.suse.com/security/cve/CVE-2023-5175/ SUSE CVE CVE-2023-5175 page https://www.suse.com/security/cve/CVE-2023-5176/ SUSE CVE CVE-2023-5176 page https://www.suse.com/security/cve/CVE-2023-5217/ SUSE CVE CVE-2023-5217 page openSUSE Tumbleweed MozillaFirefox-118.0.1-1.1 MozillaFirefox-branding-upstream-118.0.1-1.1 MozillaFirefox-devel-118.0.1-1.1 MozillaFirefox-translations-common-118.0.1-1.1 MozillaFirefox-translations-other-118.0.1-1.1 MozillaFirefox-118.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-branding-upstream-118.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-devel-118.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-translations-common-118.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-translations-other-118.0.1-1.1 as a component of openSUSE Tumbleweed A compromised content process could have provided malicious data to `FilterNodeD2D1` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. CVE-2023-5168 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5168.html CVE-2023-5168 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 A compromised content process could have provided malicious data in a `PathRecording` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. CVE-2023-5169 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5169.html CVE-2023-5169 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox < 118. CVE-2023-5170 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5170.html CVE-2023-5170 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 During Ion compilation, a Garbage Collection could have resulted in a use-after-free condition, allowing an attacker to write two NUL bytes, and cause a potentially exploitable crash. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. CVE-2023-5171 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5171.html CVE-2023-5171 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 A hashtable in the Ion Engine could have been mutated while there was a live interior reference, leading to a potential use-after-free and exploitable crash. This vulnerability affects Firefox < 118. CVE-2023-5172 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5172.html CVE-2023-5172 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 In a non-standard configuration of Firefox, an integer overflow could have occurred based on network traffic (possibly under influence of a local unprivileged webpage), leading to an out-of-bounds write to privileged process memory. *This bug only affects Firefox if a non-standard preference allowing non-HTTPS Alternate Services (`network.http.altsvc.oe`) is enabled.* This vulnerability affects Firefox < 118. CVE-2023-5173 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5173.html CVE-2023-5173 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 If Windows failed to duplicate a handle during process creation, the sandbox code may have inadvertently freed a pointer twice, resulting in a use-after-free and a potentially exploitable crash. *This bug only affects Firefox on Windows when run in non-standard configurations (such as using `runas`). Other operating systems are unaffected.* This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. CVE-2023-5174 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5174.html CVE-2023-5174 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 During process shutdown, it was possible that an `ImageBitmap` was created that would later be used after being freed from a different codepath, leading to a potentially exploitable crash. This vulnerability affects Firefox < 118. CVE-2023-5175 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5175.html CVE-2023-5175 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. CVE-2023-5176 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5176.html CVE-2023-5176 https://bugzilla.suse.com/1215575 SUSE Bug 1215575 Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2023-5217 openSUSE Tumbleweed:MozillaFirefox-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-118.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-118.0.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-5217.html CVE-2023-5217 https://bugzilla.suse.com/1215776 SUSE Bug 1215776 https://bugzilla.suse.com/1215778 SUSE Bug 1215778 https://bugzilla.suse.com/1215814 SUSE Bug 1215814 https://bugzilla.suse.com/1217559 SUSE Bug 1217559