SUSE-SU-2018:2298-1: important: Security update for MozillaFirefox

Fri Aug 10 07:08:05 MDT 2018

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2298-1
Rating:             important
References:         #1092548 #1096449 #1098998 
Cross-References:   CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
                    CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
                    CVE-2018-12366 CVE-2018-12368 CVE-2018-5150
                    CVE-2018-5154 CVE-2018-5155 CVE-2018-5156
                    CVE-2018-5157 CVE-2018-5158 CVE-2018-5159
                    CVE-2018-5168 CVE-2018-5178 CVE-2018-5183
                    CVE-2018-5188 CVE-2018-6126
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that fixes 20 vulnerabilities is now available.

Description:

   This update for MozillaFirefox to the 52.9 ESR release fixes the following
   issues:

   These security issues were fixed:

   - Firefox ESR 52.9:
   - CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1,
     and Firefox ESR 52.9 (bsc#1098998).
   - CVE-2018-12368 No warning when opening executable SettingContent-ms
     files (bsc#1098998).
   - CVE-2018-12366 Invalid data handling during QCMS transformations
     (bsc#1098998).
   - CVE-2018-12365 Compromised IPC child process can list local filenames
     (bsc#1098998).
   - CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins
     (bsc#1098998).
   - CVE-2018-12363 Use-after-free when appending DOM nodes (bsc#1098998).
   - CVE-2018-12362 Integer overflow in SSSE3 scaler (bsc#1098998).
   - CVE-2018-12360 Use-after-free when using focus() (bsc#1098998).
   - CVE-2018-5156 Media recorder segmentation fault when track type is
     changed during capture (bsc#1098998).
   - CVE-2018-12359 Buffer overflow using computed size of canvas element
     (bsc#1098998).

   - Firefox ESR 52.8:
   - CVE-2018-6126: Prevent heap buffer overflow in rasterizing paths in SVG
     with Skia (bsc#1096449).
   - CVE-2018-5183: Backport critical security fixes in Skia (bsc#1092548).
   - CVE-2018-5154: Use-after-free with SVG animations and clip paths
     (bsc#1092548).
   - CVE-2018-5155: Use-after-free with SVG animations and text paths
     (bsc#1092548).
   - CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF
     files (bsc#1092548).
   - CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
     (bsc#1092548).
   - CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
     (bsc#1092548).
   - CVE-2018-5168: Lightweight themes can be installed without user
     interaction (bsc#1092548).
   - CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
     through legacy extension (bsc#1092548).
   - CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR
     52.8 (bsc#1092548).

   These non-security issues were fixed:

   - Various stability and regression fixes
   - Performance improvements to the Safe Browsing service to avoid slowdowns
     while updating site classification data

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1536=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-52.9.0esr-3.7.12
      MozillaFirefox-debuginfo-52.9.0esr-3.7.12
      MozillaFirefox-debugsource-52.9.0esr-3.7.12
      MozillaFirefox-translations-common-52.9.0esr-3.7.12
      MozillaFirefox-translations-other-52.9.0esr-3.7.12

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-52.9.0esr-3.7.12

References:

   https://www.suse.com/security/cve/CVE-2018-12359.html
   https://www.suse.com/security/cve/CVE-2018-12360.html
   https://www.suse.com/security/cve/CVE-2018-12362.html
   https://www.suse.com/security/cve/CVE-2018-12363.html
   https://www.suse.com/security/cve/CVE-2018-12364.html
   https://www.suse.com/security/cve/CVE-2018-12365.html
   https://www.suse.com/security/cve/CVE-2018-12366.html
   https://www.suse.com/security/cve/CVE-2018-12368.html
   https://www.suse.com/security/cve/CVE-2018-5150.html
   https://www.suse.com/security/cve/CVE-2018-5154.html
   https://www.suse.com/security/cve/CVE-2018-5155.html
   https://www.suse.com/security/cve/CVE-2018-5156.html
   https://www.suse.com/security/cve/CVE-2018-5157.html
   https://www.suse.com/security/cve/CVE-2018-5158.html
   https://www.suse.com/security/cve/CVE-2018-5159.html
   https://www.suse.com/security/cve/CVE-2018-5168.html
   https://www.suse.com/security/cve/CVE-2018-5178.html
   https://www.suse.com/security/cve/CVE-2018-5183.html
   https://www.suse.com/security/cve/CVE-2018-5188.html
   https://www.suse.com/security/cve/CVE-2018-6126.html
   https://bugzilla.suse.com/1092548
   https://bugzilla.suse.com/1096449
   https://bugzilla.suse.com/1098998