{"id":"MGASA-2020-0427","summary":"Updated firefox and nss packages fix security vulnerabilities","details":"When drawing a transparent image on top of an unknown cross-origin image, the\nSkia library drawImage function took a variable amount of time depending on\nthe content of the underlying image. This resulted in potential cross-origin\ninformation exposure of image content through timing side-channel attacks\n(CVE-2020-16012).\n\nA parsing and event loading mismatch in Firefox's SVG code could have allowed\nload events to fire, even after sanitization. An attacker already capable of\nexploiting an XSS vulnerability in privileged internal pages could have used\nthis attack to bypass our built-in sanitizer (CVE-2020-26951).\n\nIt was possible to cause the browser to enter fullscreen mode without\ndisplaying the security UI; thus making it possible to attempt a phishing\nattack or otherwise confuse the user (CVE-2020-26953).\n\nIn some cases, removing HTML elements during sanitization would keep existing\nSVG event handlers and therefore lead to XSS (CVE-2020-26956).\n\nFirefox did not block execution of scripts with incorrect MIME types when the\nresponse was intercepted and cached through a ServiceWorker. This could lead\nto a cross-site script inclusion vulnerability, or a Content Security Policy\nbypass (CVE-2020-26958).\n\nDuring browser shutdown, reference decrementing could have occured on a\npreviously freed object, resulting in a use-after-free in WebRequestService,\nmemory corruption, and a potentially exploitable crash (CVE-2020-26959).\n\nIf the Compact() method was called on an nsTArray, the array could have been\nreallocated without updating other pointers, leading to a potential\nuse-after-free and exploitable crash (CVE-2020-26960).\n\nWhen DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP\nranges from the responses as these do not make sense coming from a DoH\nresolver. However when an IPv4 address was mapped through IPv6, these\naddresses were erroneously let through, leading to a potential DNS Rebinding\nattack (CVE-2020-26961).\n\nSome websites have a feature \"Show Password\" where clicking a button will\nchange a password field into a textbook field, revealing the typed password.\nIf, when using a software keyboard that remembers user input, a user typed\ntheir password and used that feature, the type of the password field was\nchanged, resulting in a keyboard layout change and the possibility for the\nsoftware keyboard to remember the typed password (CVE-2020-26965).\n\nMozilla developers Steve Fink, Jason Kratzer, Randell Jesup, Christian Holler,\nand Byron Campen reported memory safety bugs present in Firefox ESR 78.4. Some\nof these bugs showed evidence of memory corruption and we presume that with\nenough effort some of these could have been exploited to run arbitrary code\n(CVE-2020-26968).\n","modified":"2026-02-04T04:26:39.538872Z","published":"2020-11-19T08:52:41Z","related":["CVE-2020-16012","CVE-2020-26951","CVE-2020-26953","CVE-2020-26956","CVE-2020-26958","CVE-2020-26959","CVE-2020-26960","CVE-2020-26961","CVE-2020-26965","CVE-2020-26968"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0427.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27617"},{"type":"REPORT","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.59_release_notes"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/"}],"affected":[{"package":{"name":"nss","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.59.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0427.json"}},{"package":{"name":"firefox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.5.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0427.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"78.5.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0427.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}