Advisories » MGASA-2022-0156

Updated firefox/nss/rootcerts packages fix security vulnerability

Publication date: 28 Apr 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-1097 , CVE-2022-1196 , CVE-2022-24713 , CVE-2022-28281 , CVE-2022-28282 , CVE-2022-28285 , CVE-2022-28286 , CVE-2022-28289 , CVE-2022-25235 , CVE-2022-25236 , CVE-2022-25315

Description

NSSToken objects were referenced via direct pointers, and could have been
accessed in an unsafe way on different threads, leading to a use-after-free
and potentially exploitable crash (CVE-2022-1097).

After a VR Process is destroyed, a reference to it may have been retained and
used, leading to a use-after-free and potentially exploitable crash
(CVE-2022-1196).

The rust regex crate did not properly prevent crafted regular expressions from
taking an arbitrary amount of time during parsing. If an attacker was able to
supply input to this crate, they could have caused a denial of service in the
browser (CVE-2022-24713).

If a compromised content process sent an unexpected number of WebAuthN
Extensions in a Register command to the parent process, an out of bounds write
would have occurred leading to memory corruption and a potentially exploitable
crash (CVE-2022-28281).

By using a link with rel="localization" a use-after-free in
DocumentL10n::TranslateDocument could have been triggered by destroying an
object during JavaScript execution and then referencing the object through a
freed pointer, leading to a potentially exploitable crash (CVE-2022-28282).

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect
AliasSet was used in JIT Codegen. In conjunction with another vulnerability
this could have been used for an out of bounds memory read (CVE-2022-28285).

Due to a layout change, iframe contents could have been rendered outside of
the iframe's border. This could have led to user confusion or spoofing attacks
(CVE-2022-28286).

Mozilla developers and community members Nika Layzell, the Mozilla Fuzzing
Team, Andrew McCreight and Gabriele Svelto reported memory safety bugs present
in Firefox ESR 91.7. Some of these bugs showed evidence of memory corruption,
and it is presumed that with enough effort some of these could have been
exploited to run arbitrary code (CVE-2022-28289).

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of
encoding, such as checks for whether a UTF-8 character is valid in a certain
context (CVE-2022-25235).

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert
namespace-separator characters into namespace URIs (CVE-2022-25236).

An integer overflow was found in expat. The issue occurs in storeRawNames()
by abusing the m_buffer expansion logic to allow allocations very close to
INT_MAX and out-of-bounds heap writes (CVE-2022-25315).
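The bug class behind CVE-2022-25315, as an added illustration that is not libexpat's code: a parser keeps raw names in a growable buffer whose size is tracked in an int, and the allocation size is the sum of the bytes already stored and the incoming name length. When that sum is computed without a bound check, a name length close to INT_MAX wraps the total and the buffer is allocated far smaller than the bytes later copied into it. The struct, function and field names below (raw_name_buf, checked_name_total, raw_name_append) are invented for the example; the guard mirrors the general rule (refuse when the addition would exceed INT_MAX) rather than the exact upstream patch.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer of raw names. The size is an int on purpose,
 * to mirror the INT_MAX bound named in the advisory; this is not expat's
 * m_buffer layout. */
struct raw_name_buf {
    char *data;   /* heap buffer holding the accumulated raw names */
    int   size;   /* bytes currently in use */
};

/* Guarded size computation. An unchecked "buf_size + name_len + 1" in int
 * arithmetic is undefined behaviour on overflow and in practice wraps to a
 * small or negative value, which is what lets the later memcpy run past the
 * heap allocation. Reject before computing instead: returns false on
 * negative input or when the total would exceed INT_MAX. */
bool checked_name_total(int buf_size, int name_len, int *total)
{
    if (buf_size < 0 || name_len < 0)
        return false;
    /* One extra byte is reserved for the terminating NUL. */
    if (name_len > INT_MAX - 1 - buf_size)
        return false;
    *total = buf_size + name_len + 1;
    return true;
}

/* Convenience wrapper: the computed total, or -1 when the guard rejects. */
int name_total_or_minus1(int buf_size, int name_len)
{
    int total;
    return checked_name_total(buf_size, name_len, &total) ? total : -1;
}

/* Append a raw name, growing the buffer as needed. Returns false and leaves
 * the buffer untouched when the size computation would overflow or when the
 * allocation fails; only then is it safe to copy name_len bytes. */
bool raw_name_append(struct raw_name_buf *b, const char *name, int name_len)
{
    int total;
    if (!checked_name_total(b->size, name_len, &total))
        return false;
    char *grown = realloc(b->data, (size_t)total);
    if (grown == NULL)
        return false;
    b->data = grown;
    memcpy(b->data + b->size, name, (size_t)name_len);
    b->size += name_len;
    b->data[b->size] = '\0';
    return true;
}

/* Demonstration on constructed input: two ordinary names are stored, then a
 * length near INT_MAX is rejected before any allocation or copy happens.
 * Returns 1 when the guard behaved as expected, 0 otherwise. */
int demo(void)
{
    struct raw_name_buf b = { NULL, 0 };
    int ok = raw_name_append(&b, "svg:rect", 8)
          && raw_name_append(&b, "xlink:href", 10);
    int rejected = !raw_name_append(&b, "x", INT_MAX - 5);
    int result = ok && rejected && b.size == 18
              && strcmp(b.data, "svg:rectxlink:href") == 0;
    free(b.data);
    return result;
}
```

The important property is ordering: the bound check runs on the operands before the addition is evaluated, so the overflowing expression is never formed. Checking the result of the addition afterwards does not work in C, because signed overflow is undefined and the compiler may drop such a check entirely.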

References

SRPMS

8/core