===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0063
                       Use-after-free in compositor
                               27 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5148  
Member content until: Thursday, April 26 2018

OVERVIEW

        A critical vulnerability has been identified in the compositor of:
         o Mozilla Firefox prior to version 59.0.2, and
         o Mozilla Firefox ESR prior to version 52.7.3 [1]


IMPACT

        Mozilla have provided the following details regarding the 
        vulnerability:
        
        "Use-after-free in compositor
        
        Announced March 26, 2018
        Fixed in        Firefox 59.0.2, Firefox ESR 52.7.3
        CVE-2018-5148: Use-after-free in compositor
        Reporter        Jesse Schwartzentruber
        Impact          high
        
        Description
        A use-after-free vulnerability can occur in the compositor during 
        certain graphics operations when a raw pointer is used instead of 
        a reference counted one. This results in a potentially exploitable 
        crash." [1]


MITIGATION

        Users are advised to update to the latest versions to address this
        issue. [1]
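
        A version check for the affected ranges listed in this bulletin,
        as an added example that is not part of the AusCERT or Mozilla text.
        The version-string format (an "esr" suffix or the word "ESR" marking
        ESR builds) and the host names are assumptions; the inventory is
        constructed sample data.

```python
import re

# Fixed versions as stated in the bulletin.
FIXED_RELEASE = (59, 0, 2)   # Firefox
FIXED_ESR = (52, 7, 3)       # Firefox ESR

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))          # "58.0" -> (58, 0, 0)
    # Assumption: ESR builds carry an "esr" suffix or the word "ESR".
    is_esr = m.group(2) is not None or re.search(r"\besr\b", text, re.I) is not None
    return tuple(parts), is_esr


def is_affected(version_string):
    """True if older than the fixed version for its channel, None if unparseable.

    A 52.x string without an ESR marker is compared against 59.0.2 and so is
    reported as affected; that errs on the side of a false positive.
    """
    parsed = parse_version(version_string)
    if parsed is None:
        return None
    version, is_esr = parsed
    return version < (FIXED_ESR if is_esr else FIXED_RELEASE)


def audit(inventory):
    """Map each host to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(v)] for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and collected strings).
    sample = {
        "ws-01": "Mozilla Firefox 59.0.1",
        "ws-02": "Mozilla Firefox 59.0.2",
        "ws-03": "Mozilla Firefox 52.7.2esr",
        "ws-04": "Mozilla Firefox ESR 52.7.3",
        "ws-05": "firefox: command not found",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```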


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-10
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================