===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6479
     MFSA 2022-52 Security Vulnerabilities fixed in Firefox ESR 102.6
                             14 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox ESR
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-46882 CVE-2022-46881 CVE-2022-46880
                   CVE-2022-46878 CVE-2022-46875 CVE-2022-46874
                   CVE-2022-46872

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/

Comment: CVSS (Max):  None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-52

Security Vulnerabilities fixed in Firefox ESR 102.6

Announced: December 13, 2022
Impact:    high
Products:  Firefox ESR
Fixed in:  Firefox ESR 102.6

# CVE-2022-46880: Use-after-free in WebGL

Reporter: Atte Kettunen
Impact:   high

Description

A missing check related to tex units could have led to a use-after-free and
potentially exploitable crash.

References

  o Bug 1749292

# CVE-2022-46872: Arbitrary file read from a compromised content process

Reporter: Nika Layzell
Impact:   high

Description

An attacker who compromised a content process could have partially escaped the
sandbox to read arbitrary files via clipboard-related IPC messages.
This bug only affects Firefox for Linux. Other operating systems are
unaffected.

References

  o Bug 1799156

# CVE-2022-46881: Memory corruption in WebGL

Reporter: Karl and an Anonymous ASAN Nightly User
Impact:   high

Description

An optimization in WebGL was incorrect in some cases, and could have led to
memory corruption and a potentially exploitable crash.

References

  o Bug 1770930

# CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions

Reporter: Matthias Zoellner
Impact:   moderate

Description

A file with a long filename could have had its filename truncated to remove the
valid extension, leaving a malicious extension in its place. This could
potentially have led to user confusion and the execution of malicious code.

References

  o Bug 1746139

# CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS

Reporter: Dohyun Lee
Impact:   moderate

Description

The executable file warning was not presented when downloading .atloc and
.ftploc files, which can run commands on a user's computer.
Note: This issue only affected Mac OS operating systems. Other operating
systems are unaffected.

References

  o Bug 1786188

# CVE-2022-46882: Use-after-free in WebGL

Reporter: Irvan Kurniawan
Impact:   moderate

Description

A use-after-free in WebGL extensions could have led to a potentially
exploitable crash.

References

  o Bug 1789371

# CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla
Fuzzing Team reported memory safety bugs present in Firefox 107 and Firefox ESR
102.5. Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================