Bug 1138872 - (CVE-2019-11708) EMU: VUL-0: CVE-2019-11708: MozillaFirefox,MozillaThunderbird: sandbox escape using Prompt:Open fixed in 67.0.4, 60.7.2 ESR (MFSA 2019-19 and MFSA 2019-20)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Charles Robertson
QA Contact: Security Team bot
Whiteboard: CVSSv2:NVD:CVE-2019-11708:10.0:(AV:N/...
Reported: 2019-06-20 18:12 UTC by Andreas Stieger
Modified: 2022-09-06 16:41 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2019-06-20 18:12:16 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

CVE-2019-11708: sandbox escape using Prompt:Open

Reporter: Coinbase Security
Impact: high

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

Fixed in Firefox 67.0.4, Firefox ESR 60.7.2

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
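Given the fixed versions stated above, an inventory check added here (not code from Mozilla, SUSE or this bug) that parses a bare Firefox version or a SUSE RPM package name and flags builds that still lack the fix; the inventory list is constructed, with two package names taken from the SUSE updates in this bug and the other three hypothetical:

```python
import re

# Fix thresholds from the advisory: mainline 67.0.4, ESR 60.7.2.
# Mainline 61.x through 67.0.3 never received a fix and are treated as
# affected; anything below 60.7.2 is affected on either branch.
FIXED_RELEASE = (67, 0, 4)
FIXED_ESR60 = (60, 7, 2)

# Matches a bare version ("67.0.4") or the version inside an RPM name such
# as "MozillaFirefox-60.8.0esr-78.43.2". The "esr" tag does not change the
# decision: any 60.x build is measured against the ESR 60 threshold.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) from a version string or RPM name."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version found in %r" % (text,))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(text):
    """True if the Firefox build carries the CVE-2019-11708 fix."""
    version = parse_version(text)
    if version[0] == 60:  # ESR 60 branch
        return version >= FIXED_ESR60
    return version >= FIXED_RELEASE


def vulnerable_packages(package_names):
    """Return the inventory entries that still lack the fix."""
    return [name for name in package_names if not is_fixed(name)]


# Constructed inventory, e.g. collected with `rpm -q MozillaFirefox` on
# several hosts. The 60.7.2 and 60.8.0esr names are from the SUSE updates
# in this bug; the other three are hypothetical.
SAMPLE_INVENTORY = [
    "MozillaFirefox-60.7.0-3.45.1",
    "MozillaFirefox-60.7.2-3.48.1",
    "MozillaFirefox-60.8.0esr-78.43.2",
    "MozillaFirefox-67.0.3-1.1",
    "MozillaFirefox-67.0.4-1.1",
]

if __name__ == "__main__":
    for name in SAMPLE_INVENTORY:
        print(name, "fixed" if is_fixed(name) else "STILL AFFECTED")
```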
Comment 1 Swamp Workflow Management 2019-06-20 19:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1138872) was mentioned in
https://build.opensuse.org/request/show/711213 42.3 / MozillaFirefox
https://build.opensuse.org/request/show/711214 15.0 / MozillaFirefox
https://build.opensuse.org/request/show/711215 Factory / MozillaFirefox
Comment 2 Swamp Workflow Management 2019-06-22 16:11:34 UTC
SUSE-SU-2019:1682-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1138872
CVE References: CVE-2019-11708
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    MozillaFirefox-60.7.2-3.48.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    MozillaFirefox-60.7.2-3.48.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    MozillaFirefox-60.7.2-3.48.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    MozillaFirefox-60.7.2-3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Swamp Workflow Management 2019-06-22 19:11:08 UTC
SUSE-SU-2019:1683-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1137595,1138872
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706,CVE-2019-11707,CVE-2019-11708
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-60.7.2-3.43.1
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-60.7.2-3.43.1

Comment 4 Swamp Workflow Management 2019-06-22 19:12:04 UTC
SUSE-SU-2019:1684-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1138872
CVE References: CVE-2019-11708
Sources used:
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP4 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP3 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Server 12-LTSS (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Enterprise Storage 5 (src):    MozillaFirefox-60.7.2-109.80.1
SUSE Enterprise Storage 4 (src):    MozillaFirefox-60.7.2-109.80.1

Comment 5 Swamp Workflow Management 2019-06-23 16:11:38 UTC
openSUSE-SU-2019:1594-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1138614,1138872
CVE References: CVE-2019-11707,CVE-2019-11708
Sources used:
openSUSE Leap 42.3 (src):    MozillaThunderbird-60.7.2-98.1
Comment 6 Swamp Workflow Management 2019-06-24 10:10:39 UTC
This is an autogenerated message for OBS integration:
This bug (1138872) was mentioned in
https://build.opensuse.org/request/show/711281 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/711282 42.3 / MozillaThunderbird
Comment 7 Swamp Workflow Management 2019-06-24 10:11:08 UTC
openSUSE-SU-2019:1595-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1138872
CVE References: CVE-2019-11708
Sources used:
openSUSE Leap 15.1 (src):    MozillaFirefox-60.7.2-lp151.2.7.1
Comment 9 Swamp Workflow Management 2019-06-24 13:38:44 UTC
openSUSE-SU-2019:1606-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1137595,1138872
CVE References: CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706,CVE-2019-11707,CVE-2019-11708
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-60.7.2-lp151.2.7.1
openSUSE Leap 15.0 (src):    MozillaThunderbird-60.7.2-lp150.3.45.1
Comment 10 Swamp Workflow Management 2019-06-24 18:10:25 UTC
This is an autogenerated message for OBS integration:
This bug (1138872) was mentioned in
https://build.opensuse.org/request/show/711723 Backports:SLE-12 / MozillaThunderbird
Comment 11 Swamp Workflow Management 2019-06-28 13:12:17 UTC
openSUSE-SU-2019:1664-1: An update that fixes 22 vulnerabilities is now available.

Category: security (important)
Bug References: 1130694,1133267,1135824,1137595,1138872
CVE References: CVE-2018-18511,CVE-2019-11691,CVE-2019-11692,CVE-2019-11693,CVE-2019-11694,CVE-2019-11698,CVE-2019-11703,CVE-2019-11704,CVE-2019-11705,CVE-2019-11706,CVE-2019-11707,CVE-2019-11708,CVE-2019-5798,CVE-2019-7317,CVE-2019-9797,CVE-2019-9800,CVE-2019-9815,CVE-2019-9816,CVE-2019-9817,CVE-2019-9818,CVE-2019-9819,CVE-2019-9820
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-60.7.2-85.1
Comment 12 Marcus Meissner 2019-07-04 15:23:39 UTC
As we have now re-established Firefox ESR60 on SLE11, can you also submit for

SUSE:SLE-11-SP1:Update MozillaFirefox
Comment 13 Charles Robertson 2019-07-09 16:05:43 UTC
(In reply to Marcus Meissner from comment #12)
> As we have now re-established Firefox ESR60 on SLE11, can you also submit for
> 
> SUSE:SLE-11-SP1:Update MozillaFirefox

Yes. FF 60.8 esr was just released and I shall get this updated today.
Comment 15 Swamp Workflow Management 2019-07-17 16:17:18 UTC
SUSE-SU-2019:14124-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1137792,1138614,1138872,1140868
CVE References: CVE-2019-11707,CVE-2019-11708,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-60.8.0esr-78.43.2

Comment 16 Marcus Meissner 2019-07-18 08:40:29 UTC
Released.