Mozilla Foundation Security Advisory 2019-05

Security vulnerabilities fixed in Firefox ESR 60.5.1

Announced
February 12, 2019
Impact
high
Products
Firefox ESR
Fixed in
  • Firefox ESR 60.5.1

#CVE-2018-18356: Use-after-free in Skia

Reporter
Tran Tien Hung of Viettel Cyber Security
Impact
high
Description

A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash.

References

#CVE-2019-5785: Integer overflow in Skia

Reporter
Ivan Fratric of Google Project Zero
Impact
high
Description

An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash.

References

#CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D

Reporter
Anonymous
Impact
high
Description

A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR.
Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.

References