CVE-2020-15678
Published: 2020-10-01
Priority: P345 high | 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.88% (76.9th percentile)
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 81.0-1 (sid) | firefox 81.0-1 (sid) |
| debian | firefox-esr | < firefox 81.0-1 (sid) | firefox 81.0-1 (sid) |
| debian | thunderbird | < firefox 81.0-1 (sid) | firefox 81.0-1 (sid) |
| mozilla | firefox | < 81.0 | 81.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= unspecified < 81 | 81 |
| mozilla | firefox_esr | < 78.3 | 78.3 |
| mozilla | firefox_esr | >= unspecified < 78.3 | 78.3 |
| mozilla | thunderbird | < 78.3 | 78.3 |
| mozilla | thunderbird | >= 0 < 1:78.3.1-1 | 1:78.3.1-1 |
| mozilla | thunderbird | >= 0 < 1:78.3.1-1 | 1:78.3.1-1 |
| mozilla | thunderbird | >= 0 < 1:78.3.1-1 | 1:78.3.1-1 |
| mozilla | thunderbird | >= 0 < 1:78.3.1-1 | 1:78.3.1-1 |
| mozilla | thunderbird | >= unspecified < 78.3 | 78.3 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance
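| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |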
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-09-28
CVE-2020-15673 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, conduct cross-site
scripting (XSS) attacks, spoof the site displayed in the download dialog,
or execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Red Hat
Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
vendor_redhat·2020-09-22·CVSS 8.8
CVE-2020-15678 [HIGH] CWE-416 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
The Mozilla Foundation Security Advisory describes this flaw as:
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function `APZCTreeManager::ComputeClippedCompositionBounds` did not follow iterator in
Debian
CVE-2020-15678: firefox - When recursing through graphical layers while scrolling, an iterator may have be...
vendor_debian·2020·CVSS 8.8
CVE-2020-15678 [HIGH] CVE-2020-15678: firefox - When recursing through graphical layers while scrolling, an iterator may have be...
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
Scope: local
sid: resolved (fixed in 81.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-44: CVE-2020-15678
vendor_mozilla·CVSS 8.8
CVE-2020-15678 [HIGH] Mozilla Foundation Security Advisory 2020-44: CVE-2020-15678
Mozilla Foundation Security Advisory 2020-44
CVE: CVE-2020-15678
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 78.3
Mozilla
Mozilla Foundation Security Advisory 2020-43: CVE-2020-15678
vendor_mozilla·CVSS 8.8
CVE-2020-15678 [HIGH] Mozilla Foundation Security Advisory 2020-43: CVE-2020-15678
Mozilla Foundation Security Advisory 2020-43
CVE: CVE-2020-15678
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 78.3
Mozilla
Mozilla Foundation Security Advisory 2020-42: CVE-2020-15678
vendor_mozilla·CVSS 8.8
CVE-2020-15678 [HIGH] Mozilla Foundation Security Advisory 2020-42: CVE-2020-15678
Mozilla Foundation Security Advisory 2020-42
CVE: CVE-2020-15678
Product: Firefox
Impact: high
Fixed in: Firefox 81
GHSA
GHSA-4rfx-gjvx-jp3h: When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free
ghsa_unreviewed·2022-05-24
CVE-2020-15678 [HIGH] CWE-416 GHSA-4rfx-gjvx-jp3h: When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
OSV
CVE-2020-15678: When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free
osv·2020-10-01·CVSS 8.8
CVE-2020-15678 [HIGH] CVE-2020-15678: When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
bugzilla·2020-09-22·CVSS 8.8
CVE-2020-15678 [HIGH] CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function `APZCTreeManager::ComputeClippedCompositionBounds` did not follow iterator invalidation rules.
External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/#CVE-2020-15678
Discussion:
Acknowledgments:
Name: the Mozilla project
Upstream: Lukas Bernhard
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:3834 https://access.redhat.com/errata/RHSA-2020:3834
Bugzilla
AddressSanitizer: heap-use-after-free [@ ~BorrowedSourceSurface] with READ of size 8
bugzilla·2020-07-21
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 80.0a1-20200719090414-https://hg.mozilla.org/mozilla-central/rev/e785ebabf7e142898e31a6c81a4d43d44eff39e3.
For detailed crash information, see attachment.
Discussion:
Created attachment 9164969
Detailed Crash Information
---
This was discovered on Fedora 31, this box has an Nvidia RTX 2070 with the official 440.100 drivers. Window manager is xfce4. The following extra configuration options are set if it makes a difference:
```
gfx.webrender.all = true
fission.autostart = true
image.avif.enabled = true
```
No other information to share as this seems to have been found while randomly brow
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1660211
https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html
https://security.gentoo.org/glsa/202010-02
https://www.debian.org/security/2020/dsa-4770
https://www.mozilla.org/security/advisories/mfsa2020-42/
https://www.mozilla.org/security/advisories/mfsa2020-43/
https://www.mozilla.org/security/advisories/mfsa2020-44/