Bug 1789214 (CVE-2019-17026)

Summary: CVE-2019-17026 Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
Product: [Other] Security Response Reporter: Doran Moppert <dmoppert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: apmukher, chuckebbert.lk, cschalle, gecko-bugs-nobody, jhorak, lastmikoi+rh, mbliss, pasteur, psampaio, rgiles, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firefox 72.0.1, firefox 68.4.1, thunderbird 68.4.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-13 20:09:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1788028, 1788029, 1788030, 1788031, 1788032, 1788033, 1790248, 1790249, 1790250, 1790251, 1790252, 1790253    
Bug Blocks: 1787590    

Description Doran Moppert 2020-01-09 04:44:38 UTC 
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/#CVE-2019-17026
Comment 1 Doran Moppert 2020-01-09 04:44:40 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Qihoo 360 ATA
Comment 2 Huzaifa S. Sidhpurwala 2020-01-09 07:05:22 UTC 
*** Bug 1788980 has been marked as a duplicate of this bug. ***
Comment 3 errata-xmlrpc 2020-01-13 14:19:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0086 https://access.redhat.com/errata/RHSA-2020:0086
Comment 4 errata-xmlrpc 2020-01-13 14:38:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0085 https://access.redhat.com/errata/RHSA-2020:0085
Comment 5 Product Security DevOps Team 2020-01-13 20:09:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17026
Comment 10 errata-xmlrpc 2020-01-14 18:39:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0111 https://access.redhat.com/errata/RHSA-2020:0111
Comment 11 errata-xmlrpc 2020-01-16 11:50:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0123 https://access.redhat.com/errata/RHSA-2020:0123
Comment 12 errata-xmlrpc 2020-01-16 11:57:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0120 https://access.redhat.com/errata/RHSA-2020:0120
Comment 13 errata-xmlrpc 2020-01-16 12:53:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0127 https://access.redhat.com/errata/RHSA-2020:0127
Comment 14 errata-xmlrpc 2020-01-30 09:02:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0292 https://access.redhat.com/errata/RHSA-2020:0292
Comment 15 errata-xmlrpc 2020-01-30 10:02:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0295 https://access.redhat.com/errata/RHSA-2020:0295