Arch Linux Security Advisory ASA-201603-4
=========================================
Severity: Critical
Date    : 2016-03-09
CVE-ID  : CVE-2016-1952 CVE-2016-1953 CVE-2016-1954 CVE-2016-1955
          CVE-2016-1956 CVE-2016-1957 CVE-2016-1958 CVE-2016-1959
          CVE-2016-1960 CVE-2016-1961 CVE-2016-1962 CVE-2016-1963
          CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1967
          CVE-2016-1968 CVE-2016-1970 CVE-2016-1971 CVE-2016-1972
          CVE-2016-1973 CVE-2016-1974 CVE-2016-1975 CVE-2016-1976
          CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792
          CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796
          CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800
          CVE-2016-2801 CVE-2016-2802
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package firefox before version 45.0-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution,
same-origin bypass, addressbar spoofing, information disclosure, denial
of service and privilege escalation.

Resolution
==========
Upgrade to 45.0-1.

# pacman -Syu "firefox>=45.0-1"

The problems have been fixed upstream in version 45.0.
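As an added example (not part of the advisory, and not pacman's own code), the following Python script decides whether an installed firefox package is still below the fixed version 45.0-1. It re-implements the vercmp(8) ordering (epoch:pkgver-pkgrel, digit runs numeric, letter runs lexical, a trailing alpha segment counting as a pre-release) so that it runs without pacman, omitting only vercmp's separator-length rule; the `pacman -Q` output it parses is constructed sample data.

```python
"""Check installed firefox against the fixed version from ASA-201603-4.

Added example: re-implements pacman's vercmp ordering (simplified) and
checks constructed `pacman -Q` output; not part of the advisory or pacman.
"""
import re

PACKAGE = "firefox"
FIXED_VERSION = "45.0-1"  # from the advisory: upgrade to 45.0-1

_TOKEN = re.compile(r"\d+|[A-Za-z]+")  # version segments; other chars separate


def _split_version(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = version.partition("-")
    return epoch, pkgver, pkgrel


def _cmp_segments(a, b):
    """vercmp-style comparison of pkgver/pkgrel strings: -1, 0 or 1.

    Digit runs compare numerically, letter runs lexically, and a numeric
    segment sorts after an alphabetic one.  When one string has segments
    left over, a leftover alpha segment marks a pre-release (45.0b9 < 45.0)
    while a leftover numeric segment marks a newer version (45.0.1 > 45.0).
    """
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    rest = (ta if a_longer else tb)[min(len(ta), len(tb))]
    if rest.isdigit():
        return 1 if a_longer else -1
    return -1 if a_longer else 1


def vercmp(a, b):
    """Compare two full pacman versions: epoch first, then pkgver, then pkgrel.
    As in pacman, pkgrel is ignored when either side lacks one."""
    ea, va, ra = _split_version(a)
    eb, vb, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_segments(va, vb)
    if c != 0 or not ra or not rb:
        return c
    return _cmp_segments(ra, rb)


def affected_from_pacman_q(output, package=PACKAGE, fixed=FIXED_VERSION):
    """Parse `pacman -Q` lines ('name version'); return the installed version
    if it is older than the fixed one, None if fixed or not installed."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == package:
            return parts[1] if vercmp(parts[1], fixed) < 0 else None
    return None


if __name__ == "__main__":
    # Constructed sample output; on a real host feed in `pacman -Q firefox`.
    sample = "firefox 44.0.2-1\nlinux 4.4.3-1\n"
    print(affected_from_pacman_q(sample))  # 44.0.2-1 is still affected
```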

Workaround
==========
None.

Description
===========
- CVE-2016-1952 CVE-2016-1953 (arbitrary code execution)

Mozilla developers fixed several memory safety bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

- CVE-2016-1954 (privilege escalation)

Security researcher Nicolas Golubovic reported that a malicious page can
overwrite files on the user's machine using Content Security Policy
(CSP) violation reports. The file contents are restricted to the JSON
format of the report. In many cases overwriting a local file may simply
be destructive, breaking the functionality of that file. The CSP error
reports can include HTML fragments which could be rendered by browsers.
If a user has disabled add-on signing and has installed an "unpacked"
add-on, a malicious page could overwrite one of the add-on resources.
Depending on how this resource is used, this could lead to privilege
escalation.

- CVE-2016-1955 (information disclosure)

Security researcher Muneaki Nishimura (nishimunea) of Recruit
Technologies Co.,Ltd. reported that Content Security Policy (CSP)
violation reports contained full path information for cross-origin
iframe navigations in violation of the CSP specification. This could
result in information disclosure.

- CVE-2016-1956 (denial of service)

Security researcher Ucha Gobejishvili reported a denial of service (DoS)
attack when doing certain WebGL operations in a canvas that require an
unusually large buffer to be allocated from video memory. This resulted
in memory resource exhaustion with some Intel video cards, requiring the
computer to be rebooted to return functionality. This was resolved by
putting in additional checks on the amount of memory to be allocated
during graphics processing.

- CVE-2016-1957 (resource consumption)

Security researchers Jose Martinez and Romina Santillan reported a
memory leak in the libstagefright library when array destruction occurs
during MPEG4 video file processing.

- CVE-2016-1958 (addressbar spoofing)

Security researcher Abdulrahman Alqabandi reported an issue where an
attacker can load an arbitrary web page but the addressbar's displayed
URL will be blank or filled with page defined content. This can be used
to obfuscate which page is currently loaded and allows for an attacker
to spoof an existing page without the malicious page's address being
displayed correctly.

- CVE-2016-1959 (denial of service)

Security researcher Looben Yang reported a mechanism where the Clients
API in Service Workers can be used to trigger an out-of-bounds read in
ServiceWorkerManager. This results in a potentially exploitable crash.

- CVE-2016-1960 (arbitrary code execution)

Security researcher ca0nguyen, working with HP's Zero Day Initiative,
reported a use-after-free issue in the HTML5 string parser when parsing
a particular set of table-related tags in a foreign fragment context
such as SVG. This results in a potentially exploitable crash.

- CVE-2016-1961 (arbitrary code execution)

Security researcher lokihardt, working with HP's Zero Day Initiative,
reported a use-after-free issue in the SetBody function of HTMLDocument.
This results in a potentially exploitable crash.

- CVE-2016-1962 (arbitrary code execution)

Security researcher Dominique Hazaël-Massieux reported a use-after-free
issue when using multiple WebRTC data channel connections. This causes a
potentially exploitable crash when a data channel connection is freed
from within a call through it.

- CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 CVE-2016-2793
  CVE-2016-2794 CVE-2016-2795 CVE-2016-2796 CVE-2016-2797 CVE-2016-2798
  CVE-2016-2799 CVE-2016-2800 CVE-2016-2801 CVE-2016-2802
  (buffer overflow)

Security researcher Holger Fuhrmannek and Mozilla security engineer
Tyson Smith reported a number of security vulnerabilities in the
Graphite 2 library affecting version 1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to induce stack
corruption with a malicious graphite font. This leads to a potentially
exploitable crash when the font is loaded.
Tyson Smith used the Address Sanitizer tool in concert with a custom
software fuzzer to find a series of uninitialized memory, out-of-bounds
read, and out-of-bounds write errors when working with fuzzed graphite
fonts.

- CVE-2016-1963 (denial of service)

Security researcher Oriol reported memory corruption when local files
are modified (by either the user or another program) at the same time
as they are being read using the FileReader API. This flaw requires that
input be taken from a local file in order to be triggered and cannot be
triggered by web content. This results in a potentially exploitable
crash when triggered.

- CVE-2016-1964 (arbitrary code execution)

Security researcher Nicolas Grégoire used the Address Sanitizer to find
a use-after-free during XML transformation operations. This results in a
potentially exploitable crash triggerable by web content.

- CVE-2016-1965 (addressbar spoofing)

Security researcher Tsubasa Iinuma reported a mechanism where the
displayed addressbar can be spoofed to users. This issue involves using
history navigation in concert with the Location protocol property. After
navigating from a malicious page to another, if the user navigates back
to the initial page, the displayed URL will not reflect the reloaded
page. This could be used to trick users into potentially treating the
page as a different and trusted site.

- CVE-2016-1966 (remote code execution)

The Communications Electronics Security Group (UK) of the GCHQ reported
a dangling pointer dereference within the Netscape Plugin Application
Programming Interface (NPAPI) that could lead to the NPAPI subsystem
crashing. This issue requires a maliciously crafted NPAPI plugin in
concert with scripted web content, resulting in a potentially
exploitable crash when triggered.

- CVE-2016-1967 (same-origin policy bypass)

Security researcher Jordi Chancel discovered a variant of Mozilla
Foundation Security Advisory 2015-136 which was fixed in Firefox 43. In
the original bug, it was possible to read cross-origin URLs following a
redirect if performance.getEntries() was used along with an iframe to
host a page. Navigating back in history through script, content was
pulled from the browser cache for the redirected location instead of
going to the original location. In the newly reported variant issue, it
was found that if a browser session was restored, history navigation
would still allow for the same attack as content was restored from the
browser cache. This is a same-origin policy violation and could allow
for data theft.

- CVE-2016-1968 (remote code execution)

Security researcher Luke Li reported a pointer underflow bug in the
Brotli library's decompression that leads to a buffer overflow. This
results in a potentially exploitable crash when triggered.

- CVE-2016-1970 CVE-2016-1971 CVE-2016-1972 CVE-2016-1975 CVE-2016-1976
  (denial of service)

Security researcher Ronald Crane reported five "moderate" rated
vulnerabilities affecting released code that were found through code
inspection. These included the following issues in WebRTC: an integer
underflow, a missing status check, a race condition, and the use of
deleted pointers to create a new object. A race condition in LibVPX was
also identified. These do not all have clear mechanisms to be exploited
through web content but are vulnerable if a mechanism can be found to
trigger them.

- CVE-2016-1973 (use-after-free)

Security researcher Ronald Crane reported a race condition in
GetStaticInstance in WebRTC which results in a use-after-free. This
could result in a potentially exploitable crash. This issue was found
through code inspection and does not have a clear mechanism to be
exploited through web content but is vulnerable if a mechanism can be
found to trigger it.

- CVE-2016-1974 (denial of service)

Security researcher Ronald Crane reported an out-of-bounds read
following a failed allocation in the HTML parser while working with
Unicode strings. This can also affect the parsing of XML and SVG format
data. This leads to a potentially exploitable crash.

Impact
======
A remote attacker is able to execute arbitrary code, bypass the
same-origin policy, spoof the addressbar, disclose sensitive
information, perform a denial of service attack and escalate privileges
via various vulnerabilities.

References
==========
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45
https://access.redhat.com/security/cve/CVE-2016-1952
https://access.redhat.com/security/cve/CVE-2016-1953
https://access.redhat.com/security/cve/CVE-2016-1954
https://access.redhat.com/security/cve/CVE-2016-1955
https://access.redhat.com/security/cve/CVE-2016-1956
https://access.redhat.com/security/cve/CVE-2016-1957
https://access.redhat.com/security/cve/CVE-2016-1958
https://access.redhat.com/security/cve/CVE-2016-1959
https://access.redhat.com/security/cve/CVE-2016-1960
https://access.redhat.com/security/cve/CVE-2016-1961
https://access.redhat.com/security/cve/CVE-2016-1962
https://access.redhat.com/security/cve/CVE-2016-1963
https://access.redhat.com/security/cve/CVE-2016-1964
https://access.redhat.com/security/cve/CVE-2016-1965
https://access.redhat.com/security/cve/CVE-2016-1966
https://access.redhat.com/security/cve/CVE-2016-1967
https://access.redhat.com/security/cve/CVE-2016-1968
https://access.redhat.com/security/cve/CVE-2016-1970
https://access.redhat.com/security/cve/CVE-2016-1971
https://access.redhat.com/security/cve/CVE-2016-1972
https://access.redhat.com/security/cve/CVE-2016-1973
https://access.redhat.com/security/cve/CVE-2016-1974
https://access.redhat.com/security/cve/CVE-2016-1975
https://access.redhat.com/security/cve/CVE-2016-1976
https://access.redhat.com/security/cve/CVE-2016-1977
https://access.redhat.com/security/cve/CVE-2016-2790
https://access.redhat.com/security/cve/CVE-2016-2791
https://access.redhat.com/security/cve/CVE-2016-2792
https://access.redhat.com/security/cve/CVE-2016-2793
https://access.redhat.com/security/cve/CVE-2016-2794
https://access.redhat.com/security/cve/CVE-2016-2795
https://access.redhat.com/security/cve/CVE-2016-2796
https://access.redhat.com/security/cve/CVE-2016-2797
https://access.redhat.com/security/cve/CVE-2016-2798
https://access.redhat.com/security/cve/CVE-2016-2799
https://access.redhat.com/security/cve/CVE-2016-2800
https://access.redhat.com/security/cve/CVE-2016-2801
https://access.redhat.com/security/cve/CVE-2016-2802
