Arch Linux Security Advisory ASA-201604-15
=========================================
Severity: Critical
Date    : 2016-04-30
CVE-ID  : CVE-2016-2804 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807
CVE-2016-2808 CVE-2016-2811 CVE-2016-2812 CVE-2016-2814 CVE-2016-2816
CVE-2016-2817 CVE-2016-2820
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package firefox before version 46.0-2 is vulnerable to multiple
issues, up to arbitrary code execution.

Resolution
=========
Upgrade to 46.0-2.

# pacman -Syu "firefox>=46.0-2"

The problem has been fixed upstream in version 46.0.

Workaround
=========
None.

Description
==========
- CVE-2016-2804:

Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve
Fink reported memory safety problems and crashes that are fixed in
Firefox 46.

- CVE-2016-2805:

Christian Holler reported a memory safety problem that is fixed in
Firefox ESR 38.8.

- CVE-2016-2806:

Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten
Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory
safety problems and crashes that are fixed in Firefox ESR 45.1 and
Firefox 46.

- CVE-2016-2807:

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety
problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR
38.8 and Firefox 46.

- CVE-2016-2808:

The CESG, the Information Security Arm of GCHQ, reported that the
JavaScript .watch() method could be used to overflow the 32-bit
generation count of the underlying HashMap, resulting in a write to an
invalid entry. Under the right conditions this write could lead to
arbitrary code execution. The overflow takes considerable time and a
malicious page would require a user to keep it open for the duration of
the attack.

- CVE-2016-2811, CVE-2016-2812:

Security researcher Looben Yang reported two issues discovered in
Service Workers using Address Sanitizer.

The first of these is a use-after-free vulnerability caused by a
ServiceWorkerInfo object being kept active beyond the life of its owning
registration. When it is later called through this registration, a
use-after-free results.

In the second issue, a race condition leading to a buffer overflow was
found in the ServiceWorkerManager. This leads to a potentially
exploitable crash when triggered.

- CVE-2016-2814:

Using Address Sanitizer, security researcher Sascha Just reported a
buffer overflow in the libstagefright library due to issues with the
handling of CENC offsets and the sizes table. This results in a
potentially exploitable crash triggerable through web content.

- CVE-2016-2816:

Security researcher Muneaki Nishimura (nishimunea) of Recruit
Technologies Co., Ltd. reported that Content Security Policy (CSP) is
not applied correctly to web content sent with the
multipart/x-mixed-replace MIME type. This allows for script to run in
instances where CSP should block it, leading to a failure to prevent
potential cross-site scripting (XSS) and other attacks against the web page.

- CVE-2016-2817:

Security researcher Muneaki Nishimura (nishimunea) of Recruit
Technologies Co., Ltd. reported that the chrome.tabs.update API for web
extensions allows for navigation to javascript: URLs without additional
permissions. This can be used to elevate privilege for a universal
cross-site scripting (XSS) attack by a malicious web extension. It can
also be used to inject content into other extensions if they load
content within browser tabs.
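
A defensive guard for the tabs.update call path, added here as an example and not Mozilla's or any extension's code: it allow-lists http and https before a URL is handed to the tabs API, so javascript: (and data:) targets are refused on the caller's side regardless of what the browser permits. The tabs API object is passed in as a parameter (assumed shape: update(tabId, { url }) returning a promise) so the helper runs outside a browser against a constructed fake.

```javascript
// Added example (not Firefox or Mozilla code): a guard an extension author can
// put in front of tabs.update() so that only http(s) URLs reach the browser.
// The WebExtension tabs API is taken as a parameter (assumed shape:
// { update(tabId, { url }) -> Promise }) so the helper runs and is testable
// outside a browser with a fake object.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse and normalise a candidate navigation target. Returns the canonical URL
// string, or null if it is relative, unparsable, or uses a scheme outside the
// allow-list. The list is positive (what is permitted) rather than a deny-list
// of known-bad schemes, so javascript:, data:, blob: etc. are all rejected.
function safeNavigationUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw); // throws on relative or malformed input
  } catch (_) {
    return null;
  }
  // URL lowercases the scheme and strips surrounding whitespace, so
  // " JavaScript:" and "javascript:" compare equal here.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Wrapper for tabs.update(): refuses to forward anything safeNavigationUrl()
// rejects instead of letting the browser decide what the scheme means.
async function updateTabSafely(tabsApi, tabId, raw) {
  const url = safeNavigationUrl(raw);
  if (url === null) {
    return { ok: false, reason: `refused navigation to ${JSON.stringify(raw)}` };
  }
  await tabsApi.update(tabId, { url });
  return { ok: true, url };
}

// Constructed stand-in for browser.tabs so the example runs under Node.
function makeFakeTabsApi() {
  const calls = [];
  return {
    calls,
    async update(tabId, props) {
      calls.push({ tabId, ...props });
    },
  };
}

// Demo: only the https navigation reaches the (fake) tabs API.
(async () => {
  const tabs = makeFakeTabsApi();
  console.log(await updateTabSafely(tabs, 7, "https://example.com/report"));
  console.log(await updateTabSafely(tabs, 7, "javascript:void(0)"));
  console.log(tabs.calls);
})();
```

In a real extension the wrapper is called with browser.tabs (or chrome.tabs) in place of the fake, and every tab navigation the extension performs goes through it rather than through tabs.update directly.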

- CVE-2016-2820:

Mozilla engineer Mark Goodwin discovered that the Firefox Health Report
(about:healthreport) accepts certain events from any content document
present in the remote-report iframe. If there were another vulnerability
that allowed the injection of web content into the Firefox Health Report
iframe, this content could change the sharing preferences of a user by
firing the appropriate events at its containing page.

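The gating a parent page should apply before acting on messages from an embedded report frame, written here as an added example rather than the about:healthreport code itself. The event shape follows the DOM MessageEvent (origin, source, data); the command name set-sharing-preference, the origin https://reports.example and the window objects are constructed for the demo.

```javascript
// Added example (not Firefox code): a parent page only applies a
// preference-changing message when the message passes three independent
// checks. Command names, the expected origin and the window objects are
// constructed stand-ins for this demo.

const ALLOWED_COMMANDS = new Set(["set-sharing-preference"]);

// Decide whether a message may change user preferences. All three must hold:
//   1. origin: the message comes from the origin we deliberately embedded;
//   2. source: it was posted by the frame we created (iframe.contentWindow),
//      not by some other document that ended up inside or beside it;
//   3. shape: the payload is a command we expect, carrying a boolean value.
function shouldAcceptReportEvent(event, expected) {
  if (!event || typeof event !== "object") return false;
  if (event.origin !== expected.origin) return false;
  if (event.source !== expected.source) return false;
  const data = event.data;
  if (!data || typeof data !== "object") return false;
  if (!ALLOWED_COMMANDS.has(data.type)) return false;
  if (typeof data.enabled !== "boolean") return false;
  return true;
}

// Minimal preference store standing in for the real settings backend.
function makePreferenceStore(initial = { sharing: false }) {
  const prefs = { ...initial };
  return {
    get: () => ({ ...prefs }),
    apply(data) {
      if (data.type === "set-sharing-preference") prefs.sharing = data.enabled;
    },
  };
}

// The "message" listener: returns true when the event was applied, false
// when it was dropped, so callers (and tests) can observe the decision.
function makeMessageHandler(expected, store) {
  return function onMessage(event) {
    if (!shouldAcceptReportEvent(event, expected)) return false;
    store.apply(event.data);
    return true;
  };
}

// Constructed usage: the frame we embedded versus an unrelated window.
const reportFrame = { name: "report-frame" }; // stands in for iframe.contentWindow
const strangerWindow = { name: "somewhere-else" };
const expected = { origin: "https://reports.example", source: reportFrame };
const store = makePreferenceStore();
const onMessage = makeMessageHandler(expected, store);

onMessage({
  origin: "https://reports.example",
  source: reportFrame,
  data: { type: "set-sharing-preference", enabled: true },
});
onMessage({
  origin: "https://evil.example",
  source: strangerWindow,
  data: { type: "set-sharing-preference", enabled: false },
});
console.log(store.get()); // { sharing: true }: the second message was dropped
```

In a browser the handler is registered with window.addEventListener("message", onMessage) and expected.source is the iframe element's contentWindow; the point is that neither check alone is enough, since a document injected into the frame shares its source and a page on the right origin opened elsewhere shares its origin.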

Impact
=====
A remote attacker can bypass security policies, cause a denial of
service or execute arbitrary code on the affected host.

References
=========
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46
https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-42/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-48/
https://access.redhat.com/security/cve/CVE-2016-2804
https://access.redhat.com/security/cve/CVE-2016-2805
https://access.redhat.com/security/cve/CVE-2016-2806
https://access.redhat.com/security/cve/CVE-2016-2807
https://access.redhat.com/security/cve/CVE-2016-2808
https://access.redhat.com/security/cve/CVE-2016-2811
https://access.redhat.com/security/cve/CVE-2016-2812
https://access.redhat.com/security/cve/CVE-2016-2814
https://access.redhat.com/security/cve/CVE-2016-2816
https://access.redhat.com/security/cve/CVE-2016-2817
https://access.redhat.com/security/cve/CVE-2016-2820
