ArchLinux: 201611-16: firefox: multiple issues
Summary
- CVE-2016-5289 (arbitrary code execution)
Mozilla developers and community members Christian Holler, Andrew
McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey,
Jesse Ruderman, and Markus Stange reported memory safety bugs present
in Firefox 49. Some of these bugs showed evidence of memory corruption
and we presume that, with enough effort, some of these could be
exploited to run arbitrary code.
- CVE-2016-5290 (arbitrary code execution)
Mozilla developers and community members Olli Pettay, Christian Holler,
Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and
Randell Jesup reported memory safety bugs present in Firefox 49 and
Firefox ESR 45.4. Some of these bugs showed evidence of memory
corruption and we presume that, with enough effort, some of these
could be exploited to run arbitrary code.
- CVE-2016-5291 (same-origin policy bypass)
A same-origin policy bypass with local shortcut files to load arbitrary
local content from disk.
- CVE-2016-5292 (arbitrary code execution)
During URL parsing, a maliciously crafted URL can cause a potentially
exploitable crash.
- CVE-2016-5296 (arbitrary code execution)
A heap-buffer-overflow in Cairo when processing SVG content caused by
compiler optimization, resulting in a potentially exploitable crash.
- CVE-2016-5297 (arbitrary code execution)
An error in argument length checking in JavaScript, leading to
potential integer overflows or other bounds checking issues.
- CVE-2016-9063 (arbitrary code execution)
An integer overflow during the parsing of XML using the Expat library.
- CVE-2016-9064 (insufficient validation)
Add-on updates failed to verify that the add-on ID inside the signed
package matched the ID of the add-on being updated. An attacker who
could perform a man-in-the-middle attack on the user's connection to
the update server and defeat the certificate pinning protection could
provide a malicious signed add-on instead of a valid update.
- CVE-2016-9066 (arbitrary code execution)
A buffer overflow resulting in a potentially exploitable crash due to
memory allocation issues when handling large amounts of incoming data.
- CVE-2016-9067 (arbitrary code execution)
Two heap-use-after-free errors during DOM operations in
nsINode::ReplaceOrInsertBefore resulting in potentially exploitable
crashes.
- CVE-2016-9068 (arbitrary code execution)
A heap-use-after-free in nsRefreshDriver during web animations when
working with timelines resulting in a potentially exploitable crash.
- CVE-2016-9070 (same-origin policy bypass)
A maliciously crafted page loaded to the sidebar through a bookmark can
reference a privileged chrome window and engage in limited JavaScript
operations violating cross-origin protections.
- CVE-2016-9071 (information disclosure)
Content Security Policy combined with HTTP to HTTPS redirection can be
used by a malicious server to verify whether a known site is within a
user's browser history.
- CVE-2016-9073 (sandbox escape)
WebExtensions can bypass security checks to load privileged URLs and
potentially escape the WebExtension sandbox.
- CVE-2016-9075 (privilege escalation)
An issue where WebExtensions can use the mozAddonManager API to elevate
privilege due to privileged pages being allowed in the permissions
list. This allows a malicious extension to then install additional
extensions without explicit user permission.
- CVE-2016-9076 (content spoofing)
An issue where a select dropdown menu can be used to cover location
bar content, resulting in potential spoofing attacks. This attack
requires e10s to be enabled in order to function.
- CVE-2016-9077 (information disclosure)
Canvas allows the use of the feDisplacementMap filter on images loaded
cross-origin. The rendering by the filter is variable depending on the
input pixel, allowing for timing attacks when the images are loaded
from third party locations.
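The CVE-2016-9064 entry above describes a validation gap rather than a memory bug: the update path checked that the package was signed, but not that the identity inside the signed package was the identity of the add-on being updated. The following Python is an added illustration of that distinction, not code from the Arch advisory, from Firefox or from Mozilla's add-on infrastructure. It assumes a constructed HMAC key in place of the real signature scheme, constructed add-on identifiers, and a JSON manifest as the signed body; the flawed signature-only check is shown beside the hardened check that also binds the signed ID to the installed add-on.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the real add-on signing infrastructure
# (assumption: an HMAC stands in for the real signature scheme).
SIGNING_KEY = b"constructed-demo-signing-key"


def sign_package(manifest: dict) -> dict:
    """Produce a 'signed package': a canonical manifest body plus its signature."""
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def signature_valid(pkg: dict) -> bool:
    """Check that the package body carries a valid signature from the signing key."""
    expected = hmac.new(SIGNING_KEY, pkg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["sig"])


def accept_update_signature_only(installed_id: str, pkg: dict) -> bool:
    """The flawed logic: any validly signed package is accepted as an update,
    regardless of which add-on it actually is (the gap described for CVE-2016-9064)."""
    return signature_valid(pkg)


def accept_update_hardened(installed_id: str, pkg: dict) -> bool:
    """Hardened logic: the signature must verify AND the ID inside the signed
    manifest must match the add-on being updated, so a genuinely signed but
    different add-on cannot be substituted for the expected one."""
    if not signature_valid(pkg):
        return False
    manifest = json.loads(pkg["body"])
    return manifest.get("id") == installed_id


def tamper(pkg: dict, new_id: str) -> dict:
    """Rewrite the ID in the body without re-signing; verification must reject this."""
    manifest = json.loads(pkg["body"])
    manifest["id"] = new_id
    return {"body": json.dumps(manifest, sort_keys=True).encode(), "sig": pkg["sig"]}


INSTALLED_ID = "example-addon@example.org"  # constructed identifier
# Constructed packages: the genuine update, and a different, legitimately signed add-on.
GENUINE_UPDATE = sign_package({"id": INSTALLED_ID, "version": "1.1"})
OTHER_SIGNED_ADDON = sign_package({"id": "other-addon@example.org", "version": "9.9"})


if __name__ == "__main__":
    print("signature-only accepts substituted add-on:",
          accept_update_signature_only(INSTALLED_ID, OTHER_SIGNED_ADDON))  # True
    print("hardened accepts substituted add-on:",
          accept_update_hardened(INSTALLED_ID, OTHER_SIGNED_ADDON))  # False
    print("hardened accepts genuine update:",
          accept_update_hardened(INSTALLED_ID, GENUINE_UPDATE))  # True
    print("hardened accepts tampered package:",
          accept_update_hardened(INSTALLED_ID, tamper(OTHER_SIGNED_ADDON, INSTALLED_ID)))  # False
```

The design point is that a signature proves origin, not intent: a package signed by the legitimate authority is still the wrong package if it is for a different add-on, so the identity check has to be made on the data covered by the signature, after the signature has been verified.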
Resolution
Upgrade to 50.0-1.
# pacman -Syu "firefox>=50.0-1"
The problems have been fixed upstream in version 50.0.
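To check whether an installed firefox package already meets the fixed version given above, the natural tools on an Arch system are `pacman -Q firefox` and `vercmp`. The Python below is an added example, not Arch's or pacman's code: it reimplements, in simplified form, the ordering pacman applies to `epoch:pkgver-pkgrel` strings (epoch first, then version segments, then pkgrel; a trailing numeric segment counts as newer and a trailing alphabetic one such as `rc1` as older), and runs it over constructed `pacman -Q` output lines. It is a readable stand-in for `vercmp`, not a replacement for it.

```python
import re

FIXED_VERSION = "50.0-1"  # fixed package version stated in the advisory


def parse_pkgversion(s: str):
    """Split an Arch package version 'epoch:pkgver-pkgrel' into its parts."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = s.partition("-")
    return epoch, pkgver, pkgrel


def _segments(v: str):
    """Split '50.0rc1' into [50, 0, 'rc', 1]: digit runs become ints, letter runs stay strings."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", v)]


def _cmp_segments(a, b) -> int:
    for x, y in zip(a, b):
        if type(x) is not type(y):
            # Numeric segments rank above alphabetic ones (as in vercmp/rpmvercmp).
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    if len(a) == len(b):
        return 0
    # One side has segments left over: a leftover numeric segment means newer (1.0.1 > 1.0),
    # a leftover alphabetic one means older (1.0rc1 < 1.0), matching vercmp's behaviour.
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    leftover = longer[min(len(a), len(b))]
    return sign if isinstance(leftover, int) else -sign


def compare_versions(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal."""
    ea, va, ra = parse_pkgversion(a)
    eb, vb, rb = parse_pkgversion(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _cmp_segments(_segments(va), _segments(vb))
    if c != 0 or not (ra and rb):  # pkgrel only matters when both sides carry one
        return c
    return _cmp_segments(_segments(ra), _segments(rb))


def installed_version_from_query(line: str) -> str:
    """Extract the version from a 'pacman -Q firefox' output line such as 'firefox 49.0.2-1'."""
    name, version = line.split()
    if name != "firefox":
        raise ValueError(f"unexpected package: {name}")
    return version


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample output lines; on a real system run: pacman -Q firefox
    for line in ("firefox 49.0.2-1", "firefox 50.0-1", "firefox 1:49.0-1"):
        v = installed_version_from_query(line)
        print(f"{line!r}: {'patched' if is_fixed(v) else 'not yet at 50.0-1, upgrade'}")
```

One caveat the epoch handling makes visible: a package with an epoch (`1:49.0-1`) sorts above `50.0-1`, which is the correct pacman ordering but means a version check alone cannot tell whether a locally rebuilt or epoch-bumped package actually contains the upstream fix; that has to be confirmed from the package's source, not its version string.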
References
https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5291
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5292
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9067
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9070
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9077
Workaround
None.