ArchLinux: 201704-6: firefox: multiple issues
Summary
- CVE-2017-5429 (arbitrary code execution)
Mozilla developers and community members Christian Holler, Jon
Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob
Clary, and Chris Peterson reported memory safety bugs present in
Firefox 52, Firefox ESR 45.8, and Firefox ESR 52. Some of these bugs
showed evidence of memory corruption and we presume that with enough
effort some of these could be exploited to run arbitrary code.
- CVE-2017-5430 (arbitrary code execution)
Mozilla developers and community members Christian Holler, Jon
Coppeard, Milan Sreckovic, Tyson Smith, Ronald Crane, Randell Jesup,
Philipp, Tooru Fujisawa, and Kan-Ru Chen reported memory safety bugs
present in Firefox 52 and Firefox ESR 52. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort
some of these could be exploited to run arbitrary code.
- CVE-2017-5432 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53. It
occurs during certain text input selection and results in a potentially
exploitable crash.
- CVE-2017-5433 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53. It
occurs in SMIL animation functions when pointers to animation elements
in an array are dropped from the animation controller while still in
use. This results in a potentially exploitable crash.
- CVE-2017-5434 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53. It
occurs when redirecting focus handling and results in a potentially
exploitable crash.
- CVE-2017-5435 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53. It
occurs during transaction processing in the editor during design mode
interactions and results in a potentially exploitable crash.
- CVE-2017-5436 (arbitrary code execution)
An out-of-bounds write has been found in the Graphite 2 library,
triggered with a maliciously crafted Graphite font. This results in a
potentially exploitable crash. This issue was fixed in the Graphite 2
library as well as Mozilla products.
- CVE-2017-5437 (denial of service)
Three vulnerabilities were reported in the Libevent library that allow
for out-of-bounds reads and denial of service (DoS) attacks:
CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. These were fixed in
the Libevent library and these changes were ported to Mozilla code in
Firefox 53.
- CVE-2017-5438 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53, during
XSLT processing due to the result handler being held by a freed handler
during handling. This results in a potentially exploitable crash.
- CVE-2017-5439 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53, during
XSLT processing due to poor handling of template parameters. This
results in a potentially exploitable crash.
- CVE-2017-5440 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53, during
XSLT processing due to a failure to propagate error conditions during
matching while evaluating context, leading to objects being used when
they no longer exist. This results in a potentially exploitable crash.
- CVE-2017-5441 (arbitrary code execution)
A use-after-free vulnerability when holding a selection during scroll
events has been found in Firefox < 53. This results in a potentially
exploitable crash.
- CVE-2017-5442 (arbitrary code execution)
A use-after-free vulnerability during changes in style when
manipulating DOM elements has been found in Firefox < 53. This results
in a potentially exploitable crash.
- CVE-2017-5443 (arbitrary code execution)
An out-of-bounds write vulnerability has been found in Firefox < 53,
while decoding improperly formed BinHex format archives.
- CVE-2017-5444 (information disclosure)
A buffer overflow vulnerability has been found in Firefox < 53, while
parsing application/http-index-format format content when the header
contains improperly formatted data. This allows for an out-of-bounds
read of data from memory.
- CVE-2017-5445 (information disclosure)
A vulnerability has been found in Firefox < 53, while parsing
application/http-index-format format content where uninitialized values
are used to create an array. This could allow the reading of
uninitialized memory into the arrays affected.
- CVE-2017-5446 (arbitrary code execution)
An out-of-bounds read has been found in Firefox < 53, when a server on
an HTTP/2 connection sends DATA frames with incorrect data content.
This leads to a potentially exploitable crash.
- CVE-2017-5447 (arbitrary code execution)
An out-of-bounds read has been found in Firefox < 53, during the
processing of glyph widths while rendering text layout. This results in
a potentially exploitable crash and could allow an attacker to read
otherwise inaccessible memory.
- CVE-2017-5448 (arbitrary code execution)
A security issue has been found in Firefox < 53, an out-of-bounds write
in ClearKeyDecryptor while decrypting some Clearkey-encrypted media
content. The ClearKeyDecryptor code runs within the Gecko Media Plugin
(GMP) sandbox. If a second mechanism is found to escape the sandbox,
this vulnerability allows for the writing of arbitrary data within
memory, resulting in a potentially exploitable crash.
- CVE-2017-5449 (arbitrary code execution)
A possibly exploitable crash has been found in Firefox < 53, triggered
during layout and manipulation of bidirectional unicode text in concert
with CSS animations.
- CVE-2017-5451 (content spoofing)
A security issue has been found in Firefox < 53 that allows the
address bar to be spoofed through user interaction with the address bar
and the onblur event. The event could be used by script to affect text
display, making the loaded site appear to be different from the one
actually loaded in the address bar.
- CVE-2017-5453 (content spoofing)
A security issue has been found in Firefox < 53 that allows static HTML
to be injected into the RSS reader preview page due to a failure to
escape characters sent as URL parameters for a feed's TITLE element.
This vulnerability allows for spoofing, but no scripted content can be
run.
- CVE-2017-5454 (access restriction bypass)
A security issue has been found in Firefox < 53 that allows file system
access protections in the sandbox to be bypassed: through the use of
relative paths, the file picker can be used to access files other than
those selected in it. This allows for read-only access to the local
file system.
- CVE-2017-5455 (access restriction bypass)
A security issue has been found in Firefox < 53. The internal feed
reader APIs that crossed the sandbox barrier allowed for a sandbox
escape and escalation of privilege if combined with another
vulnerability that resulted in remote code execution inside the
sandboxed process.
- CVE-2017-5456 (arbitrary filesystem access)
A security issue has been found in Firefox < 53 that allows file system
access protections in the sandbox to be bypassed using the file system
request constructor through an IPC message. This allows for read and
write access to the local file system.
- CVE-2017-5458 (cross-site scripting)
An issue has been found in Firefox < 53. When a javascript: URL is
dragged and dropped by a user into the address bar, the URL will be
processed and executed. This allows users to be socially engineered
into executing an XSS attack on themselves.
- CVE-2017-5459 (arbitrary code execution)
A buffer overflow has been found in the WebGL part of Firefox < 53.
It's triggerable by web content, resulting in a potentially exploitable
crash.
- CVE-2017-5460 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox < 53. It's
located in frame selection, triggered by a combination of malicious
script content and key presses by a user. This results in a potentially
exploitable crash.
- CVE-2017-5461 (arbitrary code execution)
An out-of-bounds write during Base64 decoding operation has been found
in the Network Security Services (NSS) library due to insufficient
memory being allocated to the buffer.
An attacker could use this flaw to create a specially crafted
certificate which, when parsed by NSS, could cause it to crash or
execute arbitrary code, using the permissions of the user running an
application compiled against the NSS library. The issue has been fixed
in releases 3.29.5 and 3.30.1.
- CVE-2017-5464 (arbitrary code execution)
A security issue has been found in Firefox < 53. During DOM
manipulations of the accessibility tree through script, the DOM tree
can become out of sync with the accessibility tree, leading to memory
corruption and a potentially exploitable crash.
- CVE-2017-5465 (information disclosure)
An out-of-bounds read has been found in Firefox < 53, while processing
SVG content in ConvolvePixel. This results in a crash and also allows
otherwise inaccessible memory to be copied into SVG graphic content,
which could then be displayed.
- CVE-2017-5466 (cross-site scripting)
An origin confusion issue has been found in Firefox < 53. If a page is
loaded from an original site through a hyperlink and contains a
redirect to a data:text/html URL, triggering a reload will run the
reloaded data:text/html page with its origin set incorrectly. This
allows for a cross-site scripting (XSS) attack.
- CVE-2017-5467 (denial of service)
A potential memory corruption and crash has been found in Firefox < 53,
when Skia draws content outside of the bounds of a clipping region.
- CVE-2017-5468 (denial of service)
An issue with an incorrect ownership model for privateBrowsing
information exposed through developer tools has been found in
Firefox < 53. This can result in a non-exploitable crash when manually
triggered during debugging.
- CVE-2017-5469 (arbitrary code execution)
Several potential buffer overflows in generated code, due to the
CVE-2016-6354 issue in Flex, have been fixed in Firefox 53.
Resolution
Upgrade to 53.0-1.
# pacman -Syu "firefox>=53.0-1"
The problems have been fixed upstream in version 53.0.
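To check which machines still run a firefox package older than the fixed 53.0-1, using the same version ordering pacman applies, here is an added Python example that is not part of the Arch advisory. The inventory lines and host names are constructed, and alpm_vercmp is a reimplementation of vercmp(8) semantics (epoch, then pkgver, then pkgrel) rather than a call to the real tool.

```python
import re
FIXED_VERSION = "53.0-1"  # the fixed package version from the advisory's Resolution section

def _rpmvercmp(a, b):
    """libalpm-style segment compare: numbers numerically, letters lexically,
    a numeric segment beats an alpha one, a trailing alpha segment loses (53.0rc1 < 53.0)."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    a_longer = len(seg_a) > len(seg_b)
    rest = seg_a[len(seg_b)] if a_longer else seg_b[len(seg_a)]
    if rest.isdigit():
        return 1 if a_longer else -1
    return -1 if a_longer else 1

def alpm_vercmp(a, b):
    """Compare 'epoch:pkgver-pkgrel' like vercmp(8): missing epoch is 0, missing pkgrel matches any."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        pkgver, _, pkgrel = rest.partition("-")
        return int(epoch), pkgver, pkgrel
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _rpmvercmp(va, vb)
    if r != 0 or not (ra and rb):
        return r
    return _rpmvercmp(ra, rb)

SAMPLE_INVENTORY = [  # constructed: "host package version", as pacman -Q prints the last two fields
    "ws01 firefox 52.0.2-1",
    "ws02 firefox 53.0-1",
    "ws03 firefox 52.0-2",
    "ws04 firefox 53.0.2-1",
]

def vulnerable_hosts(inventory, fixed=FIXED_VERSION):
    """Hosts whose installed firefox sorts below the fixed version, in inventory order."""
    return [h for h, pkg, ver in (line.split() for line in inventory)
            if pkg == "firefox" and alpm_vercmp(ver, fixed) < 0]
```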
References
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5429
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1343261%2C1350844%2C1341096%2C1342823%2C1348894%2C1348941%2C1349340%2C1352926%2C1353088%2C
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5430
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1342101%2C1340482%2C1344686%2C1329796%2C1346419%2C1349621%2C1344081%2C1344305%2C1348143%2C1349719%2C1353476%2C1337418%2C1346140%2C1339722
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5432
https://bugzilla.mozilla.org/show_bug.cgi?id=1346654
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5433
https://bugzilla.mozilla.org/show_bug.cgi?id=1347168
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5434
https://bugzilla.mozilla.org/show_bug.cgi?id=1349946
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5435
https://bugzilla.mozilla.org/show_bug.cgi?id=1350683
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5436
https://bugzilla.mozilla.org/show_bug.cgi?id=1345461
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5437
https://bugzilla.mozilla.org/show_bug.cgi?id=1343453
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5438
https://bugzilla.mozilla.org/show_bug.cgi?id=1336828
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5439
https://bugzilla.mozilla.org/show_bug.cgi?id=1336830
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5440
https://bugzilla.mozilla.org/show_bug.cgi?id=1336832
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5441
https://bugzilla.mozilla.org/show_bug.cgi?id=1343795
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5442
https://bugzilla.mozilla.org/show_bug.cgi?id=1347979
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5443
https://bugzilla.mozilla.org/show_bug.cgi?id=1342661
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5444
https://bugzilla.mozilla.org/show_bug.cgi?id=1344461
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5445
https://bugzilla.mozilla.org/show_bug.cgi?id=1344467
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5446
https://bugzilla.mozilla.org/show_bug.cgi?id=1343505
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5447
https://bugzilla.mozilla.org/show_bug.cgi?id=1343552
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5448
https://bugzilla.mozilla.org/show_bug.cgi?id=1346648
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5449
https://bugzilla.mozilla.org/show_bug.cgi?id=1340127
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5451
https://bugzilla.mozilla.org/show_bug.cgi?id=1273537
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5453
https://bugzilla.mozilla.org/show_bug.cgi?id=1321247
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5454
https://bugzilla.mozilla.org/show_bug.cgi?id=1349276
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5455
https://bugzilla.mozilla.org/show_bug.cgi?id=1341191
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5456
https://bugzilla.mozilla.org/show_bug.cgi?id=1344415
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5458
https://bugzilla.mozilla.org/show_bug.cgi?id=1229426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5459
https://bugzilla.mozilla.org/show_bug.cgi?id=1333858
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5460
https://bugzilla.mozilla.org/show_bug.cgi?id=1343642
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461
https://bugzilla.mozilla.org/show_bug.cgi?id=1344380
https://hg.mozilla.org/projects/nss/rev/ac34db053672
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5464
https://bugzilla.mozilla.org/show_bug.cgi?id=1347075
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5465
https://bugzilla.mozilla.org/show_bug.cgi?id=1347617
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5466
https://bugzilla.mozilla.org/show_bug.cgi?id=1353975
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5467
https://bugzilla.mozilla.org/show_bug.cgi?id=1347262
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5468
https://bugzilla.mozilla.org/show_bug.cgi?id=1329521
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5469
https://bugzilla.mozilla.org/show_bug.cgi?id=1292534
https://security.archlinux.org/CVE-2017-5429
https://security.archlinux.org/CVE-2017-5430
https://security.archlinux.org/CVE-2017-5432
https://security.archlinux.org/CVE-2017-5433
https://security.archlinux.org/CVE-2017-5434
https://security.archlinux.org/CVE-2017-5435
https://security.archlinux.org/CVE-2017-5436
https://security.archlinux.org/CVE-2017-5437
https://security.archlinux.org/CVE-2017-5438
https://security.archlinux.org/CVE-2017-5439
https://security.archlinux.org/CVE-2017-5440
https://security.archlinux.org/CVE-2017-5441
https://security.archlinux.org/CVE-2017-5442
https://security.archlinux.org/CVE-2017-5443
https://security.archlinux.org/CVE-2017-5444
https://security.archlinux.org/CVE-2017-5445
https://security.archlinux.org/CVE-2017-5446
https://security.archlinux.org/CVE-2017-5447
https://security.archlinux.org/CVE-2017-5448
https://security.archlinux.org/CVE-2017-5449
https://security.archlinux.org/CVE-2017-5451
https://security.archlinux.org/CVE-2017-5453
https://security.archlinux.org/CVE-2017-5454
https://security.archlinux.org/CVE-2017-5455
https://security.archlinux.org/CVE-2017-5456
https://security.archlinux.org/CVE-2017-5458
https://security.archlinux.org/CVE-2017-5459
https://security.archlinux.org/CVE-2017-5460
https://security.archlinux.org/CVE-2017-5461
https://security.archlinux.org/CVE-2017-5464
https://security.archlinux.org/CVE-2017-5465
https://security.archlinux.org/CVE-2017-5466
https://security.archlinux.org/CVE-2017-5467
https://security.archlinux.org/CVE-2017-5468
https://security.archlinux.org/CVE-2017-5469
Workaround
None.