
Mozilla Firefox < 45.0 Multiple Vulnerabilities

High

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

The version of Firefox installed on the remote host is prior to 45.0 and is affected by multiple vulnerabilities:

- Mozilla Network Security Services (NSS) contains an overflow condition. The issue is triggered as user-supplied input is not properly validated when parsing ASN.1 structures. With a specially crafted certificate, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1950)
- A flaw exists in the 'ValueNumberer::fixupOSROnlyLoop()' function in 'jit/ValueNumbering.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
- A flaw exists in the 'Downscaler::BeginFrame()' function in 'image/Downscaler.cpp' that is triggered when failing to compute filters for image downscaling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
- A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952, CVE-2016-1953)
- A flaw exists in the 'JSScript::maybeSweepTypes()' function in 'vm/TypeInference.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
- A flaw exists in the 'DispatchEvents()' function in 'layout/style/nsAnimationManager.h' and 'layout/style/nsTransitionManager.h' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
- A flaw exists in 'dom/base/Console.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
- A flaw exists in the 'PeerConnectionMedia::SelfDestruct_m()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
- A flaw exists in the 'nsICODecoder::ReadDirEntry()' function in 'image/decoders/nsICODecoder.cpp' that is triggered when rendering ICO sub-images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'nsIDNService::IDNA2008ToUnicode()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists that is triggered as user-supplied input is not properly validated when handling image decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'DiscardTransferables()' function in 'vm/StructuredClone.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'Assembler::GetCF32Target()' function in 'jit/arm/Assembler-arm.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'GetPcScript()' function in 'jit/JitFrames.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'JSFunction::isDerivedClassConstructor()' function in 'js/src/jsfun.cpp' that is triggered when handling lazy self-hosted functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in 'js/src/jit/Lowering.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'EventListenerManager::HandleEventInternal()' function in 'dom/events/EventListenerManager.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in 'layout/base/nsRefreshDriver.cpp' that is triggered when handling transition events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in 'dom/media/systemservices/CamerasChild.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in 'dom/xslt/xslt/txMozillaTextOutput.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in 'dom/gamepad/windows/WindowsGamepad.cpp' that is triggered when handling 'WindowsGamepadService' shutdown. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
- A flaw exists in the 'nsCSPContext::SendReports()' function in 'dom/security/nsCSPContext.cpp' that is triggered during the handling of Content Security Policy (CSP) violation reports. This may allow a context-dependent attacker to overwrite arbitrary files on a user's machine and potentially gain elevated privileges. (CVE-2016-1954)
- A flaw exists in 'dom/security/nsCSPContext.cpp' that is due to Content Security Policy (CSP) violation reports containing full path information for cross-origin iframe navigations, in violation of the CSP specification. This may allow a context-dependent attacker to gain unauthorized access to sensitive information. (CVE-2016-1955)
- A flaw exists in 'gfx/gl/GLContext.cpp' when using Intel video cards that is triggered when performing WebGL operations that require a large amount of buffer memory to be allocated from video memory. This may allow a context-dependent attacker to cause a consumption of memory resources that will persist until the system has been restarted. (CVE-2016-1956)
- Google Stagefright contains a flaw that is triggered during the handling of array destruction during MPEG4 video file processing. This may allow a context-dependent attacker to cause a memory leak, with unspecified consequences. (CVE-2016-1957)
- An unspecified flaw exists that may allow a context-dependent attacker to spoof the user's address bar. No further details have been provided. (CVE-2016-1958)
- A flaw exists in Service Worker Manager that is triggered when handling the Clients API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1959)
- A use-after-free flaw exists in the HTML5 string parser. The issue is triggered when parsing a set of table-related tags in a foreign fragment context such as SVG. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1960)
- A use-after-free flaw exists in the 'nsHTMLDocument::SetBody()' function in 'dom/html/nsHTMLDocument.cpp'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1961)
- A use-after-free flaw exists in 'netwerk/sctp/datachannel/DataChannel.cpp' when using multiple 'WebRTC' data channel connections and freeing a data channel connection from within a call. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1962)
- A flaw exists in the 'FileReader::DoReadData()' function in 'dom/base/FileReader.cpp'. The issue is triggered as user-supplied input is not properly validated when handling modifications to local files that occur while they are being read with the FileReader API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1963)
- A use-after-free flaw exists in the 'txAttribute::execute()' function in 'dom/xslt/xslt/txInstructions.cpp' that is triggered when handling XML transformation operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1964)
- A flaw exists in the 'nsLocation::SetProtocol()' function in 'dom/base/nsLocation.cpp' that is triggered when handling history navigation in combination with the location protocol property. This may allow a context-dependent attacker to spoof the contents of the address bar. (CVE-2016-1965)
- A flaw exists that is triggered when handling history navigation in a restored browser session. This may potentially allow a context-dependent attacker to gain unauthorized access to cross-origin URL information. (CVE-2016-1967)
- A pointer underflow condition exists in the 'Brotli' library. The issue is triggered as user-supplied input is not properly validated when the library is performing decompression. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-1968)
- A use-after-free flaw exists in the Netscape Plugin Application Programming Interface (NPAPI) plugin within the 'nsNPObjWrapper::GetNewOrUsed()' function in 'dom/plugins/base/nsJSNPRuntime.cpp'. The issue is triggered when handling malicious scripted web content in concert with the plugin. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1966)
- An integer underflow condition exists in the 'srtp_unprotect()' function in 'netwerk/srtp/src/srtp/srtp.c' that is triggered when handling SRTP packet lengths. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1970)
- A flaw exists in the 'I420VideoFrame::CreateFrame()' function in WebRTC. The issue is triggered as user-supplied input is not properly validated due to a missing status check. This may potentially allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1971)
- 'libvpx' contains a use-after-free error in 'vpx_ports/vpx_once.h' related to a race condition. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1972)
- A race condition exists in 'dom/media/systemservices/CamerasChild.h'. The issue is triggered as user-supplied input is not properly validated when handling block-level statistics. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1975)
- A use-after-free flaw exists in 'DesktopDisplayDevice::operator=' in 'media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_device_info.cc'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1976)
- A use-after-free flaw exists that is triggered by a race condition in 'GetStaticInstance' in WebRTC. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1973)
- A flaw exists in the 'nsScannerString::AppendUnicodeTo()' function in 'parser/htmlparser/nsScannerString.cpp'. The issue is triggered when the program fails to allocate memory during handling of Unicode strings. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1974)
- Mozilla Network Security Services (NSS) contains a use-after-free error in the 'PK11_ImportDERPrivateKeyInfoAndReturnKey()' function. The issue is triggered when handling DER-encoded keys. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1979)

The Graphite/Libgraphite component used in Mozilla Firefox contains the following vulnerabilities:

- An out-of-bounds write flaw exists in the 'setAttr()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1969)
- A flaw exists in the 'Machine::Code::decoder::analysis::set_ref()' function. The issue is triggered as user-supplied input is not properly validated. With a specially crafted font, a context-dependent attacker can corrupt memory to cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-1977)
- A flaw exists in the 'GetTableInfo()' function in 'TtfUtil.cpp' related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2790)
- An out-of-bounds read flaw exists in the 'GlyphCache::glyph()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2791)
- An out-of-bounds read flaw exists in the 'getAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2792)
- An out-of-bounds read flaw exists in 'CachedCmap.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2793)
- An out-of-bounds read flaw exists in the 'CmapSubtable12NextCodepoint()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2794)
- A flaw exists in the 'FileFace::get_table_fn()' function related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2795)
- An out-of-bounds write flaw exists in the 'vm::Machine::Code::Code()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2796)
- An out-of-bounds read flaw exists in the 'CmapSubtable12Lookup()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2797)
- An out-of-bounds read flaw exists in the 'GlyphCache::Loader::Loader()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2798)
- An out-of-bounds write flaw exists in the 'setAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2799)
- An out-of-bounds read flaw exists in the 'getAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2800)
- An out-of-bounds read flaw exists in the 'CmapSubtable12Lookup()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2801)
- An out-of-bounds read flaw exists in the 'CmapSubtable4NextCodepoint()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2802)

Solution

Upgrade to Firefox 45 or later.
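The detection rule this entry applies is a version comparison: any Firefox build whose version is lower than 45.0 is flagged, and the remediation is to move to 45.0 or later. The following Python is an added example written for this page, not the scanner's own plugin code; it shows how to apply that same "< 45.0" threshold to an asset inventory without the two common mistakes of string-comparing versions ("9.0" > "45.0" lexically) and of treating an unparseable version as safe. The inventory line layout ("host=... product=... version=...") and the sample hosts are constructed for the example, and the handling of suffixed builds such as "38.7.0esr" (compared on their numeric components only) is an assumption about how the advisory's threshold should be read.

```python
import re
from typing import Dict, List, Optional, Tuple

# Threshold taken from the advisory: Firefox versions prior to 45.0 are affected.
FIXED_VERSION: Tuple[int, ...] = (45, 0)

# Leading dotted numeric part of a version string, with any trailing channel
# suffix ("esr", "a2", "b3") captured separately and ignored (assumption).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z].*)?$")

# Constructed "key=value" inventory lines for this example only; not a real
# scanner export format.
SAMPLE_INVENTORY = [
    "host=ws-01 product=firefox version=44.0.2",
    "host=ws-02 product=firefox version=45.0",
    "host=ws-03 product=firefox version=38.7.0esr",
    "host=ws-04 product=firefox version=45.0.1",
    "host=ws-05 product=firefox version=unknown",
    "host=ws-06 product=chrome version=49.0.2623.87",
]

_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a version string, or None.

    '44.0.2' -> (44, 0, 2); '38.7.0esr' -> (38, 7, 0). Unparseable input
    yields None so the caller can report it as 'unknown' rather than 'safe'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version is strictly lower than FIXED_VERSION.

    Tuples compare component-wise, but a shorter tuple sorts before a longer
    prefix-equal one ((45,) < (45, 0)), so both sides are zero-padded to the
    same width before comparing.
    """
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket each Firefox host as 'affected', 'patched' or 'unknown'."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for line in lines:
        fields = dict(_FIELD_RE.findall(line))
        if fields.get("product") != "firefox":
            continue  # this advisory concerns Firefox only
        host = fields.get("host", "?")
        version = parse_version(fields.get("version", ""))
        if version is None:
            result["unknown"].append(host)  # fail closed: needs a manual look
        elif is_affected(version):
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are deliberately kept separate from "patched": a version string the parser cannot read is a gap in inventory data, not evidence that the upgrade to 45.0 has been applied.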