openSUSE-SU-2016:0731

openSUSE-SU-2016:0733

http://www.mozilla.org/security/announce/2016/mfsa2016-29.html

1035215

USN-2917-1

USN-2917-2

USN-2917-3

https://bugzilla.mozilla.org/show_bug.cgi?id=1246956

GLSA-201605-06

The specific version of Firefox that the system is running is reportedly affected by the following vulnerabilities:

- Mozilla Firefox contains a flaw in the ValueNumberer::fixupOSROnlyLoop() function in jit/ValueNumbering.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the Downscaler::BeginFrame() function in image/Downscaler.cpp that is triggered when failing to compute filters for image downscaling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the JSScript::maybeSweepTypes() function in vm/TypeInference.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the DispatchEvents() function in layout/style/nsAnimationManager.h and layout/style/nsTransitionManager.h that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in dom/base/Console.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the PeerConnectionMedia::SelfDestruct_m() function in media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the nsICODecoder::ReadDirEntry() function in image/decoders/nsICODecoder.cpp that is triggered when rendering ICO sub-images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the nsIDNService::IDNA2008ToUnicode() function in netwerk/dns/nsIDNService.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated when handling image decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the DiscardTransferables() function in vm/StructuredClone.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the Assembler::GetCF32Target() function in jit/arm/Assembler-arm.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the GetPcScript() function in jit/JitFrames.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the JSFunction::isDerivedClassConstructor() function in js/src/jsfun.cpp that is triggered when handling lazy self-hosted functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in js/src/jit/Lowering.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the EventListenerManager::HandleEventInternal() function in dom/events/EventListenerManager.cpp. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in layout/base/nsRefreshDriver.cpp that is triggered when handling transition events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in dom/media/systemservices/CamerasChild.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- libvpx contains a flaw in the vp8_mb_init_dequantizer() function in vp8/decoder/decodeframe.c that is triggered as user-supplied input is not properly validated. With specially crafted media content, a context-dependent attacker can corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- libvpx contains a flaw in the vp8_loop_filter_frame_init() function in media/libvpx/vp8/common/loopfilter.c that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in dom/xslt/xslt/txMozillaTextOutput.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in dom/gamepad/windows/WindowsGamepad.cpp that is triggered when handling WindowsGamepadService shutdown. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the nsCSPContext::SendReports() function in dom/security/nsCSPContext.cpp that is triggered during the handling of Content Security Policy (CSP) violation reports. This may allow a context-dependent attacker to overwrite arbitrary files on a user's machine and potentially gain elevated privileges. (CVE-2016-1954)

- Mozilla Firefox contains a flaw in dom/security/nsCSPContext.cpp that is due to Content Security Policy (CSP) violation reports containing full path information for cross-origin iframe navigations in violation of the CSP specification. This may allow a context-dependent attacker to gain unauthorized access to sensitive information. (CVE-2016-1955)

- Mozilla Firefox contains a flaw in gfx/gl/GLContext.cpp when using Intel Video cards that is triggered when performing WebGL operations that require a large amount buffer to be allocated from video memory. This may allow a context-dependent to cause a consumption of memory resources that will persist until the system has been restarted. (CVE-2016-1956)

- Google Stagefright contains a flaw that is triggered during the handling of array destruction during MPEG4 video file processing. This may allow a context-dependent attacker to cause a memory leak, with unspecified consequences.
 (CVE-2016-1957)

- Mozilla Firefox contains an unspecified flaw that may allow a context-dependent attacker to spoof the user's address bar. No further details have been provided. (CVE-2016-1958)

- Mozilla Firefox contains a flaw in Service Worker Manager that is triggered when handling the Clients API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1959)

- Mozilla Firefox contains a use-after-free error in the HTML5 string parser. The issue is triggered when parsing a set of table-related tags in a foreign fragment context such as SVG. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1960)

- Mozilla Firefox contains a use-after-free error in the nsHTMLDocument::SetBody() function in dom/html/nsHTMLDocument.cpp. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1961)

- Mozilla Firefox contains a use-after-free error in netwerk/sctp/datachannel/DataChannel.cpp when using multiple WebRTC data channel connections and freeing a data channel connection from within a call. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1962)

- Mozilla Firefox contains a flaw in the FileReader::DoReadData() function in dom/base/FileReader.cpp. The issue is triggered as user-supplied input is not properly validated when handling modifications to local files that occur while they are being read with the FileReader API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1963)

- Mozilla Firefox contains a use-after-free error in the txAttribute::execute() function in dom/xslt/xslt/txInstructions.cpp that is triggered when handling XML transformation operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1964)

- Mozilla Firefox contains a flaw in the nsLocation::SetProtocol() function in dom/base/nsLocation.cpp that is triggered when handling history navigation in combination with the location protocol property. This may allow a context-dependent attacker to spoof the contents of the address bar. (CVE-2016-1965)

- Mozilla Firefox contains a flaw that is triggered when handling history navigation in a restored browser session. This may potentially allow a context-dependent attacker to gain unauthorized access to cross-origin URL information. (CVE-2016-1967)

- Mozilla Firefox contains a pointer underflow condition in the Brotli library. The issue is triggered as user-supplied input is not properly validated when the library is performing decompression. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-1968)

- Mozilla Firefox contains a use-after-free flaw in the Netscape Plugin Application Programming Interface (NPAPI) plugin within the nsNPObjWrapper::GetNewOrUsed() function in dom/plugins/base/nsJSNPRuntime.cpp. The issue is triggered when handling malicious scripted web content in concert with the plugin. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1966)

- Mozilla Firefox contains an integer underflow condition in the srtp_unprotect() function in netwerk/srtp/src/srtp/srtp.c that is triggered when handling SRTP packet lenghts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1970)

- Mozilla Firefox contains a flaw in the I420VideoFrame::CreateFrame() function in WebRTC. The issue is triggered as user-supplied input is not properly validated due to a missing status check. This may potentially allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1971)

- Mozilla Firefox contains a race condition in dom/media/systemservices/CamerasChild.h. The issue is triggered as user-supplied input is not properly validated when handling block-level statistics. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1975)

- Mozilla Firefox contains a use-after-free flaw in DesktopDisplayDevice::operator= in media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_device_info.cc. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1976)

- libvpx contains a use-after-free error in vpx_ports/vpx_once.h related to a race condition. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 (CVE-2016-1972)

- Mozilla Firefox contains a use-after-free error that is triggered by a race condition in GetStaticInstance in WebRTC. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1973)

- Mozilla Firefox contains a flaw in the nsScannerString::AppendUnicodeTo() function in parser/htmlparser/nsScannerString.cpp. The issue is triggered when the program fails to allocate memory during handling of unicode strings. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1974)

- Mozilla Network Security Services (NSS) contains a use-after-free error in the PK11_ImportDERPrivateKeyInfoAndReturnKey() function. The issue is triggered when handling DER encoded keys. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 (CVE-2016-1979)

- Graphite/Libgraphite contains a flaw in the Machine::Code::decoder::analysis::set_ref() function. The issue is triggered as user-supplied input is not properly validated. With a specially crafted font, a context-dependent attacker can corrupt memory to cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-1977)

- Graphite/Libgraphite contains a flaw in the GetTableInfo() function in TtfUtil.cpp related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2790)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the GlyphCache::glyph() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2791)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the getAttr() function in Slot.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2792)

- Graphite/Libgraphite contains an out-of-bounds read flaw in CachedCmap.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2793)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable12NextCodepoint() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2794)

- Graphite/Libgraphite contains a flaw in the FileFace::get_table_fn() function related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2795)

- Graphite/Libgraphite contains an out-of-bounds write flaw in the vm::Machine::Code::Code() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2796)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable12Lookup() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2797)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the GlyphCache::Loader::Loader() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2798)

- Graphite/Libgraphite contains an out-of-bounds write flaw in the setAttr() function in Slot.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2799)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the getAttr() function in Slot.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2800)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable12Lookup() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2801)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable4NextCodepoint() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2802)

- Graphite/Libgraphite contains an out-of-bounds write flaw in the setAttr() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1969)

The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and       Thunderbird. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

USN-2917-1 fixed vulnerabilities in Firefox. This update caused several web compatibility regressions.

This update fixes the problem.

We apologize for the inconvenience.

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1950)

Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto, Tyson Smith, Andrea Marchesini, and Jukka Jylanki discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1952, CVE-2016-1953)

Nicolas Golubovic discovered that CSP violation reports can be used to overwrite local files. If a user were tricked in to opening a specially crafted website with addon signing disabled and unpacked addons installed, an attacker could potentially exploit this to gain additional privileges.
(CVE-2016-1954)

Muneaki Nishimura discovered that CSP violation reports contained full paths for cross-origin iframe navigations. An attacker could potentially exploit this to steal confidential data. (CVE-2016-1955)

Ucha Gobejishvili discovered that performing certain WebGL operations resulted in memory resource exhaustion with some Intel GPUs, requiring a reboot. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service.
(CVE-2016-1956)

Jose Martinez and Romina Santillan discovered a memory leak in libstagefright during MPEG4 video file processing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via memory exhaustion. (CVE-2016-1957)

Abdulrahman Alqabandi discovered that the addressbar could be blank or filled with page defined content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks.
(CVE-2016-1958)

Looben Yang discovered an out-of-bounds read in Service Worker Manager. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1959)

A use-after-free was discovered in the HTML5 string parser.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1960)

A use-after-free was discovered in the SetBody function of HTMLDocument. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1961)

Dominique Hazael-Massieux discovered a use-after-free when using multiple WebRTC data channels. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1962)

It was discovered that Firefox crashes when local files are modified whilst being read by the FileReader API. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1963)

Nicolas Gregoire discovered a use-after-free during XML transformations. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1964)

Tsubasa Iinuma discovered a mechanism to cause the addressbar to display an incorrect URL, using history navigations and the Location protocol property. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1965)

A memory corruption issues was discovered in the NPAPI subsystem. If a user were tricked in to opening a specially crafted website with a malicious plugin installed, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1966)

Jordi Chancel discovered a same-origin-policy bypass when using performance.getEntries and history navigation with session restore. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal confidential data. (CVE-2016-1967)

Luke Li discovered a buffer overflow during Brotli decompression in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1968)

Ronald Crane discovered a use-after-free in GetStaticInstance in WebRTC. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1973)

Ronald Crane discovered an out-of-bounds read following a failed allocation in the HTML parser in some circumstances.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1974)

Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple memory safety issues in the Graphite 2 library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-2917-1 fixed vulnerabilities in Firefox. This update caused several regressions that could result in search engine settings being lost, the list of search providers appearing empty or the location bar breaking after typing an invalid URL. This update fixes the problem.

We apologize for the inconvenience.

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1950)

Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto, Tyson Smith, Andrea Marchesini, and Jukka Jylanki discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1952, CVE-2016-1953)

Nicolas Golubovic discovered that CSP violation reports can be used to overwrite local files. If a user were tricked in to opening a specially crafted website with addon signing disabled and unpacked addons installed, an attacker could potentially exploit this to gain additional privileges.
(CVE-2016-1954)

Muneaki Nishimura discovered that CSP violation reports contained full paths for cross-origin iframe navigations. An attacker could potentially exploit this to steal confidential data. (CVE-2016-1955)

Ucha Gobejishvili discovered that performing certain WebGL operations resulted in memory resource exhaustion with some Intel GPUs, requiring a reboot. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service.
(CVE-2016-1956)

Jose Martinez and Romina Santillan discovered a memory leak in libstagefright during MPEG4 video file processing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via memory exhaustion. (CVE-2016-1957)

Abdulrahman Alqabandi discovered that the addressbar could be blank or filled with page defined content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks.
(CVE-2016-1958)

Looben Yang discovered an out-of-bounds read in Service Worker Manager. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1959)

A use-after-free was discovered in the HTML5 string parser.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1960)

A use-after-free was discovered in the SetBody function of HTMLDocument. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1961)

Dominique Hazael-Massieux discovered a use-after-free when using multiple WebRTC data channels. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1962)

It was discovered that Firefox crashes when local files are modified whilst being read by the FileReader API. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1963)

Nicolas Gregoire discovered a use-after-free during XML transformations. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1964)

Tsubasa Iinuma discovered a mechanism to cause the addressbar to display an incorrect URL, using history navigations and the Location protocol property. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1965)

A memory corruption issues was discovered in the NPAPI subsystem. If a user were tricked in to opening a specially crafted website with a malicious plugin installed, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1966)

Jordi Chancel discovered a same-origin-policy bypass when using performance.getEntries and history navigation with session restore. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal confidential data. (CVE-2016-1967)

Luke Li discovered a buffer overflow during Brotli decompression in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1968)

Ronald Crane discovered a use-after-free in GetStaticInstance in WebRTC. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1973)

Ronald Crane discovered an out-of-bounds read following a failed allocation in the HTML parser in some circumstances.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1974)

Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple memory safety issues in the Graphite 2 library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Firefox installed on the remote host is prior to 45.0 and is affected by multiple vulnerabilities : 

 - Mozilla Network Security Services (NSS) contains an overflow condition. The issue is triggered as user-supplied input is not properly validated when parsing ASN.1 structures. With a specially crafted certificate, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1950) 
 - A flaw exists in the 'ValueNumberer::fixupOSROnlyLoop()' function in 'jit/ValueNumbering.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw in the 'Downscaler::BeginFrame()' function in 'image/Downscaler.cpp' exists that is triggered when failing to compute filters for image downscaling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952, CVE-2016-1953)
 - A flaw exists in the 'JSScript::maybeSweepTypes()' function in 'vm/TypeInference.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in the 'DispatchEvents()' function in 'layout/style/nsAnimationManager.h' and 'layout/style/nsTransitionManager.h' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in 'dom/base/Console.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in the 'PeerConnectionMedia::SelfDestruct_m()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in the 'nsICODecoder::ReadDirEntry()' function in 'image/decoders/nsICODecoder.cpp' that is triggered when rendering ICO sub-images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'nsIDNService::IDNA2008ToUnicode()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists that is triggered as user-supplied input is not properly validated when handling image decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'DiscardTransferables()' function in 'vm/StructuredClone.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exits in the 'Assembler::GetCF32Target()' function in 'jit/arm/Assembler-arm.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'GetPcScript()' function in 'jit/JitFrames.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'JSFunction::isDerivedClassConstructor()' function in 'js/src/jsfun.cpp' that is triggered when handling lazy self-hosted functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'js/src/jit/Lowering.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exits in the 'EventListenerManager::HandleEventInternal()' function in 'dom/events/EventListenerManager.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'layout/base/nsRefreshDriver.cpp' that is triggered when handling transition events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'dom/media/systemservices/CamerasChild.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'dom/xslt/xslt/txMozillaTextOutput.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'dom/gamepad/windows/WindowsGamepad.cpp' that is triggered when handling 'WindowsGamepadService' shutdown. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'nsCSPContext::SendReports()' function in 'dom/security/nsCSPContext.cpp' that is triggered during the handling of Content Security Policy (CSP) violation reports. This may allow a context-dependent attacker to overwrite arbitrary files on a user's machine and potentially gain elevated privileges. (CVE-2016-1954)
 - A flaw exists in 'dom/security/nsCSPContext.cpp' that is due to Content Security Policy (CSP) violation reports containing full path information for cross-origin iframe navigations in violation of the CSP specification. This may allow a context-dependent attacker to gain unauthorized access to sensitive information. (CVE-2016-1955)
 - A flaw exists in 'gfx/gl/GLContext.cpp' when using Intel Video cards that is triggered when performing WebGL operations that require a large amount buffer to be allocated from video memory. This may allow a context-dependent to cause a consumption of memory resources that will persist until the system has been restarted. (CVE-2016-1956)
 - Google Stagefright contains a flaw that is triggered during the handling of array destruction during MPEG4 video file processing. This may allow a context-dependent attacker to cause a memory leak, with unspecified consequences. (CVE-2016-1957)
 - An unspecified flaw exists that may allow a context-dependent attacker to spoof the user's address bar. No further details have been provided. (CVE-2016-1958)
 - A flaw exists  in Service Worker Manager that is triggered when handling the Clients API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1959)
 - A flaw exists in  use-after-free error in the HTML5 string parser. The issue is triggered when parsing a set of table-related tags in a foreign fragment context such as SVG. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1960)
 - A flaw exists in use-after-free error in the 'nsHTMLDocument::SetBody()' function in 'dom/html/nsHTMLDocument.cpp'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1961)
 - A flaw exists in use-after-free error in 'netwerk/sctp/datachannel/DataChannel.cpp' when using multiple 'WebRTC' data channel connections and freeing a data channel connection from within a call. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1962)
 - A flaw exists in the 'FileReader::DoReadData()' function in 'dom/base/FileReader.cpp'. The issue is triggered as user-supplied input is not properly validated when handling modifications to local files that occur while they are being read with the FileReader API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1963)
 - A flaw exists in use-after-free error in the 'txAttribute::execute()' function in 'dom/xslt/xslt/txInstructions.cpp' that is triggered when handling XML transformation operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1964)
 - A flaw exists in the 'nsLocation::SetProtocol()' function in 'dom/base/nsLocation.cpp' that is triggered when handling history navigation in combination with the location protocol property. This may allow a context-dependent attacker to spoof the contents of the address bar. (CVE-2016-1965)
 - A flaw exists that is triggered when handling history navigation in a restored browser session. This may potentially allow a context-dependent attacker to gain unauthorized access to cross-origin URL information. (CVE-2016-1967)
 - A pointer underflow condition exists in the 'Brotli' library. The issue is triggered as user-supplied input is not properly validated when the library is performing decompression. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-1968)
 - A use-after-free flaw exists in the Netscape Plugin Application Programming Interface (NPAPI) plugin within the 'nsNPObjWrapper::GetNewOrUsed()' function in 'dom/plugins/base/nsJSNPRuntime.cpp'. The issue is triggered when handling malicious scripted web content in concert with the plugin. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1966)
 - An integer underflow condition exists in the 'srtp_unprotect()' function in 'netwerk/srtp/src/srtp/srtp.c' that is triggered when handling SRTP packet lenghts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1970)
 - A flaw exists in the 'I420VideoFrame::CreateFrame()' function in WebRTC. The issue is triggered as user-supplied input is not properly validated due to a missing status check. This may potentially allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1971)
 - 'ibvpx' contains a use-after-free error in 'vpx_ports/vpx_once.h' related to a race condition. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1972)
 - A race condition exists in 'dom/media/systemservices/CamerasChild.h'. The issue is triggered as user-supplied input is not properly validated when handling block-level statistics. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1975)
 - A use-after-free flaw exists in 'DesktopDisplayDevice::operator=' in 'media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_device_info.cc'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1976)
 - A flaw exists in use-after-free error that is triggered by a race condition in 'GetStaticInstance' in WebRTC. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1973)
 - A flaw exists in the 'nsScannerString::AppendUnicodeTo()' function in 'parser/htmlparser/nsScannerString.cpp'. The issue is triggered when the program fails to allocate memory during handling of unicode strings. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1974)
 - Mozilla Network Security Services (NSS) contains a use-after-free error in the 'PK11_ImportDERPrivateKeyInfoAndReturnKey()' function. The issue is triggered when handling DER encoded keys. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1979)

 The Graphite/Libgraphite component used in Mozilla Firefox contains the following vulnerabilities : 

 - An out-of-bounds write flaw exists in the 'setAttr()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1969)
 - A flaw exists in the 'Machine::Code::decoder::analysis::set_ref()' function. The issue is triggered as user-supplied input is not properly validated. With a specially crafted font, a context-dependent attacker can corrupt memory to cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-1977)
 - A flaw exists in the 'GetTableInfo()' function in 'TtfUtil.cpp' related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2790)
 - An out-of-bounds read flaw exists in the 'GlyphCache::glyph()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2791)
 - An out-of-bounds read flaw exist in the 'getAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2792)
 - An out-of-bounds read flaw in 'CachedCmap.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2793)
 - An out-of-bounds read flaw in the 'CmapSubtable12NextCodepoint()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2794)
 - A flaw exists in the 'FileFace::get_table_fn()' function related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2795)
 - An out-of-bounds write flaw exixts in the 'vm::Machine::Code::Code()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2796)
 - An out-of-bounds read flaw exists in the 'CmapSubtable12Lookup()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2797)
 - An out-of-bounds read flaw exists in the 'GlyphCache::Loader::Loader()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2798)
 - An out-of-bounds write flaw exists in the 'setAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2799)
 - An out-of-bounds read flaw exists in the 'getAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2800)
 - An out-of-bounds read flaw exists in the 'CmapSubtable12Lookup()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2801)
 - An out-of-bounds read flaw existsin the 'CmapSubtable4NextCodepoint()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2802)

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues :

MozillaFirefox was updated to Firefox 45.0 (boo#969894)

  - requires NSPR 4.12 / NSS 3.21.1

  - Instant browser tab sharing through Hello

  - Synced Tabs button in button bar

  - Tabs synced via Firefox Accounts from other devices are     now shown in dropdown area of Awesome Bar when searching

  - Introduce a new preference (network.dns.blockDotOnion)     to allow blocking .onion at the DNS level

  - Tab Groups (Panorama) feature removed

  - MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous     memory safety hazards

  - MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file     overwriting and potential privilege escalation through     CSP reports

  - MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports     fail to strip location information for embedded iframe     pages

  - MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video     memory DOS with Intel drivers

  - MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in     libstagefright when deleting an array during MP4     processing

  - MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page     address can be overridden

  - MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker     Manager out-of-bounds read in Service Worker Manager

  - MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)     Use-after-free in HTML5 string parser

  - MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)     Use-after-free in SetBody

  - MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free     when using multiple WebRTC data channels

  - MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory     corruption when modifying a file being read by     FileReader

  - MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free     during XML transformations

  - MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar     spoofing though history navigation and Location protocol     property

  - MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin     policy violation using perfomance.getEntries and history     navigation with session restore

  - MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow     in Brotli decompression

  - MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory     corruption with malicious NPAPI plugin

  - MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/     CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX     vulnerabilities found through code inspection

  - MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free     in GetStaticInstance in WebRTC

  - MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds     read in HTML parser following a failed allocation

  - MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow     during ASN.1 decoding in NSS (fixed by requiring 3.21.1)

  - MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free     during processing of DER encoded keys in NSS (fixed by     requiring 3.21.1)

  - MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/     CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/     CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/     CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font     vulnerabilities in the Graphite 2 library

    mozilla-nspr was updated to version 4.12

  - added a PR_GetEnvSecure function, which attempts to     detect if the program is being executed with elevated     privileges, and returns NULL if detected. It is     recommended to use this function in general purpose     library code.

  - fixed a memory allocation bug related to the PR_*printf     functions

  - exported API PR_DuplicateEnvironment, which had already     been added in NSPR 4.10.9

  - added support for FreeBSD aarch64

  - several minor correctness and compatibility fixes

    mozilla-nss was updated to NSS 3.21.1 (bmo#969894)

  - required for Firefox 45.0

  - MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow     during ASN.1 decoding in NSS (fixed by requiring 3.21.1)

  - MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free     during processing of DER encoded keys in NSS (fixed by     requiring 3.21.1)

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues :

MozillaFirefox was updated to Firefox 45.0 (boo#969894)

  - requires NSPR 4.12 / NSS 3.21.1

  - Instant browser tab sharing through Hello

  - Synced Tabs button in button bar

  - Tabs synced via Firefox Accounts from other devices are     now shown in dropdown area of Awesome Bar when searching

  - Introduce a new preference (network.dns.blockDotOnion)     to allow blocking .onion at the DNS level

  - Tab Groups (Panorama) feature removed

  - MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous     memory safety hazards

  - MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file     overwriting and potential privilege escalation through     CSP reports

  - MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports     fail to strip location information for embedded iframe     pages

  - MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video     memory DOS with Intel drivers

  - MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in     libstagefright when deleting an array during MP4     processing

  - MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page     address can be overridden

  - MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker     Manager out-of-bounds read in Service Worker Manager

  - MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)     Use-after-free in HTML5 string parser

  - MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)     Use-after-free in SetBody

  - MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free     when using multiple WebRTC data channels

  - MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory     corruption when modifying a file being read by     FileReader

  - MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free     during XML transformations

  - MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar     spoofing though history navigation and Location protocol     property

  - MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin     policy violation using perfomance.getEntries and history     navigation with session restore

  - MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow     in Brotli decompression

  - MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory     corruption with malicious NPAPI plugin

  - MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/     CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX     vulnerabilities found through code inspection

  - MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free     in GetStaticInstance in WebRTC

  - MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds     read in HTML parser following a failed allocation

  - MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow     during ASN.1 decoding in NSS (fixed by requiring 3.21.1)

  - MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free     during processing of DER encoded keys in NSS (fixed by     requiring 3.21.1)

  - MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/     CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/     CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/     CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font     vulnerabilities in the Graphite 2 library

mozilla-nspr was updated to version 4.12

  - added a PR_GetEnvSecure function, which attempts to     detect if the program is being executed with elevated     privileges, and returns NULL if detected. It is     recommended to use this function in general purpose     library code.

  - fixed a memory allocation bug related to the PR_*printf     functions

  - exported API PR_DuplicateEnvironment, which had already     been added in NSPR 4.10.9

  - added support for FreeBSD aarch64

  - several minor correctness and compatibility fixes

mozilla-nss was updated to NSS 3.21.1 (bmo#969894)

  - required for Firefox 45.0

  - MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow     during ASN.1 decoding in NSS (fixed by requiring 3.21.1)

  - MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free     during processing of DER encoded keys in NSS (fixed by     requiring 3.21.1)

The version of Firefox installed on the remote Windows host is prior to 45. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these issues by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.

The version of Firefox installed on the remote Mac OS X host is prior to 45. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these issues by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1950)

Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto, Tyson Smith, Andrea Marchesini, and Jukka Jylanki discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1952, CVE-2016-1953)

Nicolas Golubovic discovered that CSP violation reports can be used to overwrite local files. If a user were tricked in to opening a specially crafted website with addon signing disabled and unpacked addons installed, an attacker could potentially exploit this to gain additional privileges. (CVE-2016-1954)

Muneaki Nishimura discovered that CSP violation reports contained full paths for cross-origin iframe navigations. An attacker could potentially exploit this to steal confidential data. (CVE-2016-1955)

Ucha Gobejishvili discovered that performing certain WebGL operations resulted in memory resource exhaustion with some Intel GPUs, requiring a reboot. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2016-1956)

Jose Martinez and Romina Santillan discovered a memory leak in libstagefright during MPEG4 video file processing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via memory exhaustion. (CVE-2016-1957)

Abdulrahman Alqabandi discovered that the addressbar could be blank or filled with page defined content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks.
(CVE-2016-1958)

Looben Yang discovered an out-of-bounds read in Service Worker Manager. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1959)

A use-after-free was discovered in the HTML5 string parser. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1960)

A use-after-free was discovered in the SetBody function of HTMLDocument. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1961)

Dominique Hazael-Massieux discovered a use-after-free when using multiple WebRTC data channels. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1962)

It was discovered that Firefox crashes when local files are modified whilst being read by the FileReader API. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1963)

Nicolas Gregoire discovered a use-after-free during XML transformations. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1964)

Tsubasa Iinuma discovered a mechanism to cause the addressbar to display an incorrect URL, using history navigations and the Location protocol property. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1965)

A memory corruption issues was discovered in the NPAPI subsystem. If a user were tricked in to opening a specially crafted website with a malicious plugin installed, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-1966)

Jordi Chancel discovered a same-origin-policy bypass when using performance.getEntries and history navigation with session restore. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal confidential data.
(CVE-2016-1967)

Luke Li discovered a buffer overflow during Brotli decompression in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1968)

Ronald Crane discovered a use-after-free in GetStaticInstance in WebRTC. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1973)

Ronald Crane discovered an out-of-bounds read following a failed allocation in the HTML parser in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1974)

Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple memory safety issues in the Graphite 2 library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

Mozilla Foundation reports :

MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

MFSA 2016-17 Local file overwriting and potential privilege escalation through CSP reports

MFSA 2016-18 CSP reports fail to strip location information for embedded iframe pages

MFSA 2016-19 Linux video memory DOS with Intel drivers

MFSA 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing

MFSA 2016-21 Displayed page address can be overridden

MFSA 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager

MFSA 2016-23 Use-after-free in HTML5 string parser

MFSA 2016-24 Use-after-free in SetBody

MFSA 2016-25 Use-after-free when using multiple WebRTC data channels

MFSA 2016-26 Memory corruption when modifying a file being read by FileReader

MFSA 2016-27 Use-after-free during XML transformations

MFSA 2016-28 Addressbar spoofing though history navigation and Location protocol property

MFSA 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore

MFSA 2016-31 Memory corruption with malicious NPAPI plugin

MFSA 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection

MFSA 2016-33 Use-after-free in GetStaticInstance in WebRTC

MFSA 2016-34 Out-of-bounds read in HTML parser following a failed allocation

ID	Name	Product	Family	Severity
802023	Firefox < 45 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	critical
91379	GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	critical
90598	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : firefox regressions (USN-2917-3)	Nessus	Ubuntu Local Security Checks	critical
90421	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : firefox regressions (USN-2917-2)	Nessus	Ubuntu Local Security Checks	critical
9207	Mozilla Firefox < 45.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
89915	openSUSE Security Update : Firefox (openSUSE-2016-334)	Nessus	SuSE Local Security Checks	critical
89913	openSUSE Security Update : MozillaFirefox / mozilla-nspr / mozilla-nss (openSUSE-2016-332)	Nessus	SuSE Local Security Checks	critical
89875	Firefox < 45 Multiple Vulnerabilities	Nessus	Windows	high
89873	Firefox < 45 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
89826	Ubuntu 12.04 LTS / 14.04 / 15.10 : firefox vulnerabilities (USN-2917-1)	Nessus	Ubuntu Local Security Checks	critical
89765	FreeBSD : mozilla -- multiple vulnerabilities (2225c5b4-1e5a-44fc-9920-b3201c384a15)	Nessus	FreeBSD Local Security Checks	critical

CVE-2016-1967

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins