openSUSE-SU-2016:1552

openSUSE-SU-2016:1557

http://www.mozilla.org/security/announce/2016/mfsa2016-54.html

1036057

USN-2993-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1193093

Versions of Mozilla Firefox earlier than 47.0 are unpatched for the following vulnerabilities :

 - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-2815, CVE-2016-2818)
 - An overflow condition exists that is triggered when handling HTML5 fragments in foreign contexts (e.g., under <svg> nodes).  An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-2819)
 - A use-after-free error exists that is triggered when deleting DOM table elements in 'contenteditable' mode.  An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-2821)
 - A spoofing vulnerability exists due to improper handling of SELECT elements.  An unauthenticated, remote attacker can exploit this to spoof the contents of the address bar. (CVE-2016-2822)
 - A same-origin bypass vulnerability exists that is triggered when handling 'location.host' property values set after the creation of invalid 'data:' URIs.  An unauthenticated, remote attacker can exploit this to partially bypass same-origin policy protections. (CVE-2016-2825)
 - A use-after-free error exists that is triggered when destroying the recycle pool of a texture used during the processing of WebGL content.  An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-2828)
 - A flaw exists in 'browser/modules/webrtcUI.jsm' that is triggered when handling a large number of permission requests over a small period of time.  An unauthenticated, remote attacker can exploit this to cause the incorrect icon to be displayed in a given permission request, potentially resulting in a user approving unintended permission requests. (CVE-2016-2829)
 - A flaw exists that is triggered when handling paired fullscreen and pointerlock requests in combination with closing windows.  An unauthenticated, remote attacker can exploit this to create an unauthorized pointerlock, resulting in a denial of service condition.  Additionally, an attacker can exploit this to conduct spoofing and clickjacking attacks. (CVE-2016-2831)
 - An information disclosure vulnerability exists that is triggered when handling CSS pseudo-classes.  An unauthenticated, remote attacker can exploit this disclose a list of installed plugins. (CVE-2016-2832)
 - A Content Security Policy (CSP) bypass exists that is triggered when handling specially crafted cross-domain Java applets.  An unauthenticated, remote attacker can exploit this to bypass the CSP and conduct cross-site scripting attacks. (CVE-2016-2833)
 - Multiple unspecified flaws exist in the Mozilla Network Security Services (NSS) component that allow an attacker to have an unspecified impact. (CVE-2016-2834)

This update to Mozilla Firefox 47 fixes the following issues (boo#983549) :

Security fixes :

  - CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety     hazards (boo#983638 MFSA 2016-49)

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (boo#983655 MFSA 2016-50)

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (boo#983653 MFSA 2016-51)

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (boo#983652 MFSA 2016-52)

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (boo#983651 MFSA 2016-53)

  - CVE-2016-2825: Partial same-origin-policy through     setting location.host through data URI (boo#983649 MFSA     2016-54)

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction     (boo#983646 MFSA 2016-56)

  - CVE-2016-2829: Incorrect icon displayed on permissions     notifications (boo#983644 MFSA 2016-57)

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (boo#983643 MFSA     2016-58)

  - CVE-2016-2832: Information disclosure of disabled     plugins through CSS pseudo-classes (boo#983632 MFSA     2016-59)

  - CVE-2016-2833: Java applets bypass CSP protections     (boo#983640 MFSA 2016-60)

Mozilla NSS was updated to 3.23 to address the following vulnerabilities :

  - CVE-2016-2834: Memory safety bugs (boo#983639     MFSA-2016-61)

    The following non-security changes are included :

  - Enable VP9 video codec for users with fast machines

  - Embedded YouTube videos now play with HTML5 video if     Flash is not installed

  - View and search open tabs from your smartphone or     another computer in a sidebar

  - Allow no-cache on back/forward navigations for https     resources

    The following packaging changes are included :

  - boo#981695: cleanup configure options, notably removing     GStreamer support which is gone from FF

  - boo#980384: enable build with PIE and full relro on     x86_64

    The following new functionality is provided :

  - ChaCha20/Poly1305 cipher and TLS cipher suites now     supported

  - The list of TLS extensions sent in the TLS handshake has     been reordered to increase compatibility of the Extended     Master Secret with with servers

This update to Mozilla Firefox 47 fixes the following issues (boo#983549) :

Security fixes :

  - CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety     hazards (boo#983638 MFSA 2016-49)

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (boo#983655 MFSA 2016-50)

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (boo#983653 MFSA 2016-51)

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (boo#983652 MFSA 2016-52)

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (boo#983651 MFSA 2016-53)

  - CVE-2016-2825: Partial same-origin-policy through     setting location.host through data URI (boo#983649 MFSA     2016-54)

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction     (boo#983646 MFSA 2016-56)

  - CVE-2016-2829: Incorrect icon displayed on permissions     notifications (boo#983644 MFSA 2016-57)

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (boo#983643 MFSA     2016-58)

  - CVE-2016-2832: Information disclosure of disabled     plugins through CSS pseudo-classes (boo#983632 MFSA     2016-59)

  - CVE-2016-2833: Java applets bypass CSP protections     (boo#983640 MFSA 2016-60)

Mozilla NSS was updated to 3.23 to address the following vulnerabilities :

  - CVE-2016-2834: Memory safety bugs (boo#983639     MFSA-2016-61) The following non-security changes are     included :

  - Enable VP9 video codec for users with fast machines

  - Embedded YouTube videos now play with HTML5 video if     Flash is not installed

  - View and search open tabs from your smartphone or     another computer in a sidebar

  - Allow no-cache on back/forward navigations for https     resources

The following packaging changes are included :

  - boo#981695: cleanup configure options, notably removing     GStreamer support which is gone from FF

  - boo#980384: enable build with PIE and full relro on     x86_64

The following new functionality is provided :

  - ChaCha20/Poly1305 cipher and TLS cipher suites now     supported

  - The list of TLS extensions sent in the TLS handshake has     been reordered to increase compatibility of the Extended     Master Secret with with servers

Christian Holler, Gary Kwong, Jesse Ruderman, Tyson Smith, Timothy Nikkel, Sylvestre Ledru, Julian Seward, Olli Pettay, Karl Tomlinson, Christoph Diehl, Julian Hector, Jan de Mooij, Mats Palmgren, and Tooru Fujisawa discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-2815, CVE-2016-2818)

A buffer overflow was discovered when parsing HTML5 fragments in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code.
(CVE-2016-2819)

A use-after-free was discovered in contenteditable mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code.
(CVE-2016-2821)

Jordi Chancel discovered a way to use a persistent menu within a <select> element and place this in an arbitrary location. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to spoof the addressbar contents.
(CVE-2016-2822)

Armin Razmdjou that the location.host property can be set to an arbitrary string after creating an invalid data: URI. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass some same-origin protections.
(CVE-2016-2825)

A use-after-free was discovered when processing WebGL content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code.
(CVE-2016-2828)

Tim McCormack discovered that the permissions notification can show the wrong icon when a page requests several permissions in quick succession. An attacker could potentially exploit this by tricking the user in to giving consent for access to the wrong resource.
(CVE-2016-2829)

It was discovered that a pointerlock can be created in a fullscreen window without user consent in some circumstances, and this pointerlock cannot be cancelled without quitting Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service or conduct clickjacking attacks. (CVE-2016-2831)

John Schoenick discovered that CSS pseudo-classes can leak information about plugins that are installed but disabled. An attacker could potentially exploit this to fingerprint users. (CVE-2016-2832)

Matt Wobensmith discovered that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. An attacker could potentially exploit this to bypass CSP protections and conduct cross-site scripting (XSS) attacks.
(CVE-2016-2833)

In addition, multiple unspecified security issues were discovered in NSS. (CVE-2016-2834).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Firefox installed on the remote Windows host is prior to 47. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist that allow an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2016-2815, CVE-2016-2818)

  - An overflow condition exists that is triggered when     handling HTML5 fragments in foreign contexts (e.g.,     under <svg> nodes). An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in the execution of arbitrary code.
    (CVE-2016-2819)

  - A use-after-free error exists that is triggered when     deleting DOM table elements in 'contenteditable' mode.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-2821)

  - A spoofing vulnerability exists due to improper handling     of SELECT elements. An unauthenticated, remote attacker     can exploit this to spoof the contents of the address     bar. (CVE-2016-2822)

  - An out-of-bounds write error exists in the ANGLE     graphics library due to improper size checking while     writing to an array during WebGL shader operations. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2016-2824)

  - A same-origin bypass vulnerability exists that is     triggered when handling location.host property values     set after the creation of invalid 'data:' URIs. An     unauthenticated, remote attacker can exploit this to     partially bypass same-origin policy protections.
    (CVE-2016-2825)

  - A privilege escalation vulnerability exists in the     Windows updater utility due to improper extraction of     files from MAR archives. A local attacker can exploit     this to replace the extracted files, allowing the     attacker to gain elevated privileges. (CVE-2016-2826)

  - A use-after-free error exists that is triggered when     destroying the recycle pool of a texture used during the     processing of WebGL content. An unauthenticated, remote     attacker can exploit this to dereference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2016-2828)

  - A flaw exists in browser/modules/webrtcUI.jsm that is     triggered when handling a large number of permission     requests over a small period of time. An     unauthenticated, remote attacker can exploit this to     cause the incorrect icon to be displayed in a given     permission request, potentially resulting in a user     approving unintended permission requests.
    (CVE-2016-2829)

  - A flaw exists that is triggered when handling paired     fullscreen and pointerlock requests in combination with     closing windows. An unauthenticated, remote attacker can     exploit this to create an unauthorized pointerlock,     resulting in a denial of service condition.
    Additionally, an attacker can exploit this to conduct     spoofing and clickjacking attacks. (CVE-2016-2831)

  - An information disclosure vulnerability exists that is     triggered when handling CSS pseudo-classes. An     unauthenticated, remote attacker can exploit this     disclose a list of installed plugins. (CVE-2016-2832)

  - A Content Security Policy (CSP) bypass exists that is     triggered when handling specially crafted cross-domain     Java applets. An unauthenticated, remote attacker can     exploit this to bypass the CSP and conduct cross-site     scripting attacks. (CVE-2016-2833)

  - Multiple unspecified flaws exist in the Mozilla Network     Security Services (NSS) component that allow an attacker     to have an unspecified impact. (CVE-2016-2834)

The version of Firefox installed on the remote Mac OS X host is prior to 47. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist that allow an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2016-2815, CVE-2016-2818)

  - An overflow condition exists that is triggered when     handling HTML5 fragments in foreign contexts (e.g.,     under <svg> nodes). An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in the execution of arbitrary code.
    (CVE-2016-2819)

  - A use-after-free error exists that is triggered when     deleting DOM table elements in 'contenteditable' mode.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-2821)

  - A spoofing vulnerability exists due to improper handling     of SELECT elements. An unauthenticated, remote attacker     can exploit this to spoof the contents of the address     bar. (CVE-2016-2822)

  - A same-origin bypass vulnerability exists that is     triggered when handling location.host property values     set after the creation of invalid 'data:' URIs. An     unauthenticated, remote attacker can exploit this to     partially bypass same-origin policy protections.
    (CVE-2016-2825)

  - A use-after-free error exists that is triggered when     destroying the recycle pool of a texture used during the     processing of WebGL content. An unauthenticated, remote     attacker can exploit this to dereference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2016-2828)

  - A flaw exists in browser/modules/webrtcUI.jsm that is     triggered when handling a large number of permission     requests over a small period of time. An     unauthenticated, remote attacker can exploit this to     cause the incorrect icon to be displayed in a given     permission request, potentially resulting in a user     approving unintended permission requests.
    (CVE-2016-2829)

  - A flaw exists that is triggered when handling paired     fullscreen and pointerlock requests in combination with     closing windows. An unauthenticated, remote attacker can     exploit this to create an unauthorized pointerlock,     resulting in a denial of service condition.
    Additionally, an attacker can exploit this to conduct     spoofing and clickjacking attacks. (CVE-2016-2831)

  - An information disclosure vulnerability exists that is     triggered when handling CSS pseudo-classes. An     unauthenticated, remote attacker can exploit this     disclose a list of installed plugins. (CVE-2016-2832)

  - A Content Security Policy (CSP) bypass exists that is     triggered when handling specially crafted cross-domain     Java applets. An unauthenticated, remote attacker can     exploit this to bypass the CSP and conduct cross-site     scripting attacks. (CVE-2016-2833)

  - Multiple unspecified flaws exist in the Mozilla Network     Security Services (NSS) component that allow an attacker     to have an unspecified impact. (CVE-2016-2834)

Mozilla Foundation reports :

MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

MFSA 2016-50 Buffer overflow parsing HTML5 fragments

MFSA 2016-51 Use-after-free deleting tables from a contenteditable document

MFSA 2016-52 Addressbar spoofing though the SELECT element

MFSA 2016-54 Partial same-origin-policy through setting location.host through data URI

MFSA 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction

MFSA 2016-57 Incorrect icon displayed on permissions notifications

MFSA 2016-58 Entering fullscreen and persistent pointerlock without user permission

MFSA 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes

MFSA 2016-60 Java applets bypass CSP protections

ID	Name	Product	Family	Severity
9383	Mozilla Firefox < 47.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
91589	openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-714)	Nessus	SuSE Local Security Checks	high
91586	openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-704)	Nessus	SuSE Local Security Checks	high
91557	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : firefox vulnerabilities (USN-2993-1)	Nessus	Ubuntu Local Security Checks	high
91547	Firefox < 47 Multiple Vulnerabilities	Nessus	Windows	high
91545	Firefox < 47 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
91509	FreeBSD : mozilla -- multiple vulnerabilities (8065d37b-8e7c-4707-a608-1b0a2b8509c3)	Nessus	FreeBSD Local Security Checks	medium

CVE-2016-2825

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins