96696

1037966

https://bugzilla.mozilla.org/show_bug.cgi?id=1321814

https://www.mozilla.org/security/advisories/mfsa2017-05/

https://www.mozilla.org/security/advisories/mfsa2017-06/

This update for MozillaFirefox to ESR 45.8 fixes the following issues:
Security issues fixed (bsc#1028391) :

  - CVE-2017-5402: Use-after-free working with events in     FontFace objects

  - CVE-2017-5410: Memory corruption during JavaScript     garbage collection incremental sweeping

  - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

  - CVE-2017-5401: Memory Corruption when handling     ErrorResult

  - CVE-2017-5407: Pixel and history stealing via     floating-point timing side channel with SVG filters

  - CVE-2017-5404: Use-after-free working with ranges in     selections

  - CVE-2017-5405: FTP response codes can cause use of     uninitialized values for ports

  - CVE-2017-5408: Cross-origin reading of video captions in     violation of CORS

  - CVE-2017-5409: File deletion via callback parameter in     Mozilla Windows Updater and Maintenance Service

  - CVE-2017-5398: Memory safety bugs fixed in Firefox 52     and Firefox ESR 45.8 Bugfixes :

  - fix crashes on Itanium (bsc#1027527)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for MozillaFirefox to ESR 45.8 fixes the following issues:
Security issues fixed (bsc#1028391) :

  - CVE-2017-5402: Use-after-free working with events in     FontFace objects

  - CVE-2017-5410: Memory corruption during JavaScript     garbage collection incremental sweeping

  - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

  - CVE-2017-5401: Memory Corruption when handling     ErrorResult

  - CVE-2017-5407: Pixel and history stealing via     floating-point timing side channel with SVG filters

  - CVE-2017-5404: Use-after-free working with ranges in     selections

  - CVE-2017-5405: FTP response codes can cause use of     uninitialized values for ports

  - CVE-2017-5408: Cross-origin reading of video captions in     violation of CORS

  - CVE-2017-5409: File deletion via callback parameter in     Mozilla Windows Updater and Maintenance Service

  - CVE-2017-5398: Memory safety bugs fixed in Firefox 52     and Firefox ESR 45.8

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - Mozilla developers and community members Carsten Book,     Calixte Denizet, Christian Holler, Andrew McCreight,     David Bolter, David Keeler, Jon Coppeard, Tyson Smith,     Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed     Davis, Julian Seward, Julian Hector, Philipp, Markus     Stange, and Andre Bargull reported memory safety bugs     present in Firefox 51. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2017-5399)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - When adding a range to an object in the DOM, it is     possible to use addRange to add the range to an     incorrect root object. This triggers a use-after-free,     resulting in a potentially exploitable crash.
    (CVE-2017-5403)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - A segmentation fault can occur in the Skia graphics     library during some canvas operations due to issues     with mask/clip intersection and empty masks.
    (CVE-2017-5406)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - The Mozilla Windows updater can be called by a     non-privileged user to delete an arbitrary local file     by passing a special path to the callback parameter     through the Mozilla Maintenance Service, which has     privileged access. Note: This attack requires local     system access and only affects Windows. Other operating     systems are not affected. (CVE-2017-5409)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

  - A use-after-free can occur during buffer storage     operations within the ANGLE graphics library, used for     WebGL content. The buffer storage can be freed while     still in use in some circumstances, leading to a     potentially exploitable crash. Note: This issue is in     libGLES, which is only in use on Windows. Other     operating systems are not affected. (CVE-2017-5411)

  - A buffer overflow read during SVG filter color value     operations, resulting in data exposure. (CVE-2017-5412)

  - A segmentation fault can occur during some     bidirectional layout operations. (CVE-2017-5413)

  - The file picker dialog can choose and display the wrong     local default directory when instantiated. On some     operating systems, this can lead to information     disclosure, such as the operating system or the local     account name. (CVE-2017-5414)

  - An attack can use a blob URL and script to spoof an     arbitrary addressbar URL prefaced by blob: as the     protocol, leading to user confusion and further     spoofing attacks. (CVE-2017-5415)

  - In certain circumstances a networking event listener     can be prematurely released. This appears to result in     a null dereference in practice. (CVE-2017-5416)

  - When dragging content from the primary browser pane to     the addressbar on a malicious site, it is possible to     change the addressbar so that the displayed location     following navigation does not match the URL of the     newly loaded page. This allows for spoofing attacks.
    (CVE-2017-5417)

  - An out of bounds read error occurs when parsing some     HTTP digest authorization responses, resulting in     information leakage through the reading of random     memory containing matches to specifically set patterns.
    (CVE-2017-5418)

  - If a malicious site repeatedly triggers a modal     authentication prompt, eventually the browser UI will     become non-responsive, requiring shutdown through the     operating system. This is a denial of service (DOS)     attack. (CVE-2017-5419)

  - A javascript: url loaded by a malicious page can     obfuscate its location by blanking the URL displayed in     the addressbar, allowing for an attacker to spoof an     existing page without the malicious page's address     being displayed correctly. (CVE-2017-5420)

  - A malicious site could spoof the contents of the print     preview window if popup windows are enabled, resulting     in user confusion of what site is currently loaded.
    (CVE-2017-5421)

  - If a malicious site uses the view-source: protocol in a     series within a single hyperlink, it can trigger a     non-exploitable browser crash when the hyperlink is     selected. This was fixed by no longer making     view-source: linkable. (CVE-2017-5422)

  - A non-existent chrome.manifest file will attempt to be     loaded during startup from the primary installation     directory. If a malicious user with local access puts     chrome.manifest and other referenced files in this     directory, they will be loaded and activated during     startup. This could result in malicious software being     added without consent or modification of referenced     installed files. (CVE-2017-5427)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 45.8. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - The Mozilla Windows updater can be called by a     non-privileged user to delete an arbitrary local file     by passing a special path to the callback parameter     through the Mozilla Maintenance Service, which has     privileged access. Note: This attack requires local     system access and only affects Windows. Other operating     systems are not affected. (CVE-2017-5409)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Foundation reports :

Please reference CVE/URL list for details

Versions of Mozilla Firefox ESR earlier than 45.8 are unpatched for the following vulnerabilities :

 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'js/src/jsgc.cpp' that is triggered as certain input is not properly validated when handling zone groups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'netwerk/streamconv/converters/nsMultiMixedConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'netwerk/cache/nsDiskCacheDeviceSQL.cpp' that is triggered when handling cache eviction. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.- A use-after-free condition exists that is triggered when handling NPAPI plugin references. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/base/nsDocument.cpp' that is triggered when handling frame request callbacks rescheduling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'js::array_sort()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'cairo_cff_font_write_cid_fontdict()' function in 'cairo-cff-subset.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
 - A use-after-free error exists in the 'FontFaceSet' class in 'layout/style/FontFaceSet.cpp' that is triggered when handling events for FontFace objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the JavaScript Garbage Collection mechanism that is triggered during incremental sweeping on memory cleanups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/bindings/ErrorResult.h' that is triggered when handling ErrorResult references. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling ranges in selections with one node inside and one node outside of a native anonymous tree. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'HTMLTrackElement::LoadResource()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered as CORS headers are not checked when loading video captions. This may allow a context-dependent attacker to disclose video captions.
 - A path truncation flaw exist in the 'NS_main()' function in 'toolkit/mozapps/update/updater/updater.cpp' that is triggered when passing callback parameters through the Mozilla Maintenance Service. This may allow a local attacker to delete arbitrary files with elevated privileges.
 - A flaw exists in the 'FilterNodeLightingSoftware::SetAttribute()' function template in 'gfx/2d/FilterNodeSoftware.cpp' that is triggered when handling subnormal surfaceScale values. With a specially crafted SVG filter, a context-dependent attacker can perform a side-channel attack, potentially resulting in disclosure of history information or text values across domains.

Versions of Mozilla Firefox prior to 52 are unpatched for the following vulnerabilities :

 - A flaw exists that is triggered when using a JIT-spray targeting 'asm.js' in conjunction with a heap spray that may allow a context-dependent attacker to bypass the Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms.
 - A flaw exists in the 'txMozillaXMLOutput::createResultDocument()' function in 'dom/xslt/xslt/txMozillaXMLOutput.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/network/UDPSocketParent.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'js/src/jit/arm/MacroAssembler-arm.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsDocShell::CreateAboutBlankContentViewer()' function in 'docshell/base/nsDocShell.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated when handling SMIL RAII objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated when handling accessibles. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'trace()' function in 'xpcom/base/CycleCollectedJSContext.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An integer underflow condition exists in the 'apply_lookup()' function in 'hb-ot-layout-gsubgpos-private.hh' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
 - A flaw exists in the 'nsWebBrowser::RemoveWebBrowserListener()' function in 'embedding/browser/nsWebBrowser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/u2f/U2F.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'Element::DescribeAttribute()' function in 'dom/base/Element.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'xpcom/ds/nsSupportsArray.cpp' that is triggered when handling 'nsISupportsArrays'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/workers/ServiceWorkerPrivate.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'layout/printing/nsPrintEngine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'netwerk/cache2/CacheIndex.cpp' that is triggered when handling cache index serialization. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'media/webrtc/trunk/webrtc/modules/video_coding/rtt_filter.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to the camera system service that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'js/src/jsgc.cpp' that is triggered as certain input is not properly validated when handling zone groups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'netwerk/streamconv/converters/nsMultiMixedConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'netwerk/cache/nsDiskCacheDeviceSQL.cpp' that is triggered when handling cache eviction. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free condition exists that is triggered when handling NPAPI plugin references. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/base/nsDocument.cpp' that is triggered when handling frame request callbacks rescheduling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'js::array_sort()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'cairo_cff_font_write_cid_fontdict()' function in 'cairo-cff-subset.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when using addRange to add the range to an incorrect root object. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'FontFaceSet' class in 'layout/style/FontFaceSet.cpp' that is triggered when handling events for FontFace objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the JavaScript Garbage Collection mechanism that is triggered during incremental sweeping on memory cleanups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/bindings/ErrorResult.h' that is triggered when handling 'ErrorResult' references. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling ranges in selections with one node inside and one node outside of a native anonymous tree. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An out-of-bounds read flaw exists that is triggered when handling SVG filter color value operations. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
 - A flaw exists in the 'HTMLTrackElement::LoadResource()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered as CORS headers are not checked when loading video captions. This may allow a context-dependent attacker to disclose video captions.
 - A path truncation flaw exist in the 'NS_main()' function in 'toolkit/mozapps/update/updater/updater.cpp' that is triggered when passing callback parameters through the Mozilla Maintenance Service. This may allow a local attacker to delete arbitrary files with elevated privileges.
 - A flaw exists in the 'FilterNodeLightingSoftware::SetAttribute()' function template in 'gfx/2d/FilterNodeSoftware.cpp' that is triggered when handling subnormal surfaceScale values. With a specially crafted SVG filter, a context-dependent attacker can perform a side-channel attack, potentially resulting in disclosure of history information or text values across domains.
 - An out-of-bounds access flaw exists that is triggered when handling bidirectional layout operations. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.
 - A flaw exists in the 'Location' class in 'dom/base/Location.cpp' that is triggered when using a Blob URL. This may allow a context-dependent attacker to spoof the address bar.
 - A flaw exists in the 'HTMLInputElement' class in 'dom/html/HTMLInputElement.cpp' that is triggered when handling the local default directory for a file picker dialog. This may allow a context-dependent attacker to disclose information e.g. about the operating system or the local account name.

ID	Name	Product	Family	Severity
97832	SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2017:0732-1)	Nessus	SuSE Local Security Checks	critical
97825	SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2017:0714-1)	Nessus	SuSE Local Security Checks	critical
97639	Mozilla Firefox < 52.0 Multiple Vulnerabilities	Nessus	Windows	high
97638	Mozilla Firefox ESR < 45.8 Multiple Vulnerabilities	Nessus	Windows	high
97592	FreeBSD : mozilla -- multiple vulnerabilities (96eca031-1313-4daf-9be2-9d6e1c4f1eb5)	Nessus	FreeBSD Local Security Checks	critical
9987	Mozilla Firefox ESR < 45.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
9986	Mozilla Firefox < 52 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical

CVE-2017-5409

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins