96692

1037966

https://bugzilla.mozilla.org/show_bug.cgi?id=1321719

https://www.mozilla.org/security/advisories/mfsa2017-05/

USN-3216-1 fixed vulnerabilities in Firefox. The update resulted in a startup crash when Firefox is used with XRDP. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang, or execute arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5426, CVE-2017-5427).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for MozillaFirefox and mozilla-nss fixes the following issues :

MozillaFirefox was updated to Firefox 52.0 (boo#1028391)

  - requires NSS >= 3.28.3

  - Pages containing insecure password fields now display a     warning directly within username and password fields.

  - Send and open a tab from one device to another with Sync

  - Removed NPAPI support for plugins other than Flash.
    Silverlight, Java, Acrobat and the like are no longer     supported.

  - Removed Battery Status API to reduce fingerprinting of     users by trackers

  - MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of     ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory     Corruption when handling ErrorResult (bmo#1328861)     CVE-2017-5402: Use-after-free working with events in     FontFace objects (bmo#1334876) CVE-2017-5403:
    Use-after-free using addRange to add range to an     incorrect root object (bmo#1340186) CVE-2017-5404:
    Use-after-free working with ranges in selections     (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia     with canvas operations (bmo#1306890) CVE-2017-5407:
    Pixel and history stealing via floating-point timing     side channel with SVG filters (bmo#1336622)     CVE-2017-5410: Memory corruption during JavaScript     garbage collection incremental sweeping (bmo#1330687)     CVE-2017-5408: Cross-origin reading of video captions in     violation of CORS (bmo#1313711) CVE-2017-5412: Buffer     overflow read in SVG filters (bmo#1328323)     CVE-2017-5413: Segmentation fault during bidirectional     operations (bmo#1337504) CVE-2017-5414: File picker can     choose incorrect default directory (bmo#1319370)     CVE-2017-5415: Addressbar spoofing through blob URL     (bmo#1321719) CVE-2017-5416: Null dereference crash in     HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar     spoofing by draging and dropping URLs (bmo#791597)     CVE-2017-5426: Gecko Media Plugin sandbox is not started     if seccomp-bpf filter is running (bmo#1257361)     CVE-2017-5427: Non-existent chrome.manifest file loaded     during startup (bmo#1295542) CVE-2017-5418: Out of     bounds read when parsing HTTP digest authorization     responses (bmo#1338876) CVE-2017-5419: Repeated     authentication prompts lead to DOS attack (bmo#1312243)     CVE-2017-5420: Javascript: URLs can obfuscate addressbar     location (bmo#1284395) CVE-2017-5405: FTP response codes     can cause use of uninitialized values for ports     (bmo#1336699) CVE-2017-5421: Print preview spoofing     (bmo#1301876) CVE-2017-5422: DOS attack by using     view-source: protocol repeatedly in one hyperlink     (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in     Firefox 52 CVE-2017-5398: Memory safety bugs fixed in     Firefox 52 and Firefox ESR 45.8

mozilla-nss was updated to NSS 3.28.3

  - This is a patch release to fix binary compatibility     issues. NSS version 3.28, 3.28.1 and 3.28.2 contained     changes that were in violation with the NSS     compatibility promise. ECParams, which is part of the     public API of the freebl/softokn parts of NSS, had been     changed to include an additional attribute. That size     increase caused crashes or malfunctioning with     applications that use that data structure directly, or     indirectly through ECPublicKey, ECPrivateKey,     NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially     other data structures that reference ECParams. The     change has been reverted to the original state in bug     bmo#1334108. SECKEYECPublicKey had been extended with a     new attribute, named 'encoding'. If an application     passed type SECKEYECPublicKey to NSS (as part of     SECKEYPublicKey), the NSS library read the uninitialized     attribute. With this NSS release     SECKEYECPublicKey.encoding is deprecated. NSS no longer     reads the attribute, and will always set it to     ECPoint_Undefined. See bug bmo#1340103.

  - requires NSPR >= 4.13.1

  - update to NSS 3.28.2 This is a stability and     compatibility release. Below is a summary of the     changes.

  - Fixed a NSS 3.28 regression in the signature scheme     flexibility that causes connectivity issues between iOS     8 clients and NSS servers with ECDSA certificates     (bmo#1334114)

  - Fixed a possible crash on some Windows systems     (bmo#1323150)

  - Fixed a compatibility issue with TLS clients that do not     provide a list of supported key exchange groups     (bmo#1330612)

The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - Mozilla developers and community members Carsten Book,     Calixte Denizet, Christian Holler, Andrew McCreight,     David Bolter, David Keeler, Jon Coppeard, Tyson Smith,     Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed     Davis, Julian Seward, Julian Hector, Philipp, Markus     Stange, and Andre Bargull reported memory safety bugs     present in Firefox 51. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2017-5399)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - When adding a range to an object in the DOM, it is     possible to use addRange to add the range to an     incorrect root object. This triggers a use-after-free,     resulting in a potentially exploitable crash.
    (CVE-2017-5403)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - A segmentation fault can occur in the Skia graphics     library during some canvas operations due to issues     with mask/clip intersection and empty masks.
    (CVE-2017-5406)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - The Mozilla Windows updater can be called by a     non-privileged user to delete an arbitrary local file     by passing a special path to the callback parameter     through the Mozilla Maintenance Service, which has     privileged access. Note: This attack requires local     system access and only affects Windows. Other operating     systems are not affected. (CVE-2017-5409)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

  - A use-after-free can occur during buffer storage     operations within the ANGLE graphics library, used for     WebGL content. The buffer storage can be freed while     still in use in some circumstances, leading to a     potentially exploitable crash. Note: This issue is in     libGLES, which is only in use on Windows. Other     operating systems are not affected. (CVE-2017-5411)

  - A buffer overflow read during SVG filter color value     operations, resulting in data exposure. (CVE-2017-5412)

  - A segmentation fault can occur during some     bidirectional layout operations. (CVE-2017-5413)

  - The file picker dialog can choose and display the wrong     local default directory when instantiated. On some     operating systems, this can lead to information     disclosure, such as the operating system or the local     account name. (CVE-2017-5414)

  - An attack can use a blob URL and script to spoof an     arbitrary addressbar URL prefaced by blob: as the     protocol, leading to user confusion and further     spoofing attacks. (CVE-2017-5415)

  - In certain circumstances a networking event listener     can be prematurely released. This appears to result in     a null dereference in practice. (CVE-2017-5416)

  - When dragging content from the primary browser pane to     the addressbar on a malicious site, it is possible to     change the addressbar so that the displayed location     following navigation does not match the URL of the     newly loaded page. This allows for spoofing attacks.
    (CVE-2017-5417)

  - An out of bounds read error occurs when parsing some     HTTP digest authorization responses, resulting in     information leakage through the reading of random     memory containing matches to specifically set patterns.
    (CVE-2017-5418)

  - If a malicious site repeatedly triggers a modal     authentication prompt, eventually the browser UI will     become non-responsive, requiring shutdown through the     operating system. This is a denial of service (DOS)     attack. (CVE-2017-5419)

  - A javascript: url loaded by a malicious page can     obfuscate its location by blanking the URL displayed in     the addressbar, allowing for an attacker to spoof an     existing page without the malicious page's address     being displayed correctly. (CVE-2017-5420)

  - A malicious site could spoof the contents of the print     preview window if popup windows are enabled, resulting     in user confusion of what site is currently loaded.
    (CVE-2017-5421)

  - If a malicious site uses the view-source: protocol in a     series within a single hyperlink, it can trigger a     non-exploitable browser crash when the hyperlink is     selected. This was fixed by no longer making     view-source: linkable. (CVE-2017-5422)

  - A non-existent chrome.manifest file will attempt to be     loaded during startup from the primary installation     directory. If a malicious user with local access puts     chrome.manifest and other referenced files in this     directory, they will be loaded and activated during     startup. This could result in malicious software being     added without consent or modification of referenced     installed files. (CVE-2017-5427)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - Mozilla developers and community members Carsten Book,     Calixte Denizet, Christian Holler, Andrew McCreight,     David Bolter, David Keeler, Jon Coppeard, Tyson Smith,     Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed     Davis, Julian Seward, Julian Hector, Philipp, Markus     Stange, and Andre Bargull reported memory safety bugs     present in Firefox 51. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2017-5399)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - When adding a range to an object in the DOM, it is     possible to use addRange to add the range to an     incorrect root object. This triggers a use-after-free,     resulting in a potentially exploitable crash.
    (CVE-2017-5403)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - A segmentation fault can occur in the Skia graphics     library during some canvas operations due to issues     with mask/clip intersection and empty masks.
    (CVE-2017-5406)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

  - A buffer overflow read during SVG filter color value     operations, resulting in data exposure. (CVE-2017-5412)

  - A segmentation fault can occur during some     bidirectional layout operations. (CVE-2017-5413)

  - The file picker dialog can choose and display the wrong     local default directory when instantiated. On some     operating systems, this can lead to information     disclosure, such as the operating system or the local     account name. (CVE-2017-5414)

  - An attack can use a blob URL and script to spoof an     arbitrary addressbar URL prefaced by blob: as the     protocol, leading to user confusion and further     spoofing attacks. (CVE-2017-5415)

  - In certain circumstances a networking event listener     can be prematurely released. This appears to result in     a null dereference in practice. (CVE-2017-5416)

  - When dragging content from the primary browser pane to     the addressbar on a malicious site, it is possible to     change the addressbar so that the displayed location     following navigation does not match the URL of the     newly loaded page. This allows for spoofing attacks.
    (CVE-2017-5417)

  - An out of bounds read error occurs when parsing some     HTTP digest authorization responses, resulting in     information leakage through the reading of random     memory containing matches to specifically set patterns.
    (CVE-2017-5418)

  - If a malicious site repeatedly triggers a modal     authentication prompt, eventually the browser UI will     become non-responsive, requiring shutdown through the     operating system. This is a denial of service (DOS)     attack. (CVE-2017-5419)

  - A javascript: url loaded by a malicious page can     obfuscate its location by blanking the URL displayed in     the addressbar, allowing for an attacker to spoof an     existing page without the malicious page's address     being displayed correctly. (CVE-2017-5420)

  - A malicious site could spoof the contents of the print     preview window if popup windows are enabled, resulting     in user confusion of what site is currently loaded.
    (CVE-2017-5421)

  - If a malicious site uses the view-source: protocol in a     series within a single hyperlink, it can trigger a     non-exploitable browser crash when the hyperlink is     selected. This was fixed by no longer making     view-source: linkable. (CVE-2017-5422)

  - The Gecko Media Plugin sandbox allows access to local     files that match specific regular expressions. On OS     OX, this matching allows access to some data in     subdirectories of /private/var that could expose     personal or temporary data. This has been updated to     not allow access to /private/var and its     subdirectories. Note: this issue only affects OS X.
    Other operating systems are not affected.
    (CVE-2017-5425)

  - A non-existent chrome.manifest file will attempt to be     loaded during startup from the primary installation     directory. If a malicious user with local access puts     chrome.manifest and other referenced files in this     directory, they will be loaded and activated during     startup. This could result in malicious software being     added without consent or modification of referenced     installed files. (CVE-2017-5427)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang, or execute arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5426, CVE-2017-5427).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Foundation reports :

Please reference CVE/URL list for details

Versions of Mozilla Firefox prior to 52 are unpatched for the following vulnerabilities :

 - A flaw exists that is triggered when using a JIT-spray targeting 'asm.js' in conjunction with a heap spray that may allow a context-dependent attacker to bypass the Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms.
 - A flaw exists in the 'txMozillaXMLOutput::createResultDocument()' function in 'dom/xslt/xslt/txMozillaXMLOutput.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/network/UDPSocketParent.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'js/src/jit/arm/MacroAssembler-arm.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsDocShell::CreateAboutBlankContentViewer()' function in 'docshell/base/nsDocShell.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated when handling SMIL RAII objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated when handling accessibles. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'trace()' function in 'xpcom/base/CycleCollectedJSContext.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An integer underflow condition exists in the 'apply_lookup()' function in 'hb-ot-layout-gsubgpos-private.hh' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
 - A flaw exists in the 'nsWebBrowser::RemoveWebBrowserListener()' function in 'embedding/browser/nsWebBrowser.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/u2f/U2F.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'Element::DescribeAttribute()' function in 'dom/base/Element.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'xpcom/ds/nsSupportsArray.cpp' that is triggered when handling 'nsISupportsArrays'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/workers/ServiceWorkerPrivate.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'layout/printing/nsPrintEngine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'netwerk/cache2/CacheIndex.cpp' that is triggered when handling cache index serialization. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'media/webrtc/trunk/webrtc/modules/video_coding/rtt_filter.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to the camera system service that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'js/src/jsgc.cpp' that is triggered as certain input is not properly validated when handling zone groups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'netwerk/streamconv/converters/nsMultiMixedConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'netwerk/cache/nsDiskCacheDeviceSQL.cpp' that is triggered when handling cache eviction. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free condition exists that is triggered when handling NPAPI plugin references. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/base/nsDocument.cpp' that is triggered when handling frame request callbacks rescheduling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'js::array_sort()' function in 'js/src/jsarray.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'cairo_cff_font_write_cid_fontdict()' function in 'cairo-cff-subset.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when using addRange to add the range to an incorrect root object. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'FontFaceSet' class in 'layout/style/FontFaceSet.cpp' that is triggered when handling events for FontFace objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the JavaScript Garbage Collection mechanism that is triggered during incremental sweeping on memory cleanups. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/bindings/ErrorResult.h' that is triggered when handling 'ErrorResult' references. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling ranges in selections with one node inside and one node outside of a native anonymous tree. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An out-of-bounds read flaw exists that is triggered when handling SVG filter color value operations. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
 - A flaw exists in the 'HTMLTrackElement::LoadResource()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered as CORS headers are not checked when loading video captions. This may allow a context-dependent attacker to disclose video captions.
 - A path truncation flaw exist in the 'NS_main()' function in 'toolkit/mozapps/update/updater/updater.cpp' that is triggered when passing callback parameters through the Mozilla Maintenance Service. This may allow a local attacker to delete arbitrary files with elevated privileges.
 - A flaw exists in the 'FilterNodeLightingSoftware::SetAttribute()' function template in 'gfx/2d/FilterNodeSoftware.cpp' that is triggered when handling subnormal surfaceScale values. With a specially crafted SVG filter, a context-dependent attacker can perform a side-channel attack, potentially resulting in disclosure of history information or text values across domains.
 - An out-of-bounds access flaw exists that is triggered when handling bidirectional layout operations. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor.
 - A flaw exists in the 'Location' class in 'dom/base/Location.cpp' that is triggered when using a Blob URL. This may allow a context-dependent attacker to spoof the address bar.
 - A flaw exists in the 'HTMLInputElement' class in 'dom/html/HTMLInputElement.cpp' that is triggered when handling the local default directory for a file picker dialog. This may allow a context-dependent attacker to disclose information e.g. about the operating system or the local account name.

ID	Name	Product	Family	Severity
99121	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox regression (USN-3216-2)	Nessus	Ubuntu Local Security Checks	critical
97747	openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2017-344)	Nessus	SuSE Local Security Checks	critical
97639	Mozilla Firefox < 52.0 Multiple Vulnerabilities	Nessus	Windows	critical
97637	Mozilla Firefox < 52.0 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	critical
97600	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3216-1)	Nessus	Ubuntu Local Security Checks	critical
97592	FreeBSD : mozilla -- multiple vulnerabilities (96eca031-1313-4daf-9be2-9d6e1c4f1eb5)	Nessus	FreeBSD Local Security Checks	critical
9986	Mozilla Firefox < 52 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical

CVE-2017-5415

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins