When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the addressbar. This can be used for spoofing the domain of the current page. This vulnerability affects Firefox < 54.

The remote NewStart CGSL host, running version MAIN 4.05, has firefox packages installed that are affected by multiple vulnerabilities:

  - A buffer overflow can occur when rendering canvas     content while adjusting the height and width of the     canvas element dynamically, causing data to be written     outside of the currently computed boundaries. This     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60, Thunderbird <     52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and     Firefox < 61. (CVE-2018-12359)

  - A use-after-free vulnerability can occur when deleting     an input element during a mutation event handler     triggered by focusing that element. This results in a     potentially exploitable crash. This vulnerability     affects Thunderbird < 60, Thunderbird < 52.9, Firefox     ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12360)

  - An integer overflow can occur during graphics operations     done by the Supplemental Streaming SIMD Extensions 3     (SSSE3) scaler, resulting in a potentially exploitable     crash. This vulnerability affects Thunderbird < 60,     Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR <     52.9, and Firefox < 61. (CVE-2018-12362)

  - A use-after-free vulnerability can occur when script     uses mutation events to move DOM nodes between     documents, resulting in the old document that held the     node being freed but the node still having a pointer     referencing it. This results in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 60, Thunderbird < 52.9, Firefox ESR <     60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12363)

  - NPAPI plugins, such as Adobe Flash, can send non-simple     cross-origin requests, bypassing CORS by making a same-     origin POST that does a 307 redirect to the target site.
    This allows for a malicious site to engage in cross-site     request forgery (CSRF) attacks. This vulnerability     affects Thunderbird < 60, Thunderbird < 52.9, Firefox     ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12364)

  - A compromised IPC child process can escape the content     sandbox and list the names of arbitrary files on the     file system without user consent or interaction. This     could result in exposure of private local files. This     vulnerability affects Thunderbird < 60, Thunderbird <     52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and     Firefox < 61. (CVE-2018-12365)

  - An invalid grid size during QCMS (color profile)     transformations can result in the out-of-bounds read     interpreted as a float value. This could leak private     data into the output. This vulnerability affects     Thunderbird < 60, Thunderbird < 52.9, Firefox ESR <     60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12366)

  - A vulnerability can occur when capturing a media stream     when the media source type is changed as the capture is     occurring. This can result in stream data being cast to     the wrong type causing a potentially exploitable crash.
    This vulnerability affects Thunderbird < 60, Firefox ESR     < 60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-5156)

  - Memory safety bugs present in Firefox 60, Firefox ESR     60, and Firefox ESR 52.8. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. This vulnerability affects     Thunderbird < 60, Thunderbird < 52.9, Firefox ESR <     60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-5188)

  - A precision error in Skia in Google Chrome prior to     67.0.3396.62 allowed a remote attacker to perform an out     of bounds memory write via a crafted HTML page.
    (CVE-2018-6126)

  - When entered directly, Reader Mode did not strip the     username and password section of URLs displayed in the     addressbar. This can be used for spoofing the domain of     the current page. This vulnerability affects Firefox <     54. (CVE-2017-7762)

  - Memory safety bugs present in Firefox 61 and Firefox ESR     60.1. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort that     some of these could be exploited to run arbitrary code.
    This vulnerability affects Firefox < 62, Firefox ESR <     60.2, and Thunderbird < 60.2.1. (CVE-2018-12376)

  - A use-after-free vulnerability can occur when refresh     driver timers are refreshed in some circumstances during     shutdown when the timer is deleted while still in use.
    This results in a potentially exploitable crash. This     vulnerability affects Firefox < 62, Firefox ESR < 60.2,     and Thunderbird < 60.2.1. (CVE-2018-12377)

  - A use-after-free vulnerability can occur when an     IndexedDB index is deleted while still in use by     JavaScript code that is providing payload values to be     stored. This results in a potentially exploitable crash.
    This vulnerability affects Firefox < 62, Firefox ESR <     60.2, and Thunderbird < 60.2.1. (CVE-2018-12378)

  - When the Mozilla Updater opens a MAR format file which     contains a very long item filename, an out-of-bounds     write can be triggered, leading to a potentially     exploitable crash. This requires running the Mozilla     Updater manually on the local system with the malicious     MAR file in order to occur. This vulnerability affects     Firefox < 62, Firefox ESR < 60.2, and Thunderbird <     60.2.1. (CVE-2018-12379)

  - If a user saved passwords before Firefox 58 and then     later set a master password, an unencrypted copy of     these passwords is still accessible. This is because the     older stored password file was not deleted when the data     was copied to a new format starting in Firefox 58. The     new master password is added only on the new file. This     could allow the exposure of stored password data outside     of user expectations. This vulnerability affects Firefox     < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
    (CVE-2018-12383)

  - A vulnerability in register allocation in JavaScript can     lead to type confusion, allowing for an arbitrary read     and write. This leads to remote code execution inside     the sandboxed content process when triggered. This     vulnerability affects Firefox ESR < 60.2.2 and Firefox <     62.0.3. (CVE-2018-12386)

  - A vulnerability where the JavaScript JIT compiler     inlines Array.prototype.push with multiple arguments     that results in the stack pointer being off by 8 bytes     after a bailout. This leaks a memory address to the     calling function which can be used as part of an exploit     inside the sandboxed content process. This vulnerability     affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
    (CVE-2018-12387)

  - Firefox proxy settings can be bypassed by using the     automount feature with autofs to create a mount point on     the local file system. Content can be loaded from this     mounted file system directly using a `file:` URI,     bypassing configured proxy settings. This issue only     affects OS X in default configuration; on Linux systems,     autofs must also be installed for the vulnerability to     occur. (CVE-2017-16541)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox ESR 60.2. Some of these     bugs showed evidence of memory corruption and we presume     that with enough effort that some of these could be     exploited to run arbitrary code. This vulnerability     affects Firefox ESR < 60.3 and Thunderbird < 60.3.
    (CVE-2018-12389)

  - When manipulating user events in nested loops while     opening a document through script, it is possible to     trigger a potentially exploitable crash due to poor     event handling. This vulnerability affects Firefox < 63,     Firefox ESR < 60.3, and Thunderbird < 60.3.
    (CVE-2018-12392)

  - By rewriting the Host: request headers using the     webRequest API, a WebExtension can bypass domain     restrictions through domain fronting. This would allow     access to domains that share a host that are otherwise     restricted. This vulnerability affects Firefox ESR <     60.3 and Firefox < 63. (CVE-2018-12395)

  - A vulnerability where a WebExtension can run content     scripts in disallowed contexts following navigation or     other events. This allows for potential privilege     escalation by the WebExtension on sites where content     scripts should not be run. This vulnerability affects     Firefox ESR < 60.3 and Firefox < 63. (CVE-2018-12396)

  - A WebExtension can request access to local files without     the warning prompt stating that the extension will     Access your data for all websites being displayed to     the user. This allows extensions to run content scripts     in local pages without permission warnings when a local     file is opened. This vulnerability affects Firefox ESR <     60.3 and Firefox < 63. (CVE-2018-12397)

  - A potentially exploitable crash in TransportSecurityInfo     used for SSL can be triggered by data stored in the     local cache in the user profile directory. This issue is     only exploitable in combination with another     vulnerability allowing an attacker to write data into     the local cache or from locally installed malware. This     issue also triggers a non-exploitable startup crash for     users switching between the Nightly and Release versions     of Firefox if the same profile is used. This     vulnerability affects Thunderbird < 60.2.1, Firefox ESR     < 60.2.1, and Firefox < 62.0.2. (CVE-2018-12385)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 62 and Firefox ESR 60.2.
    Some of these bugs showed evidence of memory corruption     and we presume that with enough effort that some of     these could be exploited to run arbitrary code. This     vulnerability affects Firefox < 63, Firefox ESR < 60.3,     and Thunderbird < 60.3. (CVE-2018-12390)

  - A potential vulnerability was found in 32-bit builds     where an integer overflow during the conversion of     scripts to an internal UTF-16 representation could     result in allocating a buffer too small for the     conversion. This leads to a possible out-of-bounds     write. *Note: 64-bit builds are not vulnerable to this     issue.*. This vulnerability affects Firefox < 63,     Firefox ESR < 60.3, and Thunderbird < 60.3.
    (CVE-2018-12393)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has firefox packages installed that are affected by multiple vulnerabilities:

  - A buffer overflow can occur when rendering canvas     content while adjusting the height and width of the     canvas element dynamically, causing data to be written     outside of the currently computed boundaries. This     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60, Thunderbird <     52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and     Firefox < 61. (CVE-2018-12359)

  - A use-after-free vulnerability can occur when deleting     an input element during a mutation event handler     triggered by focusing that element. This results in a     potentially exploitable crash. This vulnerability     affects Thunderbird < 60, Thunderbird < 52.9, Firefox     ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12360)

  - An integer overflow can occur during graphics operations     done by the Supplemental Streaming SIMD Extensions 3     (SSSE3) scaler, resulting in a potentially exploitable     crash. This vulnerability affects Thunderbird < 60,     Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR <     52.9, and Firefox < 61. (CVE-2018-12362)

  - A use-after-free vulnerability can occur when script     uses mutation events to move DOM nodes between     documents, resulting in the old document that held the     node being freed but the node still having a pointer     referencing it. This results in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 60, Thunderbird < 52.9, Firefox ESR <     60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12363)

  - NPAPI plugins, such as Adobe Flash, can send non-simple     cross-origin requests, bypassing CORS by making a same-     origin POST that does a 307 redirect to the target site.
    This allows for a malicious site to engage in cross-site     request forgery (CSRF) attacks. This vulnerability     affects Thunderbird < 60, Thunderbird < 52.9, Firefox     ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12364)

  - A compromised IPC child process can escape the content     sandbox and list the names of arbitrary files on the     file system without user consent or interaction. This     could result in exposure of private local files. This     vulnerability affects Thunderbird < 60, Thunderbird <     52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and     Firefox < 61. (CVE-2018-12365)

  - An invalid grid size during QCMS (color profile)     transformations can result in the out-of-bounds read     interpreted as a float value. This could leak private     data into the output. This vulnerability affects     Thunderbird < 60, Thunderbird < 52.9, Firefox ESR <     60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-12366)

  - A vulnerability can occur when capturing a media stream     when the media source type is changed as the capture is     occurring. This can result in stream data being cast to     the wrong type causing a potentially exploitable crash.
    This vulnerability affects Thunderbird < 60, Firefox ESR     < 60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-5156)

  - Memory safety bugs present in Firefox 60, Firefox ESR     60, and Firefox ESR 52.8. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. This vulnerability affects     Thunderbird < 60, Thunderbird < 52.9, Firefox ESR <     60.1, Firefox ESR < 52.9, and Firefox < 61.
    (CVE-2018-5188)

  - A precision error in Skia in Google Chrome prior to     67.0.3396.62 allowed a remote attacker to perform an out     of bounds memory write via a crafted HTML page.
    (CVE-2018-6126)

  - A use-after-free vulnerability can occur while     enumerating attributes during SVG animations with clip     paths. This results in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 52.8,     Thunderbird ESR < 52.8, Firefox < 60, and Firefox ESR <     52.8. (CVE-2018-5154)

  - A use-after-free vulnerability can occur while adjusting     layout during SVG animations with text paths. This     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 52.8, Thunderbird     ESR < 52.8, Firefox < 60, and Firefox ESR < 52.8.
    (CVE-2018-5155)

  - Same-origin protections for the PDF viewer can be     bypassed, allowing a malicious site to intercept     messages meant for the viewer. This could allow the site     to retrieve PDF files restricted to viewing by an     authenticated user on a third-party website. This     vulnerability affects Firefox ESR < 52.8 and Firefox <     60. (CVE-2018-5157)

  - The PDF viewer does not sufficiently sanitize PostScript     calculator functions, allowing malicious JavaScript to     be injected through a crafted PDF file. This JavaScript     can then be run with the permissions of the PDF viewer     by its worker. This vulnerability affects Firefox ESR <     52.8 and Firefox < 60. (CVE-2018-5158)

  - An integer overflow can occur in the Skia library due to     32-bit integer use in an array without integer overflow     checks, resulting in possible out-of-bounds writes. This     could lead to a potentially exploitable crash     triggerable by web content. This vulnerability affects     Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox <     60, and Firefox ESR < 52.8. (CVE-2018-5159)

  - A buffer overflow was found during UTF8 to Unicode     string conversion within JavaScript with extremely large     amounts of data. This vulnerability requires the use of     a malicious or vulnerable legacy extension in order to     occur. This vulnerability affects Thunderbird ESR <     52.8, Thunderbird < 52.8, and Firefox ESR < 52.8.
    (CVE-2018-5178)

  - Mozilla developers backported selected changes in the     Skia library. These changes correct memory corruption     issues including invalid buffer reads and writes during     graphic operations. This vulnerability affects     Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox     ESR < 52.8. (CVE-2018-5183)

  - A use-after-free vulnerability can occur in the     compositor during certain graphics operations when a raw     pointer is used instead of a reference counted one. This     results in a potentially exploitable crash. This     vulnerability affects Firefox ESR < 52.7.3 and Firefox <     59.0.2. (CVE-2018-5148)

  - When entered directly, Reader Mode did not strip the     username and password section of URLs displayed in the     addressbar. This can be used for spoofing the domain of     the current page. This vulnerability affects Firefox <     54. (CVE-2017-7762)

  - Memory safety bugs present in Firefox 61 and Firefox ESR     60.1. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort that     some of these could be exploited to run arbitrary code.
    This vulnerability affects Firefox < 62, Firefox ESR <     60.2, and Thunderbird < 60.2.1. (CVE-2018-12376)

  - A use-after-free vulnerability can occur when refresh     driver timers are refreshed in some circumstances during     shutdown when the timer is deleted while still in use.
    This results in a potentially exploitable crash. This     vulnerability affects Firefox < 62, Firefox ESR < 60.2,     and Thunderbird < 60.2.1. (CVE-2018-12377)

  - A use-after-free vulnerability can occur when an     IndexedDB index is deleted while still in use by     JavaScript code that is providing payload values to be     stored. This results in a potentially exploitable crash.
    This vulnerability affects Firefox < 62, Firefox ESR <     60.2, and Thunderbird < 60.2.1. (CVE-2018-12378)

  - When the Mozilla Updater opens a MAR format file which     contains a very long item filename, an out-of-bounds     write can be triggered, leading to a potentially     exploitable crash. This requires running the Mozilla     Updater manually on the local system with the malicious     MAR file in order to occur. This vulnerability affects     Firefox < 62, Firefox ESR < 60.2, and Thunderbird <     60.2.1. (CVE-2018-12379)

  - If a user saved passwords before Firefox 58 and then     later set a master password, an unencrypted copy of     these passwords is still accessible. This is because the     older stored password file was not deleted when the data     was copied to a new format starting in Firefox 58. The     new master password is added only on the new file. This     could allow the exposure of stored password data outside     of user expectations. This vulnerability affects Firefox     < 62, Firefox ESR < 60.2.1, and Thunderbird < 60.2.1.
    (CVE-2018-12383)

  - A vulnerability in register allocation in JavaScript can     lead to type confusion, allowing for an arbitrary read     and write. This leads to remote code execution inside     the sandboxed content process when triggered. This     vulnerability affects Firefox ESR < 60.2.2 and Firefox <     62.0.3. (CVE-2018-12386)

  - A vulnerability where the JavaScript JIT compiler     inlines Array.prototype.push with multiple arguments     that results in the stack pointer being off by 8 bytes     after a bailout. This leaks a memory address to the     calling function which can be used as part of an exploit     inside the sandboxed content process. This vulnerability     affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
    (CVE-2018-12387)

  - Firefox proxy settings can be bypassed by using the     automount feature with autofs to create a mount point on     the local file system. Content can be loaded from this     mounted file system directly using a `file:` URI,     bypassing configured proxy settings. This issue only     affects OS X in default configuration; on Linux systems,     autofs must also be installed for the vulnerability to     occur. (CVE-2017-16541)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox ESR 60.2. Some of these     bugs showed evidence of memory corruption and we presume     that with enough effort that some of these could be     exploited to run arbitrary code. This vulnerability     affects Firefox ESR < 60.3 and Thunderbird < 60.3.
    (CVE-2018-12389)

  - When manipulating user events in nested loops while     opening a document through script, it is possible to     trigger a potentially exploitable crash due to poor     event handling. This vulnerability affects Firefox < 63,     Firefox ESR < 60.3, and Thunderbird < 60.3.
    (CVE-2018-12392)

  - By rewriting the Host: request headers using the     webRequest API, a WebExtension can bypass domain     restrictions through domain fronting. This would allow     access to domains that share a host that are otherwise     restricted. This vulnerability affects Firefox ESR <     60.3 and Firefox < 63. (CVE-2018-12395)

  - A vulnerability where a WebExtension can run content     scripts in disallowed contexts following navigation or     other events. This allows for potential privilege     escalation by the WebExtension on sites where content     scripts should not be run. This vulnerability affects     Firefox ESR < 60.3 and Firefox < 63. (CVE-2018-12396)

  - A WebExtension can request access to local files without     the warning prompt stating that the extension will     Access your data for all websites being displayed to     the user. This allows extensions to run content scripts     in local pages without permission warnings when a local     file is opened. This vulnerability affects Firefox ESR <     60.3 and Firefox < 63. (CVE-2018-12397)

  - A potentially exploitable crash in TransportSecurityInfo     used for SSL can be triggered by data stored in the     local cache in the user profile directory. This issue is     only exploitable in combination with another     vulnerability allowing an attacker to write data into     the local cache or from locally installed malware. This     issue also triggers a non-exploitable startup crash for     users switching between the Nightly and Release versions     of Firefox if the same profile is used. This     vulnerability affects Thunderbird < 60.2.1, Firefox ESR     < 60.2.1, and Firefox < 62.0.2. (CVE-2018-12385)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 62 and Firefox ESR 60.2.
    Some of these bugs showed evidence of memory corruption     and we presume that with enough effort that some of     these could be exploited to run arbitrary code. This     vulnerability affects Firefox < 63, Firefox ESR < 60.3,     and Thunderbird < 60.3. (CVE-2018-12390)

  - A potential vulnerability was found in 32-bit builds     where an integer overflow during the conversion of     scripts to an internal UTF-16 representation could     result in allocating a buffer too small for the     conversion. This leads to a possible out-of-bounds     write. *Note: 64-bit builds are not vulnerable to this     issue.*. This vulnerability affects Firefox < 63,     Firefox ESR < 60.3, and Thunderbird < 60.3.
    (CVE-2018-12393)

  - Memory safety bugs were reported in Firefox 59, Firefox     ESR 52.7, and Thunderbird 52.7. Some of these bugs     showed evidence of memory corruption and we presume that     with enough effort that some of these could be exploited     to run arbitrary code. This vulnerability affects     Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox <     60, and Firefox ESR < 52.8. (CVE-2018-5150)

  - Sites can bypass security checks on permissions to     install lightweight themes by manipulating the baseURI     property of the theme element. This could allow a     malicious site to install a theme without user     interaction which could contain offensive or     embarrassing images. This vulnerability affects     Thunderbird < 52.8, Thunderbird ESR < 52.8, Firefox <     60, and Firefox ESR < 52.8. (CVE-2018-5168)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.1.0 ESR.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)

* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)

* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)

* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.1.0 ESR.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)

* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)

* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)

* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.

This update upgrades Firefox to version 60.1.0 ESR.

Many older firefox extensions must be updated to work with this new release.

Security Fix(es) :

  - Mozilla: Memory safety bugs fixed in Firefox 61, Firefox     ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)

  - Mozilla: Buffer overflow using computed size of canvas     element (CVE-2018-12359)

  - Mozilla: Use-after-free using focus() (CVE-2018-12360)

  - Mozilla: Media recorder segmentation fault when track     type is changed during capture (CVE-2018-5156)

  - Skia: Heap buffer overflow rasterizing paths in SVG     (CVE-2018-6126)

  - Mozilla: Integer overflow in SSSE3 scaler     (CVE-2018-12362)

  - Mozilla: Use-after-free when appending DOM nodes     (CVE-2018-12363)

  - Mozilla: CSRF attacks through 307 redirects and NPAPI     plugins (CVE-2018-12364)

  - Mozilla: address bar username and password spoofing in     reader mode (CVE-2017-7762)

  - Mozilla: Compromised IPC child process can list local     filenames (CVE-2018-12365)

  - Mozilla: Invalid data handling during QCMS     transformations (CVE-2018-12366)

From Red Hat Security Advisory 2018:2113 :

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Firefox is an open source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.1.0 ESR.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)

* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)

* Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)

* Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Marcia Knous, Ronald Crane, Nils, F. Alonso (revskills), David Black, and OSS-Fuzz as the original reporters.

The remote Redhat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2018:2112 advisory.

  - Mozilla: address bar username and password spoofing in reader mode (CVE-2017-7762)

  - Mozilla: Media recorder segmentation fault when track type is changed during capture (CVE-2018-5156)

  - Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 (CVE-2018-5188)

  - Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

  - Mozilla: Buffer overflow using computed size of canvas element (CVE-2018-12359)

  - Mozilla: Use-after-free using focus() (CVE-2018-12360)

  - Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

  - Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

  - Mozilla: CSRF attacks through 307 redirects and NPAPI plugins (CVE-2018-12364)

  - Mozilla: Compromised IPC child process can list local filenames (CVE-2018-12365)

  - Mozilla: Invalid data handling during QCMS transformations (CVE-2018-12366)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, spoof the addressbar contents, or execute arbitrary code. (CVE-2017-5470, CVE-2017-5471, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7762, CVE-2017-7764)

Multiple security issues were discovered in the Graphite 2 library used by Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, or execute arbitrary code. (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote Windows host is prior to 54. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist that allow an     unauthenticated, remote attacker to execute arbitrary     code by convincing a user to visit a specially crafted     website. (CVE-2017-5470, CVE-2017-5471)

  - A use-after-free error exists in the EndUpdate()     function in nsCSSFrameConstructor.cpp that is triggered     when reconstructing trees during regeneration of CSS     layouts. An unauthenticated, remote attacker can exploit     this, by convincing a user to visit a specially crafted     website, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-5472)

  - A use-after-free error exists in the Reload() function     in nsDocShell.cpp that is triggered when using an     incorrect URL during the reload of a docshell. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-7749)

  - A use-after-free error exists in the Hide() function in     nsDocumentViewer.cpp that is triggered when handling     track elements. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     the execution of arbitrary code. (CVE-2017-7750)

  - A use-after-free error exists in the nsDocumentViewer     class in nsDocumentViewer.cpp that is triggered when     handling content viewer listeners. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2017-7751)

  - A use-after-free error exists that is triggered when     handling events while specific user interaction occurs     with the input method editor (IME). An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2017-7752)

  - An out-of-bounds read error exists in the IsComplete()     function in WebGLTexture.cpp that is triggered when     handling textures. An unauthenticated, remote attacker     can exploit this to disclose memory contents.
    (CVE-2017-7754)

  - A privilege escalation vulnerability exists due to     improper loading of dynamic-link library (DLL) files. A     local attacker can exploit this, via a specially crafted     DLL file in the installation path, to inject and execute     arbitrary code. (CVE-2017-7755)

  - A use-after-free error exists in the SetRequestHead()     function in XMLHttpRequestMainThread.cpp that is     triggered when logging XML HTTP Requests (XHR). An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-7756)

  - A use-after-free error exists in ActorsParent.cpp due to     improper handling of objects in memory. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-7757)

  - An out-of-bounds read error exists in the     AppendAudioSegment() function in TrackEncoder.cpp that     is triggered when the number of channels in an audio     stream changes while the Opus encoder is in use. An     unauthenticated, remote attacker can exploit this to     disclose sensitive information. (CVE-2017-7758)

  - A flaw exists in the NS_main() function in updater.cpp     due to improper validation of input when handling     callback file path parameters. A local attacker can     exploit this to manipulate files in the installation     directory. (CVE-2017-7760)

  - A flaw exists in the Maintenance Service helper.exe     application that is triggered as permissions for a     temporary directory are set to writable by     non-privileged users. A local attacker can exploit this     to delete arbitrary files on the system. (CVE-2017-7761)

  - A flaw exists that is triggered when displaying URLs     including authentication sections in reader mode. An     unauthenticated, remote attacker can exploit this, via a     specially crafted URL, to spoof domains in the address     bar. (CVE-2017-7762)

  - A flaw exists in the isLabelSafe() function in     nsIDNService.cpp that is triggered when handling     characters from different unicode blocks. An     unauthenticated, remote attacker can exploit this, via a     specially crafted IDN domain, to spoof a valid URL and     conduct phishing attacks. (CVE-2017-7764)

  - A flaw exists that is triggered due to improper parsing     of long filenames when handling downloaded files. An     unauthenticated, remote attacker can exploit this to     cause a file to be downloaded without the     'mark-of-the-web' applied, resulting in security     warnings for executables not being displayed.
    (CVE-2017-7765)

  - A flaw exists in the Mozilla Maintenance Service that is     triggered when handling paths for the 'patch',     'install', and 'working' directories. A local attacker     can exploit this to execute arbitrary code with elevated     privileges. (CVE-2017-7766)

  - A flaw exists in the Mozilla Maintenance Service that is     triggered when being invoked using the Mozilla Windows     Updater. A local attacker can exploit this to overwrite     arbitrary files with random data. (CVE-2017-7767)

  - A flaw exists in the IsStatusApplying() function in     workmonitor.cpp that is triggered when logging the     update status. A local attacker can exploit this to read     32 bytes of arbitrary files. (CVE-2017-7768)

  - Multiple integer overflow conditions exist in the     Graphite component in the decompress() function in     Decompressor.cpp due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2017-7772,     CVE-2017-7778)

  - An out-of-bounds read error exists in the Graphite     component in the readGraphite() function in Silf.cpp. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose memory     contents. (CVE-2017-7774)

  - An out-of-bounds read error exists in the Graphite     component in getClassGlyph() function in Silf.cpp due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2017-7776)

  - A flaw exists in the Graphite component in the     read_glyph() function in GlyphCache.cpp related to use     of uninitialized memory. An unauthenticated, remote     attacker can exploit this to have an unspecified impact.
    (CVE-2017-7777)

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 54. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist that allow an     unauthenticated, remote attacker to execute arbitrary     code by convincing a user to visit a specially crafted     website. (CVE-2017-5470, CVE-2017-5471)

  - A use-after-free error exists in the EndUpdate()     function in nsCSSFrameConstructor.cpp that is triggered     when reconstructing trees during regeneration of CSS     layouts. An unauthenticated, remote attacker can exploit     this, by convincing a user to visit a specially crafted     website, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-5472)

  - A use-after-free error exists in the Reload() function     in nsDocShell.cpp that is triggered when using an     incorrect URL during the reload of a docshell. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-7749)

  - A use-after-free error exists in the Hide() function in     nsDocumentViewer.cpp that is triggered when handling     track elements. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     the execution of arbitrary code. (CVE-2017-7750)

  - A use-after-free error exists in the nsDocumentViewer     class in nsDocumentViewer.cpp that is triggered when     handling content viewer listeners. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2017-7751)

  - A use-after-free error exists that is triggered when     handling events while specific user interaction occurs     with the input method editor (IME). An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2017-7752)

  - An out-of-bounds read error exists in the IsComplete()     function in WebGLTexture.cpp that is triggered when     handling textures. An unauthenticated, remote attacker     can exploit this to disclose memory contents.
    (CVE-2017-7754)

  - A privilege escalation vulnerability exists due to     improper loading of dynamic-link library (DLL) files. A     local attacker can exploit this, via a specially crafted     DLL file in the installation path, to inject and execute     arbitrary code. (CVE-2017-7755)

  - A use-after-free error exists in the SetRequestHead()     function in XMLHttpRequestMainThread.cpp that is     triggered when logging XML HTTP Requests (XHR). An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-7756)

  - A use-after-free error exists in ActorsParent.cpp due to     improper handling of objects in memory. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-7757)

  - An out-of-bounds read error exists in the     AppendAudioSegment() function in TrackEncoder.cpp that     is triggered when the number of channels in an audio     stream changes while the Opus encoder is in use. An     unauthenticated, remote attacker can exploit this to     disclose sensitive information. (CVE-2017-7758)

  - A flaw exists in the NS_main() function in updater.cpp     due to improper validation of input when handling     callback file path parameters. A local attacker can     exploit this to manipulate files in the installation     directory. (CVE-2017-7760)

  - A flaw exists in the Maintenance Service helper.exe     application that is triggered as permissions for a     temporary directory are set to writable by     non-privileged users. A local attacker can exploit this     to delete arbitrary files on the system. (CVE-2017-7761)

  - A flaw exists that is triggered when displaying URLs     including authentication sections in reader mode. An     unauthenticated, remote attacker can exploit this, via a     specially crafted URL, to spoof domains in the address     bar. (CVE-2017-7762)

  - A flaw exists in the ReadCMAP() function in     gfxMacPlatformFontList.mm that is triggered when     handling tibetan characters in combination with macOS     fonts. An unauthenticated, remote attacker can exploit     this, via a specially crafted IDN domain, to spoof a     valid URL. (CVE-2017-7763)

  - A flaw exists in the isLabelSafe() function in     nsIDNService.cpp that is triggered when handling     characters from different unicode blocks. An     unauthenticated, remote attacker can exploit this, via a     specially crafted IDN domain, to spoof a valid URL and     conduct phishing attacks. (CVE-2017-7764)

  - Multiple integer overflow conditions exist in the     Graphite component in the decompress() function in     Decompressor.cpp due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2017-7772,     CVE-2017-7778)

  - An out-of-bounds read error exists in the Graphite     component in the readGraphite() function in Silf.cpp. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose memory     contents. (CVE-2017-7774)

  - An out-of-bounds read error exists in the Graphite     component in getClassGlyph() function in Silf.cpp due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2017-7776)

  - A flaw exists in the Graphite component in the     read_glyph() function in GlyphCache.cpp related to use     of uninitialized memory. An unauthenticated, remote     attacker can exploit this to have an unspecified impact.
    (CVE-2017-7777)

Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470, CVE-2017-5471)
 - A use-after-free error exists in the 'EndUpdate()' function in 'nsCSSFrameConstructor.cpp' that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472)
 - A use-after-free error exists in the 'Reload()' function in 'nsDocShell.cpp' that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749)
 - A use-after-free error exists in the 'Hide()' function in 'nsDocumentViewer.cpp' that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750)
 - A use-after-free error exists in the nsDocumentViewer class in 'nsDocumentViewer.cpp' that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751)
 - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752)
 - An out-of-bounds read error exists in the 'IsComplete()' function in 'WebGLTexture.cpp' that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754)
 - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755)
 - A use-after-free error exists in the 'SetRequestHead()' function in 'XMLHttpRequestMainThread.cpp' that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756)
 - A use-after-free error exists in 'ActorsParent.cpp' due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757)
 - An out-of-bounds read error exists in the 'AppendAudioSegment()' function in 'TrackEncoder.cpp' that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758)
 - A flaw exists in the 'NS_main()' function in 'updater.cpp' due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760)
 - A flaw exists in the Maintenance Service 'helper.exe' application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761)
 - A flaw exists that is triggered when displaying URLs including authentication sections in reader mode. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to spoof domains in the address bar. (CVE-2017-7762)
 - A flaw exists in the 'ReadCMAP()' function in 'gfxMacPlatformFontList.mm' that is triggered when handling tibetan characters in combination with macOS fonts. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL. (CVE-2017-7763)
 - A flaw exists in the 'isLabelSafe()' function in 'nsIDNService.cpp' that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764)
 - Multiple integer overflow conditions exist in the Graphite component in the 'decompress()' function in 'Decompressor.cpp' due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7772, CVE-2017-7778)
 - An out-of-bounds read error exists in the Graphite component in the 'readGraphite()' function in 'Silf.cpp'. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2017-7774)
 - An out-of-bounds read error exists in the Graphite component in 'getClassGlyph()' function in 'Silf.cpp' due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7776)
 - An flaw exists in the Graphite component in the 'read_glyph()' function in 'GlyphCache.cpp' related to use of uninitialized memory. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2017-7777)

Mozilla Foundation reports :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
127404	NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0141)	Nessus	NewStart CGSL Local Security Checks	critical
127198	NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2019-0032)	Nessus	NewStart CGSL Local Security Checks	critical
111074	CentOS 6 : firefox (CESA-2018:2112)	Nessus	CentOS Local Security Checks	critical
111013	CentOS 7 : firefox (CESA-2018:2113)	Nessus	CentOS Local Security Checks	critical
110971	Scientific Linux Security Update : firefox on SL6.x i386/x86_64 (20180628)	Nessus	Scientific Linux Local Security Checks	critical
110935	Scientific Linux Security Update : firefox on SL7.x x86_64 (20180628)	Nessus	Scientific Linux Local Security Checks	critical
110917	Oracle Linux 7 : firefox (ELSA-2018-2113)	Nessus	Oracle Linux Local Security Checks	critical
110800	RHEL 7 : firefox (RHSA-2018:2113)	Nessus	Red Hat Local Security Checks	critical
110799	RHEL 6 : firefox (RHSA-2018:2112)	Nessus	Red Hat Local Security Checks	critical
100835	Ubuntu 14.04 LTS / 16.04 LTS : Firefox vulnerabilities (USN-3315-1)	Nessus	Ubuntu Local Security Checks	critical
100810	Mozilla Firefox < 54 Multiple Vulnerabilities	Nessus	Windows	critical
100808	Mozilla Firefox < 54 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	critical
700134	Mozilla Firefox < 54 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
100775	FreeBSD : mozilla -- multiple vulnerabilities (6cec1b0a-da15-467d-8691-1dea392d4c8d)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2017-7762

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

critical