104561

1041193

https://bugzilla.mozilla.org/show_bug.cgi?id=1454909

GLSA-201810-01

USN-3705-1

https://www.mozilla.org/security/advisories/mfsa2018-15/

https://www.mozilla.org/security/advisories/mfsa2018-16/

This security update for MozillaFirefox to version 60.1.0esr fixes multiple issues.

Security issues fixed (MFSA 2018-16, boo#1098998) :

  - CVE-2018-12359: Buffer overflow using computed size of     canvas element

  - CVE-2018-12360: Use-after-free when using focus()

  - CVE-2018-12361: Integer overflow in SwizzleData

  - CVE-2018-12362: Integer overflow in SSSE3 scaler

  - CVE-2018-5156: Media recorder segmentation fault when     track type is changed during capture

  - CVE-2018-12363: Use-after-free when appending DOM nodes

  - CVE-2018-12364: CSRF attacks through 307 redirects and     NPAPI plugins

  - CVE-2018-12365: Compromised IPC child process can list     local filenames

  - CVE-2018-12371: Integer overflow in Skia library during     edge builder allocation

  - CVE-2018-12366: Invalid data handling during QCMS     transformations

  - CVE-2018-12367: Timing attack mitigation of     PerformanceNavigationTiming

  - CVE-2018-12369: WebExtension security permission checks     bypassed by embedded experiments

  - CVE-2018-5187: Memory safety bugs fixed in Firefox 60     and Firefox ESR 60.1

  - CVE-2018-5188: Memory safety bugs fixed in Firefox 60,     Firefox ESR 60.1, and Firefox ESR 52.9

Other issues fixed :

  - various stability and regression fixes

  - do not disable system installed unsigned language packs     (bmo#1464766)

The remote host is affected by the vulnerability described in GLSA-201810-01 (Mozilla Firefox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox. Please       review the referenced CVE identifiers for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page, possibly resulting in the execution of arbitrary code with the       privileges of the process or a Denial of Service condition. Furthermore,       a remote attacker may be able to perform Man-in-the-Middle attacks,       obtain sensitive information, spoof the address bar, conduct clickjacking       attacks, bypass security restrictions and protection mechanisms, or have       other unspecified impact.
  Workaround :

    There is no known workaround at this time.

Versions of Mozilla Firefox ESR earlier than 60.1 are unpatched for the following vulnerabilities :

 - An out-of-bounds read flaw exists in the 'qcms_modular_transform_data()' function in 'chain.c' that is triggered when handling an invalid grid size during QCMS transformations. This may allow a context-dependent attacker to potentially disclose memory contents.
 - A flaw exists in 'dom/performance/PerformanceNavigationTiming.cpp' that is triggered as the Navigation APIs can be used as a precision timer. This may allow a context-dependent attacker to conduct timing attacks.
 - A flaw exists in the 'nsLocalFile::IsExecutable()' function in 'xpcom/io/nsLocalFileWin.cpp', as 'settingcontent-ms' is not recognized as an executable file extension. This may allow a context-dependent attacker to more easily trick a user into opening a malicious file without a warning prompt being presented.
 - A flaw exists in the WebExtension that is triggered as embedded experiments are not properly checked. This may allow a context-dependent attacker to bypass authorization mechanisms.
 - An integer overflow flaw exists that is triggered as uninitialized memory is used when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists in the 'ContentParent::RecvGetFilesRequest()' function in 'dom/ipc/ContentParent.cpp'. Combined with another vulnerability this may allow a context-dependent attacker to bypass the sandbox and enumerate file names.
 - An overflow condition exists in the 'CanvasRenderingContext2D::SetDimensions()' function in 'dom/canvas/CanvasRenderingContext2D.cpp' that is triggered when handling '<canvas>' element dimensions. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists in the 'HTMLInputElement::Focus()' function in 'dom/html/HTMLInputElement.cpp' that is triggered when deleting input elements during a mutation event handler. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An integer overflow condition exists in 'gfx/2d/ssse3-scaler.c' within the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler that is triggered when handling graphics operations. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists that is triggered when capturing a media stream and the media source type is changed. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when using scripts to perform mutations to move DOM nodes between documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists when handling 307 redirects as HTTP requests to NPAPI plugins do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.
 - An unspecified flaw exists in 'netwerk/sctp/datachannel/DataChannel.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An out-of-bounds access flaw exists in 'webrtc/modules/video_coding/rtp_frame_reference_finder.cc' that is triggered as certain input is not properly validated when handling VP9 missing frame processing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A race condition exists in 'js/src/gc/GC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'xpcom/ds/Observer.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'js/src/frontend/BytecodeEmitter.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'GCMarker::markDelayedChildren()' function in 'js/src/gc/Marking.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the 'nsMozIconURI::Deserialize()' function in 'image/decoders/icon/nsIconURI.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered when managing physical audio devices. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'FromIPCSegment()' function in 'netwerk/base/nsStandardURL.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/base/StructuredCloneHolder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the 'JS::Rooted()' function in 'dom/xbl/nsXBLBinding.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/canvas/WebGLContextDraw.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/media/PeerConnection.js' that is triggered when handling ICE connection state changes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'hal/Hal.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

 - Mutliple vulnerabilities in the following may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code:
 - 'netwerk/sctp/datachannel/DataChannel.cpp'
 - 'xpcom/ds/Observer.h'
 - 'js/src/frontend/BytecodeEmitter.cpp'
 - 'nsMozIconURI::Deserialize()'
 - 'dom/base/StructuredCloneHolder.cpp'
 - 'dom/xbl/nsXBLBinding.cpp'
 - 'dom/canvas/WebGLContextDraw.cpp'
 - 'dom/media/PeerConnection.js'
 - 'hal/Hal.cpp'

Versions of Mozilla Firefox earlier than 61 are unpatched for the following vulnerabilities :

 - An out-of-bounds read flaw exists in the 'qcms_modular_transform_data()' function in 'chain.c' that is triggered when handling an invalid grid size during QCMS transformations. This may allow a context-dependent attacker to potentially disclose memory contents.
 - A flaw exists in 'dom/performance/PerformanceNavigationTiming.cpp' that is triggered as the Navigation APIs can be used as a precision timer. This may allow a context-dependent attacker to conduct timing attacks.
 - A flaw exists in the 'nsLocalFile::IsExecutable()' function in 'xpcom/io/nsLocalFileWin.cpp', as 'settingcontent-ms' is not recognized as an executable file extension. This may allow a context-dependent attacker to more easily trick a user into opening a malicious file without a warning prompt being presented.
 - A flaw exists in the WebExtension that is triggered as embedded experiments are not properly checked. This may allow a context-dependent attacker to bypass authorization mechanisms.
 - An integer overflow flaw exists that is triggered as uninitialized memory is used when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists in the 'ContentParent::RecvGetFilesRequest()' function in 'dom/ipc/ContentParent.cpp'. Combined with another vulnerability this may allow a context-dependent attacker to bypass the sandbox and enumerate file names.
 - An overflow condition exists in the 'CanvasRenderingContext2D::SetDimensions()' function in 'dom/canvas/CanvasRenderingContext2D.cpp' that is triggered when handling '<canvas>' element dimensions. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists in the 'HTMLInputElement::Focus()' function in 'dom/html/HTMLInputElement.cpp' that is triggered when deleting input elements during a mutation event handler. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists that is triggered during the handling of a redirection initiated by a service worker. This may allow a context-dependent attacker to bypass the same-origin policy.
 - An integer overflow condition exists in 'gfx/2d/ssse3-scaler.c' within the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler that is triggered when handling graphics operations. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A flaw exists that is triggered when capturing a media stream and the media source type is changed. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when using scripts to perform mutations to move DOM nodes between documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists when handling 307 redirects as HTTP requests to NPAPI plugins do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.
 - A flaw exists in 'toolkit/components/reader/ReaderMode.jsm' that is triggered as SameSite cookie protections are not properly checked when exiting Reader View. This may allow a context-dependent attacker to bypass CSRF protection mechanisms.
 - A use-after-free error exists in the 'Debugger::findZoneEdges()' function in 'js/src/vm/Debugger.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'gfx/vr/ipc/VRManagerChild.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the 'gfxFontUtils::MapCharToGlyphFormat4()' function in 'gfx/thebes/gfxFontUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the 'ExecuteServiceCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'netwerk/sctp/datachannel/DataChannel.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An out-of-bounds access flaw exists in 'webrtc/modules/video_coding/rtp_frame_reference_finder.cc' that is triggered as certain input is not properly validated when handling VP9 missing frame processing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A race condition exists in 'js/src/gc/GC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'xpcom/ds/Observer.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'js/src/frontend/BytecodeEmitter.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'GCMarker::markDelayedChildren()' function in 'js/src/gc/Marking.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the 'nsMozIconURI::Deserialize()' function in 'image/decoders/icon/nsIconURI.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered when managing physical audio devices. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'FromIPCSegment()' function in 'netwerk/base/nsStandardURL.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/base/StructuredCloneHolder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in the 'JS::Rooted()' function in 'dom/xbl/nsXBLBinding.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/canvas/WebGLContextDraw.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'dom/media/PeerConnection.js' that is triggered when handling ICE connection state changes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists in 'hal/Hal.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

USN-3705-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems.

We apologize for the inconvenience.

Original advisory details :

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, bypass same-origin restrictions, bypass CORS restrictions, bypass CSRF protections, obtain sensitive information, or execute arbitrary code. (CVE-2018-5156, CVE-2018-5186, CVE-2018-5187, CVE-2018-5188, CVE-2018-12358, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12370, CVE-2018-12371)

A security issue was discovered with WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit this to obtain full browser permissions. (CVE-2018-12369).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, bypass same-origin restrictions, bypass CORS restrictions, bypass CSRF protections, obtain sensitive information, or execute arbitrary code. (CVE-2018-5156, CVE-2018-5186, CVE-2018-5187, CVE-2018-5188, CVE-2018-12358, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12370, CVE-2018-12371)

A security issue was discovered with WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit this to obtain full browser permissions.
(CVE-2018-12369).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote Windows     host is prior to 61. It is, therefore, affected by multiple critical     and high severity vulnerabilities.

The version of Mozilla Firefox ESR installed on the remote Windows     host is prior to 60.1. It is, therefore, affected by multiple critical     and high severity vulnerabilities.

The version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is prior to 60.1. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

The version of Mozilla Firefox installed on the remote macOS or     Mac OS X host is prior to 61. It is, therefore, affected by multiple     critical and high severity vulnerabilities.

Mozilla Foundation reports :

CVE-2018-12359: Buffer overflow using computed size of canvas element

CVE-2018-12360: Use-after-free when using focus()

CVE-2018-12361: Integer overflow in SwizzleData

CVE-2018-12358: Same-origin bypass using service worker and redirection

CVE-2018-12362: Integer overflow in SSSE3 scaler

CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture

CVE-2018-12363: Use-after-free when appending DOM nodes

CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

CVE-2018-12365: Compromised IPC child process can list local filenames

CVE-2018-12371: Integer overflow in Skia library during edge builder allocation

CVE-2018-12366: Invalid data handling during QCMS transformations

CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming

CVE-2018-12368: No warning when opening executable SettingContent-ms files

CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments

CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View

CVE-2018-5186: Memory safety bugs fixed in Firefox 61

CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1

CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

ID	Name	Product	Family	Severity
123203	openSUSE Security Update : MozillaFirefox (openSUSE-2019-494)	Nessus	SuSE Local Security Checks	high
117894	GLSA-201810-01 : Mozilla Firefox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
700341	Mozilla Firefox ESR < 60.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
700330	Mozilla Firefox < 61 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
111005	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox regressions (USN-3705-2)	Nessus	Ubuntu Local Security Checks	high
110942	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox vulnerabilities (USN-3705-1)	Nessus	Ubuntu Local Security Checks	high
110811	Mozilla Firefox < 61 Multiple Critical Vulnerabilities	Nessus	Windows	high
110810	Mozilla Firefox ESR < 60.1 Multiple Critical Vulnerabilities	Nessus	Windows	high
110808	Mozilla Firefox ESR < 60.1 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
110806	Mozilla Firefox < 61 Multiple Critical Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
110801	openSUSE Security Update : MozillaFirefox (openSUSE-2018-676)	Nessus	SuSE Local Security Checks	high
110700	FreeBSD : mozilla -- multiple vulnerabilities (cd81806c-26e7-4d4a-8425-02724a2f48af)	Nessus	FreeBSD Local Security Checks	high

CVE-2018-12369

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins