102786

1040270

https://bugzilla.mozilla.org/show_bug.cgi?id=1425267

USN-3544-1

https://www.mozilla.org/security/advisories/mfsa2018-02/

Versions of Mozilla Firefox earlier than 58 are unpatched for the following vulnerabilities :

 - An out-of-bounds read flaw exists in the 'js::WasmTableObject::getImpl()' function. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - An overflow condition exists in the 'ShiftFromList()' function in 'js/src/vm/List-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - A flaw exists in 'gfx/2d/Filters.h' related to missing thread safety. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the JavaScript just-in-time (JIT) compiler that is triggered when handling call stacks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated when handling TypeScripts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'AppendToList()' function in 'js/src/vm/List-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'CalcTableChecksum()' function in 'gfx/2d/ScaledFontMac.cpp' that is triggered when handling checksums that are not 4-byte aligned. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'HttpChannelChild::Release()' function in 'netwerk/protocol/http/HttpChannelChild.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'WebrtcVideoConduit::VideoStreamFactory::CreateEncoderStreams()' function in 'media/webrtc/signaling/src/media-conduit/VideoConduit.cpp' that is triggered as certain input is not properly validated when handling temporal layers for screencasts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/media/MediaDecoderStateMachine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'ParseFTPList()' function in 'netwerk/streamconv/converters/ParseFTPList.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the accessibility component related to use of uninitialized memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists related to use of uninitialized memory when handling cocoa widgets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the security manager component related to use of uninitialized memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow that is triggered when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when the source document for XSL transformation is manipulated by script content during the transformation. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in 'layout/forms/nsNumberControlFrame.cpp' that is triggered when handling form input elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the widget listener. The issue is triggered when holding strong references to browser objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsIDocument::IsPotentiallyScrollable()' function in 'dom/base/nsDocument.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsCSSFrameConstructor::CreateLetterFrame()' function in 'layout/base/nsCSSFrameConstructor.cpp' that is triggered when manipulating floating first-letter style elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in 'dom/html/HTMLMediaElement.cpp' that is triggered when handling specially crafted HTML media elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'EventStateManager::DispatchMouseOrPointerEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling mouse events. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling font faces. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in WebExtensions that may allow a context-dependent attacker to bypass user prompts and save and execute downloaded files without user confirmation.
 - A flaw exists that is triggered when a user selects error exists links when tools are open. This may allow a context-dependent attacker to cause style editor traffic in the Developer Tools to be routed through a service worker hosted on a third party website, potentially disclosing sensitive cross-origin information.
 - A flaw exists as the printing process creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against a file to cause the program to unexpectedly disclose arbitrary files.
 - A flaw exists in 'dom/file/nsHostObjectProtocolHandler.cpp' that is triggered during the handling of certain manually entered blob URLs. This may allow a context-dependent attacker to gain access to potentially sensitive information from private browsing.
 - A flaw exists in the 'MediaManager::GetUserMedia()' function in 'dom/media/MediaManager.cpp'. This may allow a context-dependent attacker to spoof the origin of audio prompts.
 - A flaw exists that is triggered when cursor visibility is toggled back and forth from 'none' to an image via a script. This may allow a context-dependent attacker to cause the cursor to be rendered invisibly.
 - A flaw exists that is triggered during the handling of a specially formatted URL that is dragged to the address bar from page content. This may allow a context-dependent attacker to spoof the URL bar.
 - A flaw exists in the developement tool panels of an extension that may allow a context-dependent attacker to bypass restrictions and load non-relative URLS, which may potentially include privileged pages.
 - A flaw exists in the 'browser.identity'.'launchWebAuthFlow()' function in WebExtensions that is triggered as HTTPS content loading restrictions are not properly honored. This may allow a context-dependent attacker to load content over an HTTP connection.
 - A flaw exists that is triggered when changing a cookie to HttpOnly when a document is open. This can cause the cookie to remain accessible until the document is closed.
 - A flaw exists that is due to program displaying HTTP authentication prompts from background pages over the currently loaded foreground page. This may allow a context-dependent attacker to potentially spoof the originating page of an authentication prompt.
 - A flaw exists in WebExtensions with the ActiveTab permission that may allow a context-dependent attacker to inject frames from arbitrary origins into the loaded page and gain access to arbitrary frame content.
 - A flaw exists in 'browser/base/content/browser.js' that is triggered when right-to-left text is used in the address bar with left-to-right alignment. This may allow a context-dependent attacker to spoof the URL bar.
 - A flaw exists in the Activity Stream page that is triggered as it may improperly create images via the file: URL. This may allow a context-dependent attacker to gain access to potentially sensitive local information.
 - A flaw exists in the reader view that can allow a context-dependent attacker to bypass CORS header restrictions and view cross-origin content that should be prohibited from loading.
 - A flaw exists in 'browser/themes/osx/browser.css' that is triggered when rendering Tibetan characters in several unspecified fonts. This may allow a context-dependent attacker to spoof a valid domain name.
 - An integer overflow in the 'DoCrypt()' function in 'dom/crypto/WebCryptoTask.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when WebRTC connections interact with DTMF timers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling threads for web workers. This may allowa context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when editing events in form elements on a page. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'JSStructuredCloneReader::readV1ArrayBuffer()' function in 'js/src/vm/StructuredClone.cpp' that is triggered when deserializing invalid typed arrays. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsCookieService::RemoveCookiesWithOriginAttributes()' function in 'netwerk/cookie/nsCookieService.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'WebrtcGmpVideoDecoder::ReleaseGmp()' function in 'media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsCookieService::PurgeCookies()' function in 'netwerk/cookie/nsCookieService.cpp' that is triggered when handling cookie expiry. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified race condition exists in 'modules/libjar/nsJAR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified race condition exists in 'netwerk/base/AutoClose.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the browser UI that is triggered when handling specially crafted HTML fragments. This may allow a context-dependent attacker to potentially execute arbitrary code.

 - Mutliple vulnerabilities in the following may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code:
 - 'media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp'
 - 'gfx/thebes/gfxPlatformFontList.cpp'
 - 'dom/media/systemservices/CamerasChild.cpp'
 - 'dom/media/MediaDecoder.cpp'
 - 'js/src/gc/Zone.h'
 - 'js/src/jsfun.h'
 - 'dom/plugins/ipc/PluginMessageUtils.cpp'
 - 'ipc/glue/IPCMessageUtils.h'
 - 'dom/media/webrtc/MediaEngineDefault.cpp'
 - 'toolkit/components/places/History.cpp'
 - 'startupcache/StartupCache.cpp'
 - 'dom/media/GraphDriver.cpp'
 - 'media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.h'
 - 'dom/base/DirectionalityUtils.cpp'
 - 'media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp'
 - 'js/src/vm/StructuredClone.cpp'

USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web compatibility regression and a tab crash during printing in some circumstances. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, spoof the origin in audio capture prompts, trick the user in to providing HTTP credentials for another origin, spoof the addressbar contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090, CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5109, CVE-2018-5114, CVE-2018-5115, CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions.
If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit these to gain additional privileges, bypass same-origin restrictions, or execute arbitrary code. (CVE-2018-5105, CVE-2018-5113, CVE-2018-5116)

A security issue was discovered with the developer tools. If a user were tricked in to opening a specially crafted website with the developer tools open, an attacker could potentially exploit this to obtain sensitive information from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2018-5107)

It was discovered that manually entered blob URLs could be accessed by subsequent private browsing tabs. If a user were tricked in to entering a blob URL, an attacker could potentially exploit this to obtain sensitive information from a private browsing context. (CVE-2018-5108)

It was discovered that dragging certain specially formatted URLs to the addressbar could cause the wrong URL to be displayed. If a user were tricked in to opening a specially crafted website and dragging a URL to the addressbar, an attacker could potentially exploit this to spoof the addressbar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels could open non-relative URLs. If a user were tricked in to installing a specially crafted extension and running the developer tools, an attacker could potentially exploit this to gain additional privileges. (CVE-2018-5112)

It was discovered that ActivityStream images can attempt to load local content through file: URLs. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this in combination with another vulnerability that allowed sandbox protections to be bypassed, in order to obtain sensitive information from local files. (CVE-2018-5118)

It was discovered that the reader view will load cross-origin content in violation of CORS headers. An attacker could exploit this to bypass CORS restrictions.
(CVE-2018-5119).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, spoof the origin in audio capture prompts, trick the user in to providing HTTP credentials for another origin, spoof the addressbar contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090, CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5109, CVE-2018-5114, CVE-2018-5115, CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit these to gain additional privileges, bypass same-origin restrictions, or execute arbitrary code. (CVE-2018-5105, CVE-2018-5113, CVE-2018-5116)

A security issue was discovered with the developer tools. If a user were tricked in to opening a specially crafted website with the developer tools open, an attacker could potentially exploit this to obtain sensitive information from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2018-5107)

It was discovered that manually entered blob URLs could be accessed by subsequent private browsing tabs. If a user were tricked in to entering a blob URL, an attacker could potentially exploit this to obtain sensitive information from a private browsing context.
(CVE-2018-5108)

It was discovered that dragging certain specially formatted URLs to the addressbar could cause the wrong URL to be displayed. If a user were tricked in to opening a specially crafted website and dragging a URL to the addressbar, an attacker could potentially exploit this to spoof the addressbar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels could open non-relative URLs. If a user were tricked in to installing a specially crafted extension and running the developer tools, an attacker could potentially exploit this to gain additional privileges.
(CVE-2018-5112)

It was discovered that ActivityStream images can attempt to load local content through file: URLs. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this in combination with another vulnerability that allowed sandbox protections to be bypassed, in order to obtain sensitive information from local files. (CVE-2018-5118)

It was discovered that the reader view will load cross-origin content in violation of CORS headers. An attacker could exploit this to bypass CORS restrictions. (CVE-2018-5119).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote Windows host is prior to 58. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 58. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

Mozilla Foundation reports :

CVE-2018-5091: Use-after-free with DTMF timers

CVE-2018-5092: Use-after-free in Web Workers

CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing

CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory

CVE-2018-5095: Integer overflow in Skia library during edge builder allocation

CVE-2018-5097: Use-after-free when source document is manipulated during XSLT

CVE-2018-5098: Use-after-free while manipulating form input elements

CVE-2018-5099: Use-after-free with widget listener

CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory

CVE-2018-5101: Use-after-free with floating first-letter style elements

CVE-2018-5102: Use-after-free in HTML media elements

CVE-2018-5103: Use-after-free during mouse event handling

CVE-2018-5104: Use-after-free during font face manipulation

CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts

CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker

CVE-2018-5107: Printing process will follow symlinks for local file access

CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs

CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution

CVE-2018-5110: Cursor can be made invisible on OS X

CVE-2018-5111: URL spoofing in addressbar through drag and drop

CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel

CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow

CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts

CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs

CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access

CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right

CVE-2018-5118: Activity Stream images can attempt to load local content through file :

CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers

CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar

CVE-2018-5122: Potential integer overflow in DoCrypt

CVE-2018-5090: Memory safety bugs fixed in Firefox 58

CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6

ID	Name	Product	Family	Severity
700326	Mozilla Firefox < 58 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
106790	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : firefox regressions (USN-3544-2)	Nessus	Ubuntu Local Security Checks	critical
106347	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : firefox vulnerabilities (USN-3544-1)	Nessus	Ubuntu Local Security Checks	critical
106303	Mozilla Firefox < 58 Multiple Vulnerabilities	Nessus	Windows	high
106301	Mozilla Firefox < 58 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
106288	FreeBSD : mozilla -- multiple vulnerabilities (a891c5b4-3d7a-4de9-9c71-eef3fd698c77)	Nessus	FreeBSD Local Security Checks	critical

CVE-2018-5113

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins