Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : firefox regressions (USN-2917-3)

Ubuntu Security Notice (C) 2016 Canonical, Inc. / NASL script (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

USN-2917-1 fixed vulnerabilities in Firefox. This update caused
several web compatibility regressions.

This update fixes the problem.

We apologize for the inconvenience.

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in
NSS. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1950)

Bob Clary, Christoph Diehl, Christian Holler, Andrew
McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup,
Carsten Book, Gian-Carlo Pascutto, Tyson Smith, Andrea
Marchesini, and Jukka Jylanki discovered multiple memory
safety issues in Firefox. If a user were tricked in to
opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1952,
CVE-2016-1953)

Nicolas Golubovic discovered that CSP violation reports can
be used to overwrite local files. If a user were tricked in
to opening a specially crafted website with addon signing
disabled and unpacked addons installed, an attacker could
potentially exploit this to gain additional privileges.
(CVE-2016-1954)

Muneaki Nishimura discovered that CSP violation reports
contained full paths for cross-origin iframe navigations. An
attacker could potentially exploit this to steal
confidential data. (CVE-2016-1955)

Ucha Gobejishvili discovered that performing certain WebGL
operations resulted in memory resource exhaustion with some
Intel GPUs, requiring a reboot. If a user were tricked in to
opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service.
(CVE-2016-1956)

Jose Martinez and Romina Santillan discovered a memory leak
in libstagefright during MPEG4 video file processing in some
circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to cause a denial of service via memory
exhaustion. (CVE-2016-1957)

Abdulrahman Alqabandi discovered that the addressbar could
be blank or filled with page defined content in some
circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to conduct URL spoofing attacks.
(CVE-2016-1958)

Looben Yang discovered an out-of-bounds read in Service
Worker Manager. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1959)

A use-after-free was discovered in the HTML5 string parser.
If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause
a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking
Firefox. (CVE-2016-1960)

A use-after-free was discovered in the SetBody function of
HTMLDocument. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1961)

Dominique Hazael-Massieux discovered a use-after-free when
using multiple WebRTC data channels. If a user were tricked
in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1962)

It was discovered that Firefox crashes when local files are
modified whilst being read by the FileReader API. If a user
were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to execute arbitrary
code with the privileges of the user invoking Firefox.
(CVE-2016-1963)

Nicolas Gregoire discovered a use-after-free during XML
transformations. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1964)

Tsubasa Iinuma discovered a mechanism to cause the
addressbar to display an incorrect URL, using history
navigations and the Location protocol property. If a user
were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to conduct URL
spoofing attacks. (CVE-2016-1965)

A memory corruption issues was discovered in the NPAPI
subsystem. If a user were tricked in to opening a specially
crafted website with a malicious plugin installed, an
attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox.
(CVE-2016-1966)

Jordi Chancel discovered a same-origin-policy bypass when
using performance.getEntries and history navigation with
session restore. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to steal confidential data. (CVE-2016-1967)

Luke Li discovered a buffer overflow during Brotli
decompression in some circumstances. If a user were tricked
in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1968)

Ronald Crane discovered a use-after-free in
GetStaticInstance in WebRTC. If a user were tricked in to
opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-1973)

Ronald Crane discovered an out-of-bounds read following a
failed allocation in the HTML parser in some circumstances.
If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause
a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking
Firefox. (CVE-2016-1974)

Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek
reported multiple memory safety issues in the Graphite 2
library. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit these
to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user
invoking Firefox. (CVE-2016-1977, CVE-2016-2790,
CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794,
CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798,
CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected firefox package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false