Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : firefox vulnerabilities (USN-3044-1)

Ubuntu Security Notice (C) 2016-2017 Canonical, Inc. / NASL script (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Gustavo Grieco discovered an out-of-bounds read during XML parsing in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or obtain sensitive
information. (CVE-2016-0718)

Toni Huttunen discovered that once a favicon is requested from a site,
the remote server can keep the network connection open even after the
page is closed. A remote attacked could potentially exploit this to
track users, resulting in information disclosure. (CVE-2016-2830)

Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian
Seward, Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight,
and Phil Ringnalda discovered multiple memory safety issues in
Firefox. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2016-2835, CVE-2016-2836)

A buffer overflow was discovered in the ClearKey Content Decryption
Module (CDM) during video playback. If a user were tricked in to
opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via plugin process crash,
or, in combination with another vulnerability to escape the GMP
sandbox, execute arbitrary code. (CVE-2016-2837)

Atte Kettunen discovered a buffer overflow when rendering SVG content
in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-2838)

Bert Massop discovered a crash in Cairo with version 0.10 of FFmpeg.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to execute arbitrary code.
(CVE-2016-2839)

Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the
Resource Timing API. An attacker could potentially exploit this to
obtain sensitive information. (CVE-2016-5250)

Firas Salem discovered an issue with non-ASCII and emoji characters in
data: URLs. An attacker could potentially exploit this to spoof the
addressbar contents. (CVE-2016-5251)

Georg Koppen discovered a stack buffer underflow during 2D graphics
rendering in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5252)

Abhishek Arya discovered a use-after-free when the alt key is used
with top-level menus. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-5254)

Jukka Jylanki discovered a crash during garbage collection. If a user
were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to execute arbitrary code.
(CVE-2016-5255)

Looben Yang discovered a use-after-free in WebRTC. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-5258)

Looben Yang discovered a use-after-free when working with nested sync
events in service workers. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5259)

Mike Kaply discovered that plain-text passwords can be stored in
session restore if an input field type is changed from 'password' to
'text' during a session, leading to information disclosure.
(CVE-2016-5260)

Samuel Gross discovered an integer overflow in WebSockets during data
buffering in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5261)

Nikita Arykov discovered that JavaScript event handlers on a <marquee>
element can execute in a sandboxed iframe without the allow-scripts
flag set. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2016-5262)

A type confusion bug was discovered in display transformation during
rendering. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2016-5263)

A use-after-free was discovered when applying effects to SVG elements
in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5264)

Abdulrahman Alqabandi discovered a same-origin policy violation
relating to local HTML files and saved shortcut files. An attacker
could potentially exploit this to obtain sensitive information.
(CVE-2016-5265)

Rafael Gieschke discovered an information disclosure issue related to
drag and drop. An attacker could potentially exploit this to obtain
sensitive information. (CVE-2016-5266)

A text injection issue was discovered with about: URLs. An attacker
could potentially exploit this to spoof internal error pages.
(CVE-2016-5268).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected firefox package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.4
(CVSS2#E:U/RL:U/RC:C)
Public Exploit Available : false