GLSA-202305-35 : Mozilla Firefox: Multiple Vulnerabilities

high Nessus Plugin ID 176481

Description

The remote host is affected by the vulnerability described in GLSA-202305-35 (Mozilla Firefox: Multiple Vulnerabilities)

- An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. (CVE-2023-0767)

- Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash. (CVE-2023-1945)

- A double-free in libwebp could have led to memory corruption and a potentially exploitable crash.
(CVE-2023-1999)

- Mozilla: Content security policy leak in violation reports using iframes (CVE-2023-25728)

- Permission prompts for opening external schemes were only shown for <code>ContentPrincipals</code> resulting in extensions being able to open them without user interaction via <code>ExpandedPrincipals</code>. This could lead to further malicious actions such as downloading files or interacting with software already installed on the system. (CVE-2023-25729)

- A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks.
(CVE-2023-25730)

- Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. (CVE-2023-25731)

- When encoding data from an <code>inputStream</code> in <code>xpcom</code> the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.
(CVE-2023-25732)

- After downloading a Windows <code>.url</code> shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This also had the potential to leak NTLM credentials to the resource. This bug only affects Thunderbird on Windows. Other operating systems are unaffected. (CVE-2023-25734)

- Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free after unwrapping the proxy.
(CVE-2023-25735)

- An invalid downcast from <code>nsTextNode</code> to <code>SVGElement</code> could have lead to undefined behavior. (CVE-2023-25737)

- Members of the <code>DEVMODEW</code> struct set by the printer device driver weren't being validated and could have resulted in invalid values which in turn would cause the browser to attempt out of bounds access to related variables. This bug only affects Thunderbird on Windows. Other operating systems are unaffected. (CVE-2023-25738)

- Module load requests that failed were not being checked as to whether or not they were cancelled causing a use-after-free in <code>ScriptLoadContext</code>. (CVE-2023-25739)

- When importing a SPKI RSA public key as ECDSA P-256, the key would be handled incorrectly causing the tab to crash. (CVE-2023-25742)

- Mozilla developers Philipp and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.7.
Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2023-25746)

- By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks. This bug only affects Firefox for Android.
Other operating systems are unaffected. (CVE-2023-25748)

- Android applications with unpatched vulnerabilities can be launched from a browser using Intents, exposing users to these vulnerabilities. Firefox will now confirm with users that they want to launch an external application before doing so. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. (CVE-2023-25749)

- Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. (CVE-2023-25750)

- Mozilla: Incorrect code generation during JIT compilation (CVE-2023-25751)

- Mozilla: Potential out-of-bounds when accessing throttled streams (CVE-2023-25752)

- The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks. This bug only affects Firefox for Android.
Other operating systems are unaffected. (CVE-2023-28159)

- When following a redirect to a publicly accessible web extension file, the URL may have been translated to the actual local path, leaking potentially sensitive information. (CVE-2023-28160)

- If temporary one-time permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. (CVE-2023-28161)

- Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

- When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. This bug only affects Firefox on Windows. Other versions of Firefox are unaffected. (CVE-2023-28163)

- Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation (CVE-2023-28164)

- Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 (CVE-2023-28176)

- Mozilla developers and community members Calixte Denizet, Gabriele Svelto, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 110. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2023-28177)

- A website could have obscured the fullscreen notification by using a combination of <code>window.open</code>, fullscreen requests, <code>window.name</code> assignments, and <code>setInterval</code> calls. This could have led to user confusion and possible spoofing attacks.
(CVE-2023-29533)

- Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash. (CVE-2023-29535)

- An attacker could cause the memory manager to incorrectly free a pointer that addresses attacker- controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash.
(CVE-2023-29536)

- Multiple race conditions in the font initialization could have led to memory corruption and execution of attacker-controlled code. (CVE-2023-29537)

- Under specific circumstances a WebExtension may have received a <code>jar:file:///</code> URI instead of a <code>moz-extension:///</code> URI during a load request. This leaked directory paths on the user's machine. (CVE-2023-29538)

- When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. (CVE-2023-29539)

- Using a redirect embedded into <code>sourceMappingUrls</code> could allow for navigation to external protocol links in sandboxed iframes without <code>allow-top-navigation-to-custom-protocols</code>.
(CVE-2023-29540)

- Thunderbird did not properly handle downloads of files ending in <code>.desktop</code>, which can be interpreted to run attacker-controlled commands. This bug only affects Thunderbird for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions. (CVE-2023-29541)

- An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. (CVE-2023-29543)

- If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. (CVE-2023-29544)

- When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie. (CVE-2023-29547)

- A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result.
(CVE-2023-29548)

- Under certain circumstances, a call to the <code>bind</code> function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES.
(CVE-2023-29549)

- Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2023-29550)

- Mozilla developers Randell Jesup, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 111. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
(CVE-2023-29551)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

All Mozilla Firefox ESR binary users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=www-client/firefox-bin-102.10.0:esr All Mozilla Firefox ESR users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=www-client/firefox-102.10.0:esr All Mozilla Firefox binary users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=www-client/firefox-bin-112.0:rapid All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=www-client/firefox-112.0:rapid

See Also

https://security.gentoo.org/glsa/202305-35

https://bugs.gentoo.org/show_bug.cgi?id=895962

https://bugs.gentoo.org/show_bug.cgi?id=903618

https://bugs.gentoo.org/show_bug.cgi?id=905889

Plugin Details

Severity: High

ID: 176481

File Name: gentoo_GLSA-202305-35.nasl

Version: 1.1

Type: local

Published: 5/30/2023

Updated: 8/29/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-29551

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:firefox, p-cpe:/a:gentoo:linux:firefox-bin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/30/2023

Vulnerability Publication Date: 2/14/2023

Reference Information

CVE: CVE-2023-0767, CVE-2023-1945, CVE-2023-1999, CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25731, CVE-2023-25732, CVE-2023-25734, CVE-2023-25735, CVE-2023-25737, CVE-2023-25738, CVE-2023-25739, CVE-2023-25742, CVE-2023-25746, CVE-2023-25748, CVE-2023-25749, CVE-2023-25750, CVE-2023-25751, CVE-2023-25752, CVE-2023-28159, CVE-2023-28160, CVE-2023-28161, CVE-2023-28162, CVE-2023-28163, CVE-2023-28164, CVE-2023-28176, CVE-2023-28177, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29537, CVE-2023-29538, CVE-2023-29539, CVE-2023-29540, CVE-2023-29541, CVE-2023-29543, CVE-2023-29544, CVE-2023-29547, CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551