Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3124-1)

High Nessus Plugin ID 95025

Synopsis

The remote Ubuntu host is missing a security-related patch.

Description

Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5289, CVE-2016-5290)

A same-origin policy bypass was discovered with local HTML files in some circumstances. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5291)

A crash was discovered when parsing URLs in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code.
(CVE-2016-5292)

A heap buffer-overflow was discovered in Cairo when processing SVG content. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code.
(CVE-2016-5296)

An error was discovered in argument length checking in JavaScript. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5297)

An integer overflow was discovered in the Expat library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2016-9063)

It was discovered that addon updates failed to verify that the addon ID inside the signed package matched the ID of the addon being updated. An attacker that could perform a man-in-the-middle (MITM) attack could potentially exploit this to provide malicious addon updates. (CVE-2016-9064)

A buffer overflow was discovered in nsScriptLoadHandler. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9066)

2 use-after-free bugs were discovered during DOM operations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code.
(CVE-2016-9067, CVE-2016-9069)

A heap use-after-free was discovered during web animations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code.
(CVE-2016-9068)

It was discovered that a page loaded in to the sidebar through a bookmark could reference a privileged chrome window. An attacker could potentially exploit this to bypass same origin restrictions.
(CVE-2016-9070)

An issue was discovered with Content Security Policy (CSP) in combination with HTTP to HTTPS redirection. An attacker could potentially exploit this to verify whether a site is within the user's browsing history. (CVE-2016-9071)

An issue was discovered with the windows.create() WebExtensions API.
If a user were tricked in to installing a malicious extension, an attacker could potentially exploit this to escape the WebExtensions sandbox. (CVE-2016-9073)

It was discovered that WebExtensions can use the mozAddonManager API.
An attacker could potentially exploit this to install additional extensions without user permission. (CVE-2016-9075)

It was discovered that <select> element dropdown menus can cover location bar content when e10s is enabled. An attacker could potentially exploit this to conduct UI spoofing attacks.
(CVE-2016-9076)

It was discovered that canvas allows the use of the feDisplacementMap filter on cross-origin images. An attacker could potentially exploit this to conduct timing attacks. (CVE-2016-9077).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected firefox package.

See Also

https://usn.ubuntu.com/3124-1/

Plugin Details

Severity: High

ID: 95025

File Name: ubuntu_USN-3124-1.nasl

Version: 3.9

Type: local

Agent: unix

Published: 2016/11/21

Updated: 2018/12/01

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:firefox, cpe:/o:canonical:ubuntu_linux:12.04:-:lts, cpe:/o:canonical:ubuntu_linux:14.04, cpe:/o:canonical:ubuntu_linux:16.04, cpe:/o:canonical:ubuntu_linux:16.10

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/11/18

Reference Information

CVE: CVE-2016-5289, CVE-2016-5290, CVE-2016-5291, CVE-2016-5292, CVE-2016-5296, CVE-2016-5297, CVE-2016-9063, CVE-2016-9064, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9069, CVE-2016-9070, CVE-2016-9071, CVE-2016-9073, CVE-2016-9075, CVE-2016-9076, CVE-2016-9077

USN: 3124-1