[manjaro-security] [arch-security] [ASA-201606-7] firefox: multiple issues

Levente Polyak anthraxx at archlinux.org
Wed Jun 8 13:31:28 CEST 2016


Arch Linux Security Advisory ASA-201606-7
=========================================

Severity: Critical
Date    : 2016-06-08
CVE-ID  : CVE-2016-2815 CVE-2016-2818 CVE-2016-2819 CVE-2016-2821
          CVE-2016-2822 CVE-2016-2825 CVE-2016-2828 CVE-2016-2829
          CVE-2016-2831 CVE-2016-2832 CVE-2016-2833
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 47.0-1 is vulnerable to arbitrary
code execution, same-origin policy bypass, information leakage,
cross-site scripting, denial of service, clickjacking, addressbar
spoofing and visual user confusion.

Resolution
==========

Upgrade to 47.0-1.

# pacman -Syu "firefox>=47.0-1"

The problems have been fixed upstream in version 47.0.

Workaround
==========

None.

Description
===========

- CVE-2016-2815 (arbitrary code execution)

Mozilla developers and community members reported several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

- CVE-2016-2818 (arbitrary code execution)

Mozilla developers and community members reported several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

- CVE-2016-2819 (arbitrary code execution)

Security researcher firehack reported a buffer overflow when parsing
HTML5 fragments in a foreign context such as under an <svg> node. This
results in a potentially exploitable crash when inserting an HTML
fragment into an existing document.

- CVE-2016-2821 (arbitrary code execution)

Security researcher firehack used the Address Sanitizer tool to
discover a use-after-free in contenteditable mode. This occurs when
deleting document object model (DOM) table elements created within the
editor and results in a potentially exploitable crash.

- CVE-2016-2822 (addressbar spoofing)

Security researcher Jordi Chancel reported a method to spoof the
contents of the addressbar. This uses a persistent menu within a
<select> element, which acts as a container for HTML content and can be
placed in an arbitrary location. When placed over the addressbar, this
can mask the true site URL, allowing for spoofing by a malicious site.

- CVE-2016-2825 (same-origin policy bypass)

Security researcher Armin Razmdjou reported that the location.host
property can be set to an arbitrary string after creating an invalid
data: URI. This allows for a bypass of some same-origin policy
protections. This issue is mitigated by the data: URI in use and any
same-origin checks for http: or https: are still enforced correctly. As
a result cookie stealing and other common same-origin bypass attacks
are not possible.

- CVE-2016-2828 (arbitrary code execution)

Mozilla community member jomo reported a use-after-free crash when
processing WebGL content. This issue was caused by the use of a texture
after its recycle pool has been destroyed during WebGL operations,
which frees the memory associated with the texture. This results in a
potentially exploitable crash when the texture is later called.

- CVE-2016-2829 (visual user confusion)

Security researcher Tim McCormack reported that when a page requests a
series of permissions in a short timespan, the resulting permission
notifications can show the icon for the wrong permission request. This
can lead to user confusion and inadvertent consent given when a user is
prompted by web content to give permissions, such as for geolocation or
microphone access.

- CVE-2016-2831 (clickjacking)

Security researcher sushi Anton Larsson reported that when paired
fullscreen and pointerlock requests are done in combination with
closing windows, a pointerlock can be created within a fullscreen
window without user permission. This pointerlock cannot then be
cancelled without terminating the browser, resulting in a persistent
denial of service attack. This can also be used for spoofing and
clickjacking attacks against the browser UI.

- CVE-2016-2832 (information leakage)

Mozilla developer John Schoenick reported that CSS pseudo-classes can
be used by web content to leak information on plugins that are
installed but disabled. This can be used for information disclosure
through a fingerprinting attack that lists all of the plugins installed
by a user on a system, even when they are disabled.

- CVE-2016-2833 (cross-site scripting)

Mozilla engineer Matt Wobensmith reported that Content Security Policy
(CSP) does not block the loading of cross-domain Java applets when
specified by policy. This is because the Java applet is loaded by the
Java plugin, which then mediates all network requests without checking
against CSP. This could allow a malicious site to manipulate content
through a Java applet to bypass CSP protections, allowing for possible
cross-site scripting (XSS) attacks.

Impact
======

A remote attacker is able to execute arbitrary code, bypass the
same-origin policy, leak sensitive information, perform cross-site
scripting, perform a denial of service attack, perform a clickjacking
attack and spoof the addressbar via various vectors.

References
==========

https://access.redhat.com/security/cve/CVE-2016-2815
https://access.redhat.com/security/cve/CVE-2016-2818
https://access.redhat.com/security/cve/CVE-2016-2819
https://access.redhat.com/security/cve/CVE-2016-2821
https://access.redhat.com/security/cve/CVE-2016-2822
https://access.redhat.com/security/cve/CVE-2016-2825
https://access.redhat.com/security/cve/CVE-2016-2828
https://access.redhat.com/security/cve/CVE-2016-2829
https://access.redhat.com/security/cve/CVE-2016-2831
https://access.redhat.com/security/cve/CVE-2016-2832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2833
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160608/ba21e664/attachment.pgp>


More information about the manjaro-security mailing list