firefox: multiple issues

2016-04-30T00:00:00
ID ASA-201604-15
Type archlinux
Reporter Arch Linux
Modified 2016-04-30T00:00:00

Description

  • CVE-2016-2804:

Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve Fink reported memory safety problems and crashes that are fixed in Firefox 46.

  • CVE-2016-2805:

Christian Holler reported a memory safety problem that is fixed in Firefox ESR 38.8.

  • CVE-2016-2806:

Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory safety problems and crashes that are fixed in Firefox ESR 45.1 and Firefox 46.

  • CVE-2016-2807:

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46.

  • CVE-2016-2808:

The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch() method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The overflow takes considerable time and a malicious page would require a user to keep it open for the duration of the attack.

  • CVE-2016-2811, CVE-2016-2812:

Security researcher Looben Yang reported two issues discovered in Service Workers using Address Sanitizer.

The first of these is a use-after-free vulnerability caused by a ServiceWorkerInfo object being kept active beyond the life its owning registration. When it is later called through this registration, a use-after-free results.

In the second issue, a race condition leading to a buffer overflow was found in the ServiceWorkerManager. This leads to a potentially exploitable crash when triggered.

  • CVE-2016-2814:

Using Address Sanitizer, security researcher Sascha Just reported a buffer overflow in the libstagefright library due to issues with the handling of CENC offsets and the sizes table. This results in a potentially exploitable crash triggerable through web content.

  • CVE-2016-2816:

Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to a failure to prevent potential cross-site scripting (XSS) and other attacks against the web page.

  • CVE-2016-2817:

Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that the chrome.tabs.update API for web extensions allows for navigation to javascript: URLs without additional permissions. This can used to elevate privilege for a universal cross-site scripting (XSS) attack by a malicious web extension. It can also be used to inject content into other extensions if they load content within browser tabs.

  • CVE-2016-2820:

Mozilla engineer Mark Goodwin discovered that the Firefox Health Report (about:healthreport) accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, this content could change the sharing preferences of a user by firing the appropriate events at it s containing page.