Arch Linux Security Advisory ASA-201704-6

Severity: Critical
Date : 2017-04-21
CVE-ID : CVE-2017-5429 CVE-2017-5430 CVE-2017-5432 CVE-2017-5433
CVE-2017-5434 CVE-2017-5435 CVE-2017-5436 CVE-2017-5437
CVE-2017-5438 CVE-2017-5439 CVE-2017-5440 CVE-2017-5441
CVE-2017-5442 CVE-2017-5443 CVE-2017-5444 CVE-2017-5445
CVE-2017-5446 CVE-2017-5447 CVE-2017-5448 CVE-2017-5449
CVE-2017-5451 CVE-2017-5453 CVE-2017-5454 CVE-2017-5455
CVE-2017-5456 CVE-2017-5458 CVE-2017-5459 CVE-2017-5460
CVE-2017-5461 CVE-2017-5464 CVE-2017-5465 CVE-2017-5466
CVE-2017-5467 CVE-2017-5468 CVE-2017-5469
Package : firefox
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-249

Summary

The package firefox before version 53.0-1 is vulnerable to multiple
issues including arbitrary code execution, cross-site scripting, access
restriction bypass, arbitrary filesystem access, denial of service,
information disclosure and content spoofing.

Resolution

Upgrade to 53.0-1.

pacman -Syu “firefox>=53.0-1”

The problems have been fixed upstream in version 53.0.

Workaround

None.

Description

• CVE-2017-5429 (arbitrary code execution)

Mozilla developers and community members Christian Holler, Jon
Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob
Clary, and Chris Peterson reported memory safety bugs present in
Firefox 52, Firefox ESR 45.8, and Firefox ESR 52. Some of these bugs
showed evidence of memory corruption and we presume that with enough
effort that some of these could be exploited to run arbitrary code.

• CVE-2017-5430 (arbitrary code execution)

Mozilla developers and community members Christian Holler, Jon
Coppeard, Milan Sreckovic, Tyson Smith, Ronald Crane, Randell Jesup,
Philipp, Tooru Fujisawa, and Kan-Ru Chen reported memory safety bugs
present in Firefox 52 and Firefox ESR 52. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort
that some of these could be exploited to run arbitrary code.

• CVE-2017-5432 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It
occurs during certain text input selection and results in a potentially
exploitable crash.

• CVE-2017-5433 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53, It
occurs in SMIL animation functions when pointers to animation elements
in an array are dropped from the animation controller while still in
use. This results in a potentially exploitable crash.

• CVE-2017-5434 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It
occurs when redirecting focus handling and results in a potentially
exploitable crash.

• CVE-2017-5435 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It
occurs during transaction processing in the editor during design mode
interactions and results in a potentially exploitable crash.

• CVE-2017-5436 (arbitrary code execution)

An out-of-bounds write has been found in the Graphite 2 library,
triggered with a maliciously crafted Graphite font. This results in a
potentially exploitable crash. This issue was fixed in the Graphite 2
library as well as Mozilla products.

• CVE-2017-5437 (denial of service)

Three vulnerabilities were reported in the Libevent library that allow
for out-of-bounds reads and denial of service (DoS) attacks:
CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. These were fixed in
the Libevent library and these changes were ported to Mozilla code in
Firefox 53.

• CVE-2017-5438 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53, during
XSLT processing due to the result handler being held by a freed handler
during handling. This results in a potentially exploitable crash.

• CVE-2017-5439 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53, during
XSLT processing due to poor handling of template parameters. This
results in a potentially exploitable crash.

• CVE-2017-5440 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53, during
XSLT processing due to a failure to propagate error conditions during
matching while evaluating context, leading to objects being used when
they no longer exist. This results in a potentially exploitable crash.

• CVE-2017-5441 (arbitrary code execution)

A use-after-free vulnerability when holding a selection during scroll
events has been found in Firefox < 53. This results in a potentially
exploitable crash.

• CVE-2017-5442 (arbitrary code execution)

A use-after-free vulnerability during changes in style when
manipulating DOM elements has been found in Firefox < 53. This results
in a potentially exploitable crash.

• CVE-2017-5443 (arbitrary code execution)

An out-of-bounds write vulnerability has been found in Firefox < 53,
while decoding improperly formed BinHex format archives.

• CVE-2017-5444 (information disclosure)

A buffer overflow vulnerability has been found in Firefox < 53, while
parsing application/http-index-format format content when the header
contains improperly formatted data. This allows for an out-of-bounds
read of data from memory.

• CVE-2017-5445 (information disclosure)

A vulnerability has been found in Firefox < 53, while parsing
application/http-index-format format content where uninitialized values
are used to create an array. This could allow the reading of
uninitialized memory into the arrays affected.

• CVE-2017-5446 (arbitrary code execution)

An out-of-bounds read has been found in Firefox < 53, when an HTTP/2
connection to a servers sends DATA frames with incorrect data content.
This leads to a potentially exploitable crash.

• CVE-2017-5447 (arbitrary code execution)

An out-of-bounds read has been found in Firefox < 53, during the
processing of glyph widths while rendering text layout. This results in
a potentially exploitable crash and could allow an attacker to read
otherwise inaccessible memory.

• CVE-2017-5448 (arbitrary code execution)

A security issue has been found in Firefox < 53, an out-of-bounds write
in ClearKeyDecryptor while decrypting some Clearkey-encrypted media
content. The ClearKeyDecryptor code runs within the Gecko Media Plugin
(GMP) sandbox. If a second mechanism is found to escape the sandbox,
this vulnerability allows for the writing of arbitrary data within
memory, resulting in a potentially exploitable crash.

• CVE-2017-5449 (arbitrary code execution)

A possibly exploitable crash has been found in Firefox < 53, triggered
during layout and manipulation of bidirectional unicode text in concert
with CSS animations.

• CVE-2017-5451 (content spoofing)

A security issue has been found in Firefox < 53, allowing to spoof the
addressbar through the user interaction on the addressbar and the
onblur event. The event could be used by script to affect text display
to make the loaded site appear to be different from the one actually
loaded within the addressbar.

• CVE-2017-5453 (content spoofing)

A security issue has been found in Firefox < 53, allowing to inject
static HTML into the RSS reader preview page due to a failure to escape
characters sent as URL parameters for a feed’s TITLE element. This
vulnerability allows for spoofing but no scripted content can be run.

• CVE-2017-5454 (access restriction bypass)

A security issue has been found in Firefox < 53, allowing to bypass
file system access protections in the sandbox to use the file picker to
access different files than those selected in the file picker through
the use of relative paths. This allows for read only access to the
local file system.

• CVE-2017-5455 (access restriction bypass)

A security issue has been found in Firefox < 53. The internal feed
reader APIs that crossed the sandbox barrier allowed for a sandbox
escape and escalation of privilege if combined with another
vulnerability that resulted in remote code execution inside the
sandboxed process.

• CVE-2017-5456 (arbitrary filesystem access)

A security issue has been found in Firefox < 53, allowing to bypass
file system access protections in the sandbox using the file system
request constructor through an IPC message. This allows for read and
write access to the local file system.

• CVE-2017-5458 (cross-site scripting)

An issue has been found in Firefox < 53. When a javascript: URL is drag
and dropped by a user into the addressbar, the URL will be processed
and executed. This allows for users to be socially engineered to
execute an XSS attack on themselves.

• CVE-2017-5459 (arbitrary code execution)

A buffer overflow has been found in the WebGL part of Firefox < 53.
It’s triggerable by web content, resulting in a potentially exploitable
crash.

• CVE-2017-5460 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It’s
located in frame selection, triggered by a combination of malicious
script content and key presses by a user. This results in a potentially
exploitable crash.

• CVE-2017-5461 (arbitrary code execution)

An out-of-bounds write during Base64 decoding operation has been found
in the Network Security Services (NSS) library due to insufficient
memory being allocated to the buffer.
An attacker could use this flaw to create a specially crafted
certificate which, when parsed by NSS, could cause it to crash or
execute arbitrary code, using the permissions of the user running an
application compiled against the NSS library. The issue has been fixed
in releases 3.29.5 and 3.30.1.

• CVE-2017-5464 (arbitrary code execution)

A security issue has been found in Firefox < 53. During DOM
manipulations of the accessibility tree through script, the DOM tree
can become out of sync with the accessibility tree, leading to memory
corruption and a potentially exploitable crash.

• CVE-2017-5465 (information disclosure)

An out-of-bounds read has been found in Firefox < 53, while processing
SVG content in ConvolvePixel. This results in a crash and also allows
for otherwise inaccessible memory being copied into SVG graphic
content, which could then displayed.

• CVE-2017-5466 (cross-site scripting)

An origin confusion issue has been found in Firefox < 53. If a page is
loaded from an original site through a hyperlink and contains a
redirect to a data:text/html URL, triggering a reload will run the
reloaded data:text/html page with its origin set incorrectly. This
allows for a cross-site scripting (XSS) attack.

• CVE-2017-5467 (denial of service)

A potential memory corruption and crash has been found in Firefox < 53,
when using Skia content when drawing content outside of the bounds of a
clipping region.

• CVE-2017-5468 (denial of service)

An issue with incorrect ownership model of privateBrowsing information
exposed through developer tools has been found in Firefox < 53. This
can result in a non-exploitable crash when manually triggered during
debugging.

• CVE-2017-5469 (arbitrary code execution)

Several potential buffer overflows in generated code, due to the
CVE-2016-6354 issue in Flex, have been fixed in Firefox 53.

Impact

A remote attacker can spoof content, bypass access restrictions, access
arbitrary files and sensitive information, crash the application and
execute arbitrary code on the affected host.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5429
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1343261%2C1350844%2C1341096%2C1342823%2C1348894%2C1348941%2C1349340%2C1352926%2C1353088%2C
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5430
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1342101%2C1340482%2C1344686%2C1329796%2C1346419%2C1349621%2C1344081%2C1344305%2C1348143%2C1349719%2C1353476%2C1337418%2C1346140%2C1339722
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5432
https://bugzilla.mozilla.org/show_bug.cgi?id=1346654
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5433
https://bugzilla.mozilla.org/show_bug.cgi?id=1347168
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5434
https://bugzilla.mozilla.org/show_bug.cgi?id=1349946
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5435
https://bugzilla.mozilla.org/show_bug.cgi?id=1350683
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5436
https://bugzilla.mozilla.org/show_bug.cgi?id=1345461
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5437
https://bugzilla.mozilla.org/show_bug.cgi?id=1343453
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5438
https://bugzilla.mozilla.org/show_bug.cgi?id=1336828
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5439
https://bugzilla.mozilla.org/show_bug.cgi?id=1336830
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5440
https://bugzilla.mozilla.org/show_bug.cgi?id=1336832
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5441
https://bugzilla.mozilla.org/show_bug.cgi?id=1343795
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5442
https://bugzilla.mozilla.org/show_bug.cgi?id=1347979
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5443
https://bugzilla.mozilla.org/show_bug.cgi?id=1342661
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5444
https://bugzilla.mozilla.org/show_bug.cgi?id=1344461
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5445
https://bugzilla.mozilla.org/show_bug.cgi?id=1344467
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5446
https://bugzilla.mozilla.org/show_bug.cgi?id=1343505
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5447
https://bugzilla.mozilla.org/show_bug.cgi?id=1343552
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5448
https://bugzilla.mozilla.org/show_bug.cgi?id=1346648
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5449
https://bugzilla.mozilla.org/show_bug.cgi?id=1340127
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5451
https://bugzilla.mozilla.org/show_bug.cgi?id=1273537
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5453
https://bugzilla.mozilla.org/show_bug.cgi?id=1321247
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5454
https://bugzilla.mozilla.org/show_bug.cgi?id=1349276
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5455
https://bugzilla.mozilla.org/show_bug.cgi?id=1341191
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5456
https://bugzilla.mozilla.org/show_bug.cgi?id=1344415
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5458
https://bugzilla.mozilla.org/show_bug.cgi?id=1229426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5459
https://bugzilla.mozilla.org/show_bug.cgi?id=1333858
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5460
https://bugzilla.mozilla.org/show_bug.cgi?id=1343642
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461
https://bugzilla.mozilla.org/show_bug.cgi?id=1344380
https://hg.mozilla.org/projects/nss/rev/ac34db053672
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5464
https://bugzilla.mozilla.org/show_bug.cgi?id=1347075
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5465
https://bugzilla.mozilla.org/show_bug.cgi?id=1347617
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5466
https://bugzilla.mozilla.org/show_bug.cgi?id=1353975
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5467
https://bugzilla.mozilla.org/show_bug.cgi?id=1347262
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5468
https://bugzilla.mozilla.org/show_bug.cgi?id=1329521
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5469
https://bugzilla.mozilla.org/show_bug.cgi?id=1292534
https://security.archlinux.org/CVE-2017-5429
https://security.archlinux.org/CVE-2017-5430
https://security.archlinux.org/CVE-2017-5432
https://security.archlinux.org/CVE-2017-5433
https://security.archlinux.org/CVE-2017-5434
https://security.archlinux.org/CVE-2017-5435
https://security.archlinux.org/CVE-2017-5436
https://security.archlinux.org/CVE-2017-5437
https://security.archlinux.org/CVE-2017-5438
https://security.archlinux.org/CVE-2017-5439
https://security.archlinux.org/CVE-2017-5440
https://security.archlinux.org/CVE-2017-5441
https://security.archlinux.org/CVE-2017-5442
https://security.archlinux.org/CVE-2017-5443
https://security.archlinux.org/CVE-2017-5444
https://security.archlinux.org/CVE-2017-5445
https://security.archlinux.org/CVE-2017-5446
https://security.archlinux.org/CVE-2017-5447
https://security.archlinux.org/CVE-2017-5448
https://security.archlinux.org/CVE-2017-5449
https://security.archlinux.org/CVE-2017-5451
https://security.archlinux.org/CVE-2017-5453
https://security.archlinux.org/CVE-2017-5454
https://security.archlinux.org/CVE-2017-5455
https://security.archlinux.org/CVE-2017-5456
https://security.archlinux.org/CVE-2017-5458
https://security.archlinux.org/CVE-2017-5459
https://security.archlinux.org/CVE-2017-5460
https://security.archlinux.org/CVE-2017-5461
https://security.archlinux.org/CVE-2017-5464
https://security.archlinux.org/CVE-2017-5465
https://security.archlinux.org/CVE-2017-5466
https://security.archlinux.org/CVE-2017-5467
https://security.archlinux.org/CVE-2017-5468
https://security.archlinux.org/CVE-2017-5469