
Mozilla Firefox < 45.0 Multiple Vulnerabilities

Published: 2016-04-08 00:00:00
Source: Tenable (www.tenable.com)

The version of Firefox installed on the remote host is prior to 45.0 and is affected by multiple vulnerabilities :

  • Mozilla Network Security Services (NSS) contains an overflow condition. The issue is triggered as user-supplied input is not properly validated when parsing ASN.1 structures. With a specially crafted certificate, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1950)
  • A flaw exists in the ‘ValueNumberer::fixupOSROnlyLoop()’ function in ‘jit/ValueNumbering.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
  • A flaw in the ‘Downscaler::BeginFrame()’ function in ‘image/Downscaler.cpp’ exists that is triggered when failing to compute filters for image downscaling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
  • A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952, CVE-2016-1953)
  • A flaw exists in the ‘JSScript::maybeSweepTypes()’ function in ‘vm/TypeInference.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
  • A flaw exists in the ‘DispatchEvents()’ function in ‘layout/style/nsAnimationManager.h’ and ‘layout/style/nsTransitionManager.h’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
  • A flaw exists in ‘dom/base/Console.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
  • A flaw exists in the ‘PeerConnectionMedia::SelfDestruct_m()’ function in ‘media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
  • A flaw exists in the ‘nsICODecoder::ReadDirEntry()’ function in ‘image/decoders/nsICODecoder.cpp’ that is triggered when rendering ICO sub-images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘nsIDNService::IDNA2008ToUnicode()’ function in ‘netwerk/dns/nsIDNService.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists that is triggered as user-supplied input is not properly validated when handling image decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘DiscardTransferables()’ function in ‘vm/StructuredClone.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘Assembler::GetCF32Target()’ function in ‘jit/arm/Assembler-arm.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘GetPcScript()’ function in ‘jit/JitFrames.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘JSFunction::isDerivedClassConstructor()’ function in ‘js/src/jsfun.cpp’ that is triggered when handling lazy self-hosted functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in ‘js/src/jit/Lowering.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘EventListenerManager::HandleEventInternal()’ function in ‘dom/events/EventListenerManager.cpp’. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in ‘layout/base/nsRefreshDriver.cpp’ that is triggered when handling transition events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in ‘dom/media/systemservices/CamerasChild.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in ‘dom/xslt/xslt/txMozillaTextOutput.cpp’ that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in ‘dom/gamepad/windows/WindowsGamepad.cpp’ that is triggered when handling ‘WindowsGamepadService’ shutdown. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
  • A flaw exists in the ‘nsCSPContext::SendReports()’ function in ‘dom/security/nsCSPContext.cpp’ that is triggered during the handling of Content Security Policy (CSP) violation reports. This may allow a context-dependent attacker to overwrite arbitrary files on a user’s machine and potentially gain elevated privileges. (CVE-2016-1954)
  • A flaw exists in ‘dom/security/nsCSPContext.cpp’ that is due to Content Security Policy (CSP) violation reports containing full path information for cross-origin iframe navigations in violation of the CSP specification. This may allow a context-dependent attacker to gain unauthorized access to sensitive information. (CVE-2016-1955)
  • A flaw exists in ‘gfx/gl/GLContext.cpp’ when using Intel video cards that is triggered when performing WebGL operations that require a large amount of buffer memory to be allocated from video memory. This may allow a context-dependent attacker to cause a consumption of memory resources that persists until the system has been restarted. (CVE-2016-1956)
  • Google Stagefright contains a flaw that is triggered during the handling of array destruction during MPEG4 video file processing. This may allow a context-dependent attacker to cause a memory leak, with unspecified consequences. (CVE-2016-1957)
  • An unspecified flaw exists that may allow a context-dependent attacker to spoof the user’s address bar. No further details have been provided. (CVE-2016-1958)
  • A flaw exists in Service Worker Manager that is triggered when handling the Clients API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1959)
  • A use-after-free error exists in the HTML5 string parser. The issue is triggered when parsing a set of table-related tags in a foreign fragment context such as SVG. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1960)
  • A use-after-free error exists in the ‘nsHTMLDocument::SetBody()’ function in ‘dom/html/nsHTMLDocument.cpp’. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1961)
  • A use-after-free error exists in ‘netwerk/sctp/datachannel/DataChannel.cpp’ when using multiple ‘WebRTC’ data channel connections and freeing a data channel connection from within a call. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1962)
  • A flaw exists in the ‘FileReader::DoReadData()’ function in ‘dom/base/FileReader.cpp’. The issue is triggered as user-supplied input is not properly validated when handling modifications to local files that occur while they are being read with the FileReader API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1963)
  • A use-after-free error exists in the ‘txAttribute::execute()’ function in ‘dom/xslt/xslt/txInstructions.cpp’ that is triggered when handling XML transformation operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1964)
  • A flaw exists in the ‘nsLocation::SetProtocol()’ function in ‘dom/base/nsLocation.cpp’ that is triggered when handling history navigation in combination with the location protocol property. This may allow a context-dependent attacker to spoof the contents of the address bar. (CVE-2016-1965)
  • A flaw exists that is triggered when handling history navigation in a restored browser session. This may potentially allow a context-dependent attacker to gain unauthorized access to cross-origin URL information. (CVE-2016-1967)
  • A pointer underflow condition exists in the ‘Brotli’ library. The issue is triggered as user-supplied input is not properly validated when the library is performing decompression. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-1968)
  • A use-after-free flaw exists in the Netscape Plugin Application Programming Interface (NPAPI) plugin within the ‘nsNPObjWrapper::GetNewOrUsed()’ function in ‘dom/plugins/base/nsJSNPRuntime.cpp’. The issue is triggered when handling malicious scripted web content in concert with the plugin. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1966)
  • An integer underflow condition exists in the ‘srtp_unprotect()’ function in ‘netwerk/srtp/src/srtp/srtp.c’ that is triggered when handling SRTP packet lengths. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1970)
  • A flaw exists in the ‘I420VideoFrame::CreateFrame()’ function in WebRTC. The issue is triggered as user-supplied input is not properly validated due to a missing status check. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1971)
  • ‘libvpx’ contains a use-after-free error in ‘vpx_ports/vpx_once.h’ related to a race condition. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1972)
  • A race condition exists in ‘dom/media/systemservices/CamerasChild.h’. The issue is triggered as user-supplied input is not properly validated when handling block-level statistics. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1975)
  • A use-after-free flaw exists in ‘DesktopDisplayDevice::operator=’ in ‘media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_device_info.cc’. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1976)
  • A use-after-free error exists that is triggered by a race condition in ‘GetStaticInstance’ in WebRTC. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1973)
  • A flaw exists in the ‘nsScannerString::AppendUnicodeTo()’ function in ‘parser/htmlparser/nsScannerString.cpp’. The issue is triggered when the program fails to allocate memory during handling of unicode strings. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1974)
  • Mozilla Network Security Services (NSS) contains a use-after-free error in the ‘PK11_ImportDERPrivateKeyInfoAndReturnKey()’ function. The issue is triggered when handling DER encoded keys. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1979)

The Graphite/Libgraphite component used in Mozilla Firefox contains the following vulnerabilities :

  • An out-of-bounds write flaw exists in the ‘setAttr()’ function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1969)
  • A flaw exists in the ‘Machine::Code::decoder::analysis::set_ref()’ function. The issue is triggered as user-supplied input is not properly validated. With a specially crafted font, a context-dependent attacker can corrupt memory to cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-1977)
  • A flaw exists in the ‘GetTableInfo()’ function in ‘TtfUtil.cpp’ related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2790)
  • An out-of-bounds read flaw exists in the ‘GlyphCache::glyph()’ function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2791)
  • An out-of-bounds read flaw exists in the ‘getAttr()’ function in ‘Slot.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2792)
  • An out-of-bounds read flaw exists in ‘CachedCmap.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2793)
  • An out-of-bounds read flaw exists in the ‘CmapSubtable12NextCodepoint()’ function in ‘TtfUtil.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2794)
  • A flaw exists in the ‘FileFace::get_table_fn()’ function related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2795)
  • An out-of-bounds write flaw exists in the ‘vm::Machine::Code::Code()’ function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2796)
  • An out-of-bounds read flaw exists in the ‘CmapSubtable12Lookup()’ function in ‘TtfUtil.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2797)
  • An out-of-bounds read flaw exists in the ‘GlyphCache::Loader::Loader()’ function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2798)
  • An out-of-bounds write flaw exists in the ‘setAttr()’ function in ‘Slot.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2799)
  • An out-of-bounds read flaw exists in the ‘getAttr()’ function in ‘Slot.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2800)
  • An out-of-bounds read flaw exists in the ‘CmapSubtable12Lookup()’ function in ‘TtfUtil.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2801)
  • An out-of-bounds read flaw exists in the ‘CmapSubtable4NextCodepoint()’ function in ‘TtfUtil.cpp’ that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2802)

Affected product:
  Vendor: mozilla
  Product: firefox
  CPE: cpe:/a:mozilla:firefox
