Mozilla Firefox < 48.0 Multiple Vulnerabilities

Plugin: Nessus / Tenable 9484.PRM
Published: Aug 26, 2016 - 12:00 a.m. (2016-08-26 00:00:00)
Publisher: Tenable, www.tenable.com

Versions of Mozilla Firefox prior to 48.0 are unpatched for the following vulnerabilities:

  • A flaw is triggered as certain input is not properly validated when handling the ‘BitmapInfoHeader’ in icons. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in ‘js/src/frontend/Parser.cpp’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in the ‘js::array_splice_impl()’ function in ‘js/src/jsarray.cpp’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw is triggered as certain unspecified user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in the ‘OSXNotificationCenter::ShowAlertWithIconData()’ function in ‘widget/cocoa/OSXNotificationCenter.mm’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in the ‘Http2Session::TransactionHasDataToWrite()’ function in ‘netwerk/protocol/http/Http2Session.cpp’ and ‘SpdySession31::TransactionHasDataToWrite()’ function in ‘netwerk/protocol/http/SpdySession31.cpp’. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in the ‘Assembler::bind()’ function in ‘js/src/jit/arm/Assembler-arm.cpp’ that is triggered when handling certain labels. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in the ‘CodeGeneratorShared::assignBailoutId()’ function in ‘js/src/jit/shared/CodeGenerator-shared.cpp’ that is triggered when handling allocation errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • An overflow condition exists in ‘woff2_dec.cc’ that is triggered as certain input is not properly validated when decompressing files. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
  • A flaw exists in the ‘SetPaintPattern()’ function in ‘gfx/2d/DrawTargetSkia.cpp’ that is triggered when handling gradients with non-finite endpoints. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in the ‘PeerConnectionMedia::ProtocolProxyQueryHandler::OnProxyAvailable()’ function in ‘media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A flaw exists in ‘media/mtransport/nr_timer.cpp’ that is triggered when handling timers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • A race condition exists in the ‘MatchKeyHash()’ function in ‘security/pkix/lib/pkixocsp.cpp’ that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
  • An overflow condition exists in the ‘ClearKeyDecryptor::Decrypt()’ function in ‘media/gmp-clearkey/0.1/ClearKeyDecryptionManager.cpp’ used by the Encrypted Media Extensions (EME) API. The issue is triggered as user-supplied input is not properly validated when handling video files. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
  • A flaw is triggered as file URIs dragged from a web page to a different piece of software failed to have the contents properly filtered. This may allow a context-dependent attacker to gain access to potentially sensitive information.
  • A flaw is triggered when handling right-to-left character sets with left-to-right character sets. This may allow a context-dependent attacker to spoof the address bar.
  • A flaw is triggered when handling certain specific ‘about:’ URLs. This may allow a context-dependent attacker to spoof the contents of system information or error messages.
  • A flaw exists in the ‘HttpBaseChannel::GetPerformance()’ function in ‘netwerk/protocol/http/HttpBaseChannel.cpp’ due to the program leaking potentially sensitive resources of URLs through the Resource Timing API during page navigation. This may allow a context-dependent attacker to potentially disclose sensitive information.
  • An integer overflow condition exists in the ‘WebSocketChannel::ProcessInput()’ function in ‘netwerk/protocol/websocket/WebSocketChannel.cpp’. The issue is triggered as user-supplied input is not properly validated when handling specially crafted ‘WebSocketChannel’ packets. This may allow a context-dependent attacker to potentially execute arbitrary code.
  • A use-after-free error exists in the ‘nsNodeUtils::NativeAnonymousChildListChange()’ function. The issue is triggered when applying effects to an SVG element. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
  • A use-after-free error exists in the ‘js::PreliminaryObjectArray::sweep()’ function in JavaScript. The issue is triggered when handling objects and pointers during incremental garbage collection. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
  • A use-after-free error exists in ‘WebRTC’. The issue is triggered when handling DTLS objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
  • A flaw exists in the ‘restorableFormNodes()’ function in ‘toolkit/modules/sessionstore/XPathGenerator.jsm’ that is due to the program persistently storing passwords in plaintext in session restore data. This may allow a context-dependent attacker to potentially gain access to password information.
  • A use-after-free error exists in the ‘WorkerPrivate::DestroySyncLoop()’ function in ‘dom/workers/WorkerPrivate.cpp’. The issue is triggered when handling nested sync event loops in Service Workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
  • A type confusion flaw exists in the ‘nsDisplayList::HitTest()’ function in ‘layout/base/nsDisplayList.cpp’ that is triggered during the handling of display transformations. This may allow a context-dependent attacker to potentially execute arbitrary code.
  • A flaw exists in the ‘nsBaseChannel::Redirect()’ function in ‘netwerk/base/nsBaseChannel.cpp’ that is triggered when a malicious shortcut is called from the same directory as a local HTML file. This may allow a local attacker to bypass the same-origin policy.
  • An underflow condition exists in the ‘mozilla::gfx::BasePoint4d()’ function in ‘gfx/2d/Matrix.h’. The issue is triggered as user-supplied input is not properly validated when calculating clipping regions in 2D graphics. This may allow a context-dependent attacker to cause a stack buffer underflow, potentially allowing the execution of arbitrary code.
  • An overflow condition exists in the ‘nsBidi::BracketData::ProcessPDI()’ function in ‘layout/base/nsBidi.cpp’. The issue is triggered as user-supplied input is not properly validated when rendering SVG format graphics with directional content. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
  • A flaw exists in the ‘Cairo’ graphics layer that is triggered when allocating the ‘LibAV’ header during video decoding. This may allow a context-dependent attacker to crash the Cairo graphics layer.
  • A flaw is due to event handler attributes on a ‘marquee’ tag being executed inside a sandboxed iframe that does not have the allow-scripts flag set. This may allow a context-dependent attacker to bypass XSS protection mechanisms.
  • A flaw is due to the program failing to close connections after requesting favicons. This may allow a context-dependent attacker to continue to send requests to the user’s browser and gain access to potentially sensitive information.
  • A use-after-free error exists in the ‘nsXULPopupManager::KeyDown()’ function in ‘layout/xul/nsXULPopupManager.cpp’. The issue is triggered when using the alt key in conjunction with top level menu items in Firefox. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
  • A flaw is triggered when decoding url-encoded values in ‘data:’ URLs. This may allow a context-dependent attacker to use non-ASCII or emoji characters to spoof the address bar.
  • A flaw exists in ‘toolkit/mozapps/update/updater/updater.cpp’ that is due to the ‘Updater’, when opened using the callback application path parameter, creating a copy of a user specified file as a callback file with a locked hardlink. This may allow a local attacker to run the target file and gain elevated privileges.
  • An unspecified flaw exists that is triggered during the handling of TTC detection. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
  • An out-of-bounds access flaw exists in the ‘ReconstructTransformedHmtx()’ function in ‘woff2_dec.cc’ that may allow a context-dependent attacker to have an unspecified impact.
  • An unspecified flaw exists in ‘woff2_dec.cc’ that may allow a context-dependent attacker to have an unspecified impact.
  • An unspecified flaw exists in ‘woff2_dec.cc’ that is triggered during memory allocation, which may allow a context-dependent attacker to crash a process linked against the library.
Affected product
  Vendor: mozilla
  Product: firefox
  Version: (all prior to 48.0)
  CPE: cpe:/a:mozilla:firefox