nessus
This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
OPENSUSE-2016-1271.NASL
History: Nov 07, 2016 - 12:00 a.m.

openSUSE Security Update : Mozilla Firefox (openSUSE-2016-1271)

2016-11-07 00:00:00
This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10

Mozilla Firefox was updated to 49.0.2 to fix two security issues and some bugs.

The following vulnerabilities were fixed :

  • CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)

  • CVE-2016-5288: Web content can read cache entries (bsc#1006476)

The following changes and fixes are included :

  • Asynchronous rendering of the Flash plugins is now enabled by default

  • Change D3D9 default fallback preference to prevent graphical artifacts

  • Network issue prevents some users from seeing the Firefox UI on startup

  • Web compatibility issue with file uploads

  • Web compatibility issue with Array.prototype.values

  • Diagnostic information on timing for tab switching

  • Fix a Canvas filters graphics issue affecting HTML5 apps

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-1271.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Metadata registration. This branch runs only when `description` is true: it
# declares the plugin's identity, advisory text, severity and prerequisites,
# then leaves through exit(0) below without performing any check on the host.
if (description)
{
  script_id(94602);
  script_version("2.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  # CVE identifiers this advisory is mapped to.
  script_cve_id("CVE-2016-5287", "CVE-2016-5288");

  script_name(english:"openSUSE Security Update : Mozilla Firefox (openSUSE-2016-1271)");
  script_summary(english:"Check for the openSUSE-2016-1271 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  # Advisory text for openSUSE-2016-1271. It lists the two CVEs first and then
  # non-security changes shipped in the same 49.0.2 update.
  script_set_attribute(
    attribute:"description", 
    value:
"Mozilla Firefox was updated to 49.0.2 to fix two security issues and
some bugs.

The following vulnerabilities were fixed :

  - CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)

  - CVE-2016-5288: Web content can read cache entries
    (bsc#1006476)

    The following changes and fixes are included :

  - Asynchronous rendering of the Flash plugins is now
    enabled by default

  - Change D3D9 default fallback preference to prevent
    graphical artifacts

  - Network issue prevents some users from seeing the
    Firefox UI on startup

  - Web compatibility issue with file uploads

  - Web compatibility issue with Array.prototype.values

  - Diagnostic information on timing for tab switching

  - Fix a Canvas filters graphics issue affecting HTML5 apps"
  );
  # One upstream bug reference per CVE (bsc#1006475, bsc#1006476).
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1006475"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1006476"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected Mozilla Firefox packages."
  );
  # A single CVSS v2 / v3.0 vector pair is set for the plugin as a whole, not
  # one per CVE. NOTE(review): the v3.0 vector has UI:N and C/I/A all High;
  # when triaging a finding, compare against the per-CVE scoring rather than
  # assuming both issues carry this rating.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  # "local" plugin type: presumably the verdict is derived from data collected
  # on the host itself, which matches the KB keys required further down.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # Package CPEs (p-cpe) and the OS release CPE this plugin is associated with.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");

  # The vendor patch date precedes the plugin publication date by two days.
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # Prerequisites: ssh_get_info.nasl is declared as a dependency, and the four
  # KB entries below must exist. Judging by their names they are the
  # local-checks flag, the SuSE release string, the installed RPM list and the
  # CPU architecture; the check code reads exactly these keys.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Scope gating. Each test below hands control to audit() (audit.inc) when a
# precondition fails; audit() is expected to end the run with the matching
# "not applicable" reason, so the package comparison that follows is only
# reached on an in-scope host.

# Local checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Only openSUSE 13.1 is covered. A missing release string or a SLED/SLES
# release is reported as "not openSUSE"; any other release as a wrong version.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)")
{
  audit(AUDIT_OS_NOT, "openSUSE");
}
if (release !~ "^(SUSE13\.1)$")
{
  audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1", release);
}

# Without a collected RPM list there is nothing to compare against.
if (!get_kb_item("Host/SuSE/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# The architecture must be known and be one of the three listed here.
ourarch = get_kb_item("Host/cpu");
if (!ourarch)
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if (ourarch !~ "^(i586|i686|x86_64)$")
{
  audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
}

# Package comparison and reporting.
#
# Every Firefox package named in the advisory is passed to rpm_check()
# (rpm.inc) together with the fixed build 49.0.2-128.1 for SUSE13.1.
# rpm_check() is expected to return true when the installed package is older
# than that reference; `flag` counts how many packages matched.
#
# NOTE(review): this is a comparison of package versions from the collected
# RPM list only. It says nothing about whether the running browser was
# restarted after an update, and presumably cannot see a Firefox installed
# outside RPM - confirm before treating a clean result as "not exposed".
flag = 0;

fx_fixed_build = "-49.0.2-128.1";
fx_packages = make_list(
  "MozillaFirefox",
  "MozillaFirefox-branding-upstream",
  "MozillaFirefox-buildsymbols",
  "MozillaFirefox-debuginfo",
  "MozillaFirefox-debugsource",
  "MozillaFirefox-devel",
  "MozillaFirefox-translations-common",
  "MozillaFirefox-translations-other"
);

# Same packages, same order as the advisory's package list.
foreach fx_package (fx_packages)
{
  if ( rpm_check(release:"SUSE13.1", reference:fx_package + fx_fixed_build) ) flag++;
}

if (!flag)
{
  # Nothing matched: distinguish "packages were tested and are up to date"
  # from "none of the packages is installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc");
}
else
{
  # At least one package matched: report the finding through security_hole(),
  # attaching the RPM comparison report when report_verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| novell | opensuse | mozillafirefox | p-cpe:/a:novell:opensuse:mozillafirefox |
| novell | opensuse | mozillafirefox-branding-upstream | p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream |
| novell | opensuse | mozillafirefox-buildsymbols | p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols |
| novell | opensuse | mozillafirefox-debuginfo | p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo |
| novell | opensuse | mozillafirefox-debugsource | p-cpe:/a:novell:opensuse:mozillafirefox-debugsource |
| novell | opensuse | mozillafirefox-devel | p-cpe:/a:novell:opensuse:mozillafirefox-devel |
| novell | opensuse | mozillafirefox-translations-common | p-cpe:/a:novell:opensuse:mozillafirefox-translations-common |
| novell | opensuse | mozillafirefox-translations-other | p-cpe:/a:novell:opensuse:mozillafirefox-translations-other |
| novell | opensuse | 13.1 | cpe:/o:novell:opensuse:13.1 |