Arch Linux Security Advisory ASA-201611-16 ========================================== Severity: Critical Date : 2016-11-16 CVE-ID : CVE-2016-5289 CVE-2016-5290 CVE-2016-5291 CVE-2016-5292 CVE-2016-5296 CVE-2016-5297 CVE-2016-9063 CVE-2016-9064 CVE-2016-9066 CVE-2016-9067 CVE-2016-9068 CVE-2016-9070 CVE-2016-9071 CVE-2016-9073 CVE-2016-9075 CVE-2016-9076 CVE-2016-9077 Package : firefox Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package firefox before version 50.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure, insufficient validation, privilege escalation, content spoofing, same- origin policy bypass and sandbox escape. Resolution ========== Upgrade to 50.0-1. # pacman -Syu "firefox>=50.0-1" The problems have been fixed upstream in version 50.0. Workaround ========== None. Description =========== - CVE-2016-5289 (arbitrary code execution) Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. - CVE-2016-5290 (arbitrary code execution) Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. - CVE-2016-5291 (same-origin policy bypass) A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. - CVE-2016-5292 (arbitrary code execution) During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. - CVE-2016-5296 (arbitrary code execution) A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. - CVE-2016-5297 (arbitrary code execution) An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues. - CVE-2016-9063 (arbitrary code execution) An integer overflow during the parsing of XML using the Expat library. - CVE-2016-9064 (insufficient validation) Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. - CVE-2016-9066 (arbitrary code execution) A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. - CVE-2016-9067 (arbitrary code execution) Two heap-use-after-free errors during DOM operations in nsINode::ReplaceOrInsertBefore resulting in potentially exploitable crashes. - CVE-2016-9068 (arbitrary code execution) A heap-use-after-free in nsRefreshDriver during web animations when working with timelines resulting in a potentially exploitable crash. - CVE-2016-9070 (same-origin policy bypass) A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections. - CVE-2016-9071 (information disclosure) Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. - CVE-2016-9073 (sandbox escape) WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox. - CVE-2016-9075 (privilege escalation) An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission. - CVE-2016-9076 (content spoofing) An issue where a