Arch Linux Security Advisory ASA-201704-6
=========================================

Severity: Critical
Date    : 2017-04-21
CVE-ID  : CVE-2017-5429 CVE-2017-5430 CVE-2017-5432 CVE-2017-5433
          CVE-2017-5434 CVE-2017-5435 CVE-2017-5436 CVE-2017-5437
          CVE-2017-5438 CVE-2017-5439 CVE-2017-5440 CVE-2017-5441
          CVE-2017-5442 CVE-2017-5443 CVE-2017-5444 CVE-2017-5445
          CVE-2017-5446 CVE-2017-5447 CVE-2017-5448 CVE-2017-5449
          CVE-2017-5451 CVE-2017-5453 CVE-2017-5454 CVE-2017-5455
          CVE-2017-5456 CVE-2017-5458 CVE-2017-5459 CVE-2017-5460
          CVE-2017-5461 CVE-2017-5464 CVE-2017-5465 CVE-2017-5466
          CVE-2017-5467 CVE-2017-5468 CVE-2017-5469
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-249

Summary
=======

The package firefox before version 53.0-1 is vulnerable to multiple issues
including arbitrary code execution, cross-site scripting, access restriction
bypass, arbitrary filesystem access, denial of service, information
disclosure and content spoofing.

Resolution
==========

Upgrade to 53.0-1.

# pacman -Syu "firefox>=53.0-1"

The problems have been fixed upstream in version 53.0.

Workaround
==========

None.

Description
===========

- CVE-2017-5429 (arbitrary code execution)

Mozilla developers and community members Christian Holler, Jon Coppeard,
Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob Clary, and Chris
Peterson reported memory safety bugs present in Firefox 52, Firefox ESR 45.8,
and Firefox ESR 52. Some of these bugs showed evidence of memory corruption,
and we presume that with enough effort some of these could be exploited to
run arbitrary code.

- CVE-2017-5430 (arbitrary code execution)

Mozilla developers and community members Christian Holler, Jon Coppeard,
Milan Sreckovic, Tyson Smith, Ronald Crane, Randell Jesup, Philipp, Tooru
Fujisawa, and Kan-Ru Chen reported memory safety bugs present in Firefox 52
and Firefox ESR 52. Some of these bugs showed evidence of memory corruption,
and we presume that with enough effort some of these could be exploited to
run arbitrary code.

- CVE-2017-5432 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It occurs
during certain text input selection and results in a potentially exploitable
crash.

- CVE-2017-5433 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It occurs in
SMIL animation functions when pointers to animation elements in an array are
dropped from the animation controller while still in use. This results in a
potentially exploitable crash.

- CVE-2017-5434 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It occurs when
redirecting focus handling and results in a potentially exploitable crash.

- CVE-2017-5435 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It occurs
during transaction processing in the editor during design mode interactions
and results in a potentially exploitable crash.

- CVE-2017-5436 (arbitrary code execution)

An out-of-bounds write has been found in the Graphite 2 library, triggered
by a maliciously crafted Graphite font. This results in a potentially
exploitable crash. This issue was fixed in the Graphite 2 library as well as
in Mozilla products.

- CVE-2017-5437 (denial of service)

Three vulnerabilities were reported in the Libevent library that allow for
out-of-bounds reads and denial of service (DoS) attacks: CVE-2016-10195,
CVE-2016-10196, and CVE-2016-10197. These were fixed in the Libevent library
and the changes were ported to Mozilla code in Firefox 53.

- CVE-2017-5438 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53 during XSLT
processing, due to the result handler being held by a freed handler during
handling. This results in a potentially exploitable crash.

- CVE-2017-5439 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53 during XSLT
processing, due to poor handling of template parameters. This results in a
potentially exploitable crash.

- CVE-2017-5440 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53 during XSLT
processing, due to a failure to propagate error conditions during matching
while evaluating context, leading to objects being used when they no longer
exist. This results in a potentially exploitable crash.

- CVE-2017-5441 (arbitrary code execution)

A use-after-free vulnerability when holding a selection during scroll events
has been found in Firefox < 53. This results in a potentially exploitable
crash.

- CVE-2017-5442 (arbitrary code execution)

A use-after-free vulnerability during changes in style when manipulating DOM
elements has been found in Firefox < 53. This results in a potentially
exploitable crash.

- CVE-2017-5443 (arbitrary code execution)

An out-of-bounds write vulnerability has been found in Firefox < 53 while
decoding improperly formed BinHex format archives.

- CVE-2017-5444 (information disclosure)

A buffer overflow vulnerability has been found in Firefox < 53 while parsing
application/http-index-format content when the header contains improperly
formatted data. This allows for an out-of-bounds read of data from memory.

- CVE-2017-5445 (information disclosure)

A vulnerability has been found in Firefox < 53 while parsing
application/http-index-format content, where uninitialized values are used
to create an array. This could allow uninitialized memory to be read into
the affected arrays.

- CVE-2017-5446 (arbitrary code execution)

An out-of-bounds read has been found in Firefox < 53 when a server on an
HTTP/2 connection sends DATA frames with incorrect data content. This leads
to a potentially exploitable crash.

- CVE-2017-5447 (arbitrary code execution)

An out-of-bounds read has been found in Firefox < 53 during the processing
of glyph widths while rendering text layout. This results in a potentially
exploitable crash and could allow an attacker to read otherwise inaccessible
memory.

- CVE-2017-5448 (arbitrary code execution)

A security issue has been found in Firefox < 53: an out-of-bounds write in
ClearKeyDecryptor while decrypting some Clearkey-encrypted media content. The
ClearKeyDecryptor code runs within the Gecko Media Plugin (GMP) sandbox. If a
second mechanism is found to escape the sandbox, this vulnerability allows
for the writing of arbitrary data within memory, resulting in a potentially
exploitable crash.

- CVE-2017-5449 (arbitrary code execution)

A possibly exploitable crash has been found in Firefox < 53, triggered during
layout and manipulation of bidirectional Unicode text in concert with CSS
animations.

- CVE-2017-5451 (content spoofing)

A security issue has been found in Firefox < 53 that allows the addressbar
to be spoofed through user interaction on the addressbar and the onblur
event. The event could be used by script to affect text display, making the
loaded site appear to be different from the one actually loaded within the
addressbar.

- CVE-2017-5453 (content spoofing)

A security issue has been found in Firefox < 53 that allows static HTML to
be injected into the RSS reader preview page, due to a failure to escape
characters sent as URL parameters for a feed's TITLE element. This
vulnerability allows for spoofing, but no scripted content can be run.

- CVE-2017-5454 (access restriction bypass)

A security issue has been found in Firefox < 53 that allows file system
access protections in the sandbox to be bypassed: the file picker can be used
to access files other than those selected in the file picker through the use
of relative paths. This allows for read-only access to the local file system.

- CVE-2017-5455 (access restriction bypass)

A security issue has been found in Firefox < 53. The internal feed reader
APIs that crossed the sandbox barrier allowed for a sandbox escape and
escalation of privilege if combined with another vulnerability that resulted
in remote code execution inside the sandboxed process.

- CVE-2017-5456 (arbitrary filesystem access)

A security issue has been found in Firefox < 53 that allows file system
access protections in the sandbox to be bypassed using the file system
request constructor through an IPC message. This allows for read and write
access to the local file system.

- CVE-2017-5458 (cross-site scripting)

An issue has been found in Firefox < 53. When a javascript: URL is dragged
and dropped by a user into the addressbar, the URL will be processed and
executed. This allows users to be socially engineered into executing an XSS
attack on themselves.

- CVE-2017-5459 (arbitrary code execution)

A buffer overflow has been found in the WebGL part of Firefox < 53. It is
triggerable by web content, resulting in a potentially exploitable crash.

- CVE-2017-5460 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 53. It is located
in frame selection and is triggered by a combination of malicious script
content and key presses by a user. This results in a potentially exploitable
crash.

- CVE-2017-5461 (arbitrary code execution)

An out-of-bounds write during a Base64 decoding operation has been found in
the Network Security Services (NSS) library, due to insufficient memory being
allocated to the buffer. An attacker could use this flaw to create a
specially crafted certificate which, when parsed by NSS, could cause it to
crash or execute arbitrary code with the permissions of the user running an
application compiled against the NSS library. The issue has been fixed in
NSS releases 3.29.5 and 3.30.1.

- CVE-2017-5464 (arbitrary code execution)

A security issue has been found in Firefox < 53. During DOM manipulations of
the accessibility tree through script, the DOM tree can become out of sync
with the accessibility tree, leading to memory corruption and a potentially
exploitable crash.

- CVE-2017-5465 (information disclosure)

An out-of-bounds read has been found in Firefox < 53 while processing SVG
content in ConvolvePixel. This results in a crash and also allows otherwise
inaccessible memory to be copied into SVG graphic content, which could then
be displayed.

- CVE-2017-5466 (cross-site scripting)

An origin confusion issue has been found in Firefox < 53. If a page is loaded
from an original site through a hyperlink and contains a redirect to a
data:text/html URL, triggering a reload will run the reloaded data:text/html
page with its origin set incorrectly. This allows for a cross-site scripting
(XSS) attack.

- CVE-2017-5467 (denial of service)

A potential memory corruption and crash has been found in Firefox < 53 when
using Skia content to draw outside of the bounds of a clipping region.

- CVE-2017-5468 (denial of service)

An issue with the incorrect ownership model of privateBrowsing information
exposed through developer tools has been found in Firefox < 53. This can
result in a non-exploitable crash when manually triggered during debugging.

- CVE-2017-5469 (arbitrary code execution)

Several potential buffer overflows in generated code, due to the
CVE-2016-6354 issue in Flex, have been fixed in Firefox 53.

Impact
======

A remote attacker can spoof content, bypass access restrictions, access
arbitrary files and sensitive information, crash the application and execute
arbitrary code on the affected host.
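As an added check for the Resolution step (example code written for this page, not part of the advisory or of pacman), the script below reads `pacman -Q` output and reports which advisory packages are still below the fixed version. The version ordering is a simplified model of Arch's epoch:pkgver-pkgrel format (an assumption that is sufficient for firefox-style numeric versions; it is not pacman's full vercmp), and the sample output is constructed.

```python
"""Report packages still below the fixed version from ASA-201704-6."""
# Added example, not part of the advisory. The comparison below is a
# simplified model of Arch's "epoch:pkgver-pkgrel" ordering (assumption:
# enough for firefox-style numeric versions; it is NOT pacman's vercmp).

FIXED_VERSION = "53.0-1"   # fixed firefox version stated in the advisory


def parse_version(ver):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver segments, pkgrel)."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = ver.partition("-")
    rel = float(pkgrel) if pkgrel else 0.0
    segs = [int(s) if s.isdigit() else s for s in pkgver.split(".")]
    return epoch, segs, rel


def version_key(ver):
    """Sortable key; numeric segments rank above purely alphabetic ones."""
    epoch, segs, rel = parse_version(ver)
    tagged = [(1, s) if isinstance(s, int) else (0, s) for s in segs]
    return (epoch, tagged, rel)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed one."""
    return version_key(installed) < version_key(fixed)


def affected_packages(pacman_q_output, advisory):
    """Return {name: installed_version} for advisory packages still vulnerable.

    pacman_q_output is text in the 'name version' form printed by `pacman -Q`;
    advisory maps a package name to the version the advisory says fixes it.
    """
    found = {}
    for line in pacman_q_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue            # skip blank or malformed lines
        name, ver = parts
        if name in advisory and is_vulnerable(ver, advisory[name]):
            found[name] = ver
    return found


# Constructed sample of `pacman -Q` output (not captured from a real host).
SAMPLE_PACMAN_Q = """\
firefox 52.0.2-1
pacman 5.0.1-4
"""

if __name__ == "__main__":
    print(affected_packages(SAMPLE_PACMAN_Q, {"firefox": FIXED_VERSION}))
```

On a live host, pipe the real output in instead of the sample, e.g. `pacman -Q | python3 check.py` with `sys.stdin.read()` in place of `SAMPLE_PACMAN_Q`.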
References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5429
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1343261%2C1350844%2C1341096%2C1342823%2C1348894%2C1348941%2C1349340%2C1352926%2C1353088%2C
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5430
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1342101%2C1340482%2C1344686%2C1329796%2C1346419%2C1349621%2C1344081%2C1344305%2C1348143%2C1349719%2C1353476%2C1337418%2C1346140%2C1339722
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5432
https://bugzilla.mozilla.org/show_bug.cgi?id=1346654
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5433
https://bugzilla.mozilla.org/show_bug.cgi?id=1347168
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5434
https://bugzilla.mozilla.org/show_bug.cgi?id=1349946
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5435
https://bugzilla.mozilla.org/show_bug.cgi?id=1350683
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5436
https://bugzilla.mozilla.org/show_bug.cgi?id=1345461
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5437
https://bugzilla.mozilla.org/show_bug.cgi?id=1343453
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5438
https://bugzilla.mozilla.org/show_bug.cgi?id=1336828
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5439
https://bugzilla.mozilla.org/show_bug.cgi?id=1336830
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5440
https://bugzilla.mozilla.org/show_bug.cgi?id=1336832
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5441
https://bugzilla.mozilla.org/show_bug.cgi?id=1343795
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5442
https://bugzilla.mozilla.org/show_bug.cgi?id=1347979
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5443
https://bugzilla.mozilla.org/show_bug.cgi?id=1342661
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5444
https://bugzilla.mozilla.org/show_bug.cgi?id=1344461
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5445
https://bugzilla.mozilla.org/show_bug.cgi?id=1344467
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5446
https://bugzilla.mozilla.org/show_bug.cgi?id=1343505
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5447
https://bugzilla.mozilla.org/show_bug.cgi?id=1343552
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5448
https://bugzilla.mozilla.org/show_bug.cgi?id=1346648
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5449
https://bugzilla.mozilla.org/show_bug.cgi?id=1340127
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5451
https://bugzilla.mozilla.org/show_bug.cgi?id=1273537
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5453
https://bugzilla.mozilla.org/show_bug.cgi?id=1321247
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5454
https://bugzilla.mozilla.org/show_bug.cgi?id=1349276
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5455
https://bugzilla.mozilla.org/show_bug.cgi?id=1341191
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5456
https://bugzilla.mozilla.org/show_bug.cgi?id=1344415
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5458
https://bugzilla.mozilla.org/show_bug.cgi?id=1229426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5459
https://bugzilla.mozilla.org/show_bug.cgi?id=1333858
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5460
https://bugzilla.mozilla.org/show_bug.cgi?id=1343642
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461
https://bugzilla.mozilla.org/show_bug.cgi?id=1344380
https://hg.mozilla.org/projects/nss/rev/ac34db053672
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5464
https://bugzilla.mozilla.org/show_bug.cgi?id=1347075
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5465
https://bugzilla.mozilla.org/show_bug.cgi?id=1347617
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5466
https://bugzilla.mozilla.org/show_bug.cgi?id=1353975
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5467
https://bugzilla.mozilla.org/show_bug.cgi?id=1347262
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5468
https://bugzilla.mozilla.org/show_bug.cgi?id=1329521
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5469
https://bugzilla.mozilla.org/show_bug.cgi?id=1292534
https://security.archlinux.org/CVE-2017-5429
https://security.archlinux.org/CVE-2017-5430
https://security.archlinux.org/CVE-2017-5432
https://security.archlinux.org/CVE-2017-5433
https://security.archlinux.org/CVE-2017-5434
https://security.archlinux.org/CVE-2017-5435
https://security.archlinux.org/CVE-2017-5436
https://security.archlinux.org/CVE-2017-5437
https://security.archlinux.org/CVE-2017-5438
https://security.archlinux.org/CVE-2017-5439
https://security.archlinux.org/CVE-2017-5440
https://security.archlinux.org/CVE-2017-5441
https://security.archlinux.org/CVE-2017-5442
https://security.archlinux.org/CVE-2017-5443
https://security.archlinux.org/CVE-2017-5444
https://security.archlinux.org/CVE-2017-5445
https://security.archlinux.org/CVE-2017-5446
https://security.archlinux.org/CVE-2017-5447
https://security.archlinux.org/CVE-2017-5448
https://security.archlinux.org/CVE-2017-5449
https://security.archlinux.org/CVE-2017-5451
https://security.archlinux.org/CVE-2017-5453
https://security.archlinux.org/CVE-2017-5454
https://security.archlinux.org/CVE-2017-5455
https://security.archlinux.org/CVE-2017-5456
https://security.archlinux.org/CVE-2017-5458
https://security.archlinux.org/CVE-2017-5459
https://security.archlinux.org/CVE-2017-5460
https://security.archlinux.org/CVE-2017-5461
https://security.archlinux.org/CVE-2017-5464
https://security.archlinux.org/CVE-2017-5465
https://security.archlinux.org/CVE-2017-5466
https://security.archlinux.org/CVE-2017-5467
https://security.archlinux.org/CVE-2017-5468
https://security.archlinux.org/CVE-2017-5469