Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 611976 (MFSA-2017-06) - <www-client/firefox{,-bin}-45.8.0: multiple vulnerabilities (MFSA-2017-06)
Summary: <www-client/firefox{,-bin}-45.8.0: multiple vulnerabilities (MFSA-2017-06)
Status: RESOLVED FIXED
Alias: MFSA-2017-06
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5405, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410
Blocks:
  Show dependency tree
 
Reported: 2017-03-07 18:28 UTC by Thomas Deutschmann
Modified: 2017-05-09 19:40 UTC (History)
1 user (show)

See Also:
Package list:
=www-client/firefox-45.8.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2017-03-07 18:28:17 UTC
From $URL:

CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

Impact
    critical

Description
    JIT-spray targeting asm.js combined with a heap spray allows for a
    bypass of ASLR and DEP protections leading to potential memory
    corruption attacks.


CVE-2017-5401: Memory Corruption when handling ErrorResult

Impact
    critical

Description
    A crash triggerable by web content in which an ErrorResult references
    unassigned memory due to a logic error. The resulting crash may be
    exploitable.


CVE-2017-5402: Use-after-free working with events in FontFace objects

Impact
    critical

Description
    A use-after-free can occur when events are fired for a FontFace object
    after the object has been already been destroyed while working with
    fonts. This results in a potentially exploitable crash.


CVE-2017-5404: Use-after-free working with ranges in selections

Impact
    critical

Description
    A use-after-free error can occur when manipulating ranges in
    selections with one node inside a native anonymous tree and one node
    outside of it. This results in a potentially exploitable crash.


CVE-2017-5407: Pixel and history stealing via floating-point timing side
               channel with SVG filters

Impact
    high

Description
    Using SVG filters that don't use the fixed point math implementation
    on a target iframe, a malicious page can extract pixel values from a
    targeted user. This can be used to extract history information and
    read text values across domains. This violates same-origin policy and
    leads to information disclosure.


CVE-2017-5410: Memory corruption during JavaScript garbage collection
               incremental sweeping

Impact
    high

Description
    Memory corruption resulting in a potentially exploitable crash during
    garbage collection of JavaScript due errors in how incremental sweeping
    is managed for memory cleanup.


CVE-2017-5409: File deletion via callback parameter in Mozilla Windows
               Updater and Maintenance Service

Impact
    moderate

Description
    The Mozilla Windows updater can be called by a non-privileged user to
    delete an arbitrary local file by passing a special path to the
    callback parameter through the Mozilla Maintenance Service, which has
    privileged access.
    
    
    Note: This attack requires local system access and only affects
          Windows. Other operating systems are not affected.


CVE-2017-5408: Cross-origin reading of video captions in violation of CORS

Impact
    moderate

Description
    Video files loaded video captions cross-origin without checking for
    the presence of CORS headers permitting such cross-origin use, leading
    to potential information disclosure for video captions.


CVE-2017-5405: FTP response codes can cause use of uninitialized values
               for ports

Impact
    low

Description
    Certain response codes in FTP connections can result in the use of
    uninitialized values for ports in FTP operations.



CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

Impact
    critical

Description
    Mozilla developers and community members Boris Zbarsky, Christian
    Holler, Honza Bambas, Jon Coppeard, Randell Jesup, André Bargull,
    Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in
    Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of
    memory corruption and we presume that with enough effort that some of
    these could be exploited to run arbitrary code.
Comment 1 Thomas Deutschmann gentoo-dev 2017-03-07 18:45:28 UTC
www-client/firefox{,-bin}-51.x (unstable in Gentoo) specific vulnerabilities addressed in 52.x (from https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/):


CVE-2017-5403: Use-after-free using addRange to add range to an incorrect
               root object

Impact
    critical

Description
    When adding a range to an object in the DOM, it is possible to use
    addRange to add the range to an incorrect root object. This triggers a
    use-after-free, resulting in a potentially exploitable crash.


CVE-2017-5406: Segmentation fault in Skia with canvas operations

Impact
    high

Description
    A segmentation fault can occur in the Skia graphics library during some
    canvas operations due to issues with mask/clip intersection and empty
    masks.


CVE-2017-5411: Use-after-free in Buffer Storage in libGLES

Impact
    high

Description
    A use-after-free can occur during buffer storage operations within the
    ANGLE graphics library, used for WebGL content. The buffer storage can
    be freed while still in use in some circumstances, leading to a
    potentially exploitable crash.
    
    Note: This issue is in libGLES, which is only in use on Windows. Other
          operating systems are not affected.


CVE-2017-5412: Buffer overflow read in SVG filters

Impact
    moderate

Description
    A buffer overflow read during SVG filter color value operations,
    resulting in data exposure. 


CVE-2017-5413: Segmentation fault during bidirectional operations

Impact
    moderate

Description
    A segmentation fault can occur during some bidirectional layout
    operations.


CVE-2017-5414: File picker can choose incorrect default directory

Impact
    moderate

Description
    The file picker dialog can choose and display the wrong local default
    directory when instantiated. On some operating systems, this can lead
    to information disclosure, such as the operating system or the local
    account name.


CVE-2017-5415: Addressbar spoofing through blob URL

Impact
    moderate

Description
    An attack can use a blob URL and script to spoof an arbitrary
    addressbar URL prefaced by blob: as the protocol, leading to user
    confusion and further spoofing attacks.


CVE-2017-5416: Null dereference crash in HttpChannel

Impact
    moderate

Description
    In certain circumstances a networking event listener can be prematurely
    released. This appears to result in a null dereference in practice. 


CVE-2017-5417: Addressbar spoofing by draging and dropping URLs

Impact
    moderate

Description
    When dragging content from the primary browser pane to the addressbar
    on a malicious site, it is possible to change the addressbar so that
    the displayed location following navigation does not match the URL of
    the newly loaded page. This allows for spoofing attacks.


CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular
               expression access

Impact
    moderate

Description
    The Gecko Media Plugin sandbox allows access to local files that match
    specific regular expressions. On OS OX, this matching allows access to
    some data in subdirectories of /private/var that could expose personal
    or temporary data. This has been updated to not allow access to
    /private/var and its subdirectories.
    
    Note: this issue only affects OS X. Other operating systems are not
          affected.


CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf
               filter is running

Impact
    moderate

Description
    On Linux, if the secure computing mode BPF (seccomp-bpf) filter is
    running when the Gecko Media Plugin sandbox is started, the sandbox
    fails to be applied and items that would run within the sandbox are run
    protected only by the running filter which is typically weak compared
    to the sandbox.
    
    Note: this issue only affects Linux. Other operating systems are not
          affected.


CVE-2017-5427: Non-existent chrome.manifest file loaded during startup

Impact
    moderate

Description
    A non-existent chrome.manifest file will attempt to be loaded during
    startup from the primary installation directory. If a malicious user
    with local access puts chrome.manifest and other referenced files in
    this directory, they will be loaded and activated during startup. This
    could result in malicious software being added without consent or
    modification of referenced installed files.


CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization
               responses

Impact
    low

Description
    An out of bounds read error occurs when parsing some HTTP digest
    authorization responses, resulting in information leakage through the
    reading of random memory containing matches to specifically set
    patterns.


CVE-2017-5419: Repeated authentication prompts lead to DOS attack

Impact
    low

Description
    If a malicious site repeatedly triggers a modal authentication prompt,
    eventually the browser UI will become non-responsive, requiring
    shutdown through the operating system. This is a denial of service
    (DOS) attack.


CVE-2017-5420: Javascript: URLs can obfuscate addressbar location

Impact
    low

Description
    A javascript: url loaded by a malicious page can obfuscate its location
    by blanking the URL displayed in the addressbar, allowing for an
    attacker to spoof an existing page without the malicious page's
    address being displayed correctly.


CVE-2017-5421: Print preview spoofing

Impact
    low

Description
    A malicious site could spoof the contents of the print preview window
    if popup windows are enabled, resulting in user confusion of what site
    is currently loaded.


CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one
               hyperlink

Impact
    low

Description
    If a malicious site uses the view-source: protocol in a series within
    a single hyperlink, it can trigger a non-exploitable browser crash when
    the hyperlink is selected. This was fixed by no longer making
    view-source: linkable.


CVE-2017-5399: Memory safety bugs fixed in Firefox 52

Impact
    critical

Description
    Mozilla developers and community members Carsten Book, Calixte Denizet,
    Christian Holler, Andrew McCreight, David Bolter, David Keeler, Jon
    Coppeard, Tyson Smith, Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob
    Owen, Jed Davis, Julian Seward, Julian Hector, Philipp, Markus Stange,
    and André Bargull reported memory safety bugs present in Firefox 51.
    Some of these bugs showed evidence of memory corruption and we presume
    that with enough effort that some of these could be exploited to run
    arbitrary code.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-03-08 00:08:08 UTC
Setting Tracker Bug for CVE Purposes.
Comment 3 Thomas Deutschmann gentoo-dev 2017-03-09 19:24:15 UTC
firefox-bin-45.8.0 already marked stable.
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-25 19:25:58 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-25 19:28:16 UTC
ppc64 stable
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 23:07:19 UTC
Can we please finish stabilization on x86
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 01:30:36 UTC
Please finish X86 stabilization as per Vulnerability Treatment Policy should of been done on March 30. Holding up GLSA
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 16:41:18 UTC
Arches and Maintainer(s), Thank you for your work.

Security would really appreciate when you are done with stabilization of cleaning, to just put a quick line in here that it is done. There are a lot of security bugs in play and managing them all takes a lot of time, especially if we have to check if they are stable, or cleaned.

www-client/firefox: marked stable for x86 
Ian Stakenvicius, Fri, 28 Apr 2017 18:30, commit 372eaa6d
firefox-45.8.0.ebuild
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 19:40:43 UTC
This issue was resolved and addressed in
 GLSA 201705-06 at https://security.gentoo.org/glsa/201705-06
by GLSA coordinator Kristian Fiskerstrand (K_F).