[arch-security] [ASA-201708-3] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Thu Aug 10 21:18:57 UTC 2017


Arch Linux Security Advisory ASA-201708-3
=========================================

Severity: Critical
Date    : 2017-08-10
CVE-ID  : CVE-2017-7753 CVE-2017-7779 CVE-2017-7780 CVE-2017-7781
          CVE-2017-7783 CVE-2017-7784 CVE-2017-7785 CVE-2017-7786
          CVE-2017-7787 CVE-2017-7788 CVE-2017-7789 CVE-2017-7791
          CVE-2017-7792 CVE-2017-7794 CVE-2017-7797 CVE-2017-7798
          CVE-2017-7799 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802
          CVE-2017-7803 CVE-2017-7806 CVE-2017-7807 CVE-2017-7808
          CVE-2017-7809
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-375

Summary
=======

The package firefox before version 55.0-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing,
information disclosure, same-origin policy bypass, access restriction
bypass, cross-site scripting, incorrect calculation, sandbox escape and
denial of service.

Resolution
==========

Upgrade to 55.0-1.

# pacman -Syu "firefox>=55.0-1"

The problems have been fixed upstream in version 55.0.

Workaround
==========

None.

Description
===========

- CVE-2017-7753 (information disclosure)

An out-of-bounds read has been found in Firefox < 55.0 when applying
style rules to pseudo-elements, such as ::first-line, using cached
style data.

- CVE-2017-7779 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 55.0. Some of
these bugs showed evidence of memory corruption and we presume that
with enough effort that some of these could be exploited to run
arbitrary code.

- CVE-2017-7780 (arbitrary code execution)

Several memory safety bugs have been found in Firefox < 55.0. Some of
these bugs showed evidence of memory corruption and we presume that
with enough effort that some of these could be exploited to run
arbitrary code.

- CVE-2017-7781 (incorrect calculation)

An elliptic curve point addition error has been found in Firefox <
55.0. An error occurs in the elliptic curve point addition algorithm
that uses mixed Jacobian-affine coordinates where it can yield a result
POINT_AT_INFINITY when it should not. A man-in-the-middle attacker
could use this to interfere with a connection, resulting in an attacked
party computing an incorrect shared secret.
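Added example (not NSS or Firefox code) of where that decision sits: a mixed Jacobian-affine addition on P-256 in Python, with the h == 0 branch written out, since it must distinguish P == Q (a doubling) from P == -Q (the point at infinity); a textbook affine addition serves as an independent cross-check, and an ECDH agreement check shows how a wrong sum surfaces as two peers holding different shared secrets. The curve constants are the standard P-256 parameters; the private scalars are constructed. The advisory does not identify which step of the NSS routine was wrong, so the code models the class of error rather than the specific defect.

```python
# Added example, not NSS or Firefox code: mixed Jacobian-affine point
# addition on P-256 with the h == 0 branch made explicit.  Curve constants
# are the standard P-256 parameters; private scalars used with it are
# constructed.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity, in either coordinate system


def jac_double(pt):
    """Doubling in Jacobian coordinates (a = -3 formulas)."""
    if pt is INF:
        return INF
    x1, y1, z1 = pt
    if y1 == 0:
        return INF
    delta = z1 * z1 % P
    gamma = y1 * y1 % P
    beta = x1 * gamma % P
    alpha = 3 * (x1 - delta) * (x1 + delta) % P
    x3 = (alpha * alpha - 8 * beta) % P
    z3 = ((y1 + z1) ** 2 - gamma - delta) % P
    y3 = (alpha * (4 * beta - x3) - 8 * gamma * gamma) % P
    return (x3, y3, z3)


def jac_add_affine(pt, q):
    """pt is Jacobian (X, Y, Z); q is affine (x, y).

    h == 0 means both points share an x coordinate.  Either they are equal
    (r == 0, so the sum is a doubling) or they are inverses (r != 0, so the
    sum is the point at infinity).  Collapsing both cases to infinity is the
    kind of error that makes two ECDH peers compute different secrets.
    """
    if q is INF:
        return pt
    if pt is INF:
        return (q[0], q[1], 1)
    x1, y1, z1 = pt
    x2, y2 = q
    z1z1 = z1 * z1 % P
    u2 = x2 * z1z1 % P           # q.x lifted into pt's Jacobian frame
    s2 = y2 * z1z1 * z1 % P      # q.y likewise
    h = (u2 - x1) % P
    r = (s2 - y1) % P
    if h == 0:
        return jac_double(pt) if r == 0 else INF
    hh = h * h % P
    hhh = hh * h % P
    v = x1 * hh % P
    x3 = (r * r - hhh - 2 * v) % P
    y3 = (r * (v - x3) - y1 * hhh) % P
    z3 = z1 * h % P
    return (x3, y3, z3)


def to_affine(pt):
    if pt is INF:
        return INF
    x, y, z = pt
    zinv = pow(z, P - 2, P)
    return (x * zinv * zinv % P, y * zinv * zinv * zinv % P)


def scalar_mult(k, q):
    """Left-to-right double-and-add; q stays affine so every add is mixed."""
    acc = INF
    for bit in bin(k % N)[2:]:
        acc = jac_double(acc)
        if bit == "1":
            acc = jac_add_affine(acc, q)
    return to_affine(acc)


def affine_add(p1, p2):
    """Textbook affine addition, used only as an independent cross-check."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ecdh_agrees(a_priv, b_priv):
    """True when both peers derive the same shared point."""
    a_pub = scalar_mult(a_priv, G)
    b_pub = scalar_mult(b_priv, G)
    return scalar_mult(a_priv, b_pub) == scalar_mult(b_priv, a_pub)
```

The cross-check is the useful part: a mixed-coordinate routine that silently returns infinity where affine_add returns a doubling will disagree with the affine result, and ecdh_agrees turns that disagreement into the symptom the advisory names.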

- CVE-2017-7783 (denial of service)

A denial of service has been found in Firefox < 55.0. If a long user
name is used in a username/password combination in a site URL (such as
http://UserName:Password@example.com), the resulting modal prompt will
hang in a non-responsive state or crash, causing a denial of service.

- CVE-2017-7784 (arbitrary code execution)

A use-after-free issue has been found in Firefox < 55.0, when reading
an image observer during frame reconstruction after the observer has
been freed. This results in a potentially exploitable crash.

- CVE-2017-7785 (arbitrary code execution)

A buffer overflow has been found in Firefox < 55.0, when manipulating
Accessible Rich Internet Applications (ARIA) attributes within the DOM.
This results in a potentially exploitable crash.

- CVE-2017-7786 (arbitrary code execution)

A buffer overflow has been found in Firefox < 55.0, when the image
renderer attempts to paint non-displayable SVG elements. This results
in a potentially exploitable crash.

- CVE-2017-7787 (same-origin policy bypass)

Same-origin policy protections can be bypassed in Firefox < 55.0, on
pages with embedded iframes during page reloads, allowing the iframes
to access content on the top level page and leading to information
disclosure.

- CVE-2017-7788 (access restriction bypass)

A security issue has been found in Firefox < 55.0. When an iframe has a
sandbox attribute and its content is specified using srcdoc, that
content does not inherit the containing page's Content Security Policy
(CSP) as it should, unless the sandbox attribute includes
allow-same-origin.

- CVE-2017-7789 (access restriction bypass)

A security issue has been found in Firefox < 55.0. If a server sends
two Strict-Transport-Security (STS) headers for a single connection,
they will be rejected as invalid and HTTP Strict Transport Security
(HSTS) will not be enabled for the connection.
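The behaviour the fix restores is the one RFC 6797 section 8.1 specifies: when a response carries more than one STS header field, the user agent processes only the first and ignores the rest, rather than rejecting all of them. The Python below is an added example, not Firefox's code; it parses one STS field value, selects the first field from a response, and updates a known-HSTS-host store. The header lists it is exercised with are constructed.

```python
# Added example, not Firefox code: user-agent handling of
# Strict-Transport-Security per RFC 6797.  Section 8.1 requires that when a
# response carries more than one STS header field, only the first is
# processed; the rest are ignored, not treated as an error.
# All response headers used with this code are constructed.
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int               # seconds; 0 means "forget this host"
    include_subdomains: bool


def parse_sts_value(value):
    """Parse one STS field value.  Returns None for a malformed value
    (missing max-age, non-numeric max-age, or a repeated directive),
    which RFC 6797 section 6.1 tells the UA to ignore."""
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        arg = arg.strip().strip('"')       # max-age="3600" is legal
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # unrecognised directives are ignored, not fatal
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def hsts_policy_from_response(headers, over_tls=True):
    """headers: list of (name, value) pairs in wire order.
    Picks the first STS field and ignores any later ones."""
    if not over_tls:
        return None                        # STS over plain HTTP has no effect
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return None
    return parse_sts_value(sts[0])


def update_known_hosts(store, host, headers, over_tls=True):
    """Apply a response to the UA's known-HSTS-host store and return it."""
    policy = hsts_policy_from_response(headers, over_tls)
    if policy is None:
        return store                       # nothing valid: keep prior state
    if policy.max_age == 0:
        store.pop(host, None)              # max-age=0 removes the host
    else:
        store[host] = policy
    return store
```

Note the consequence of "first field wins": if the first STS field is malformed, the response enables nothing even when a later field is valid, so a server that emits the header from two places (application and reverse proxy, say) should make sure the first one is the correct one.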

- CVE-2017-7791 (content spoofing)

A content spoofing issue has been found in Firefox < 55.0. On pages
containing an iframe, the data: protocol can be used to create a modal
alert that will render over arbitrary domains following page
navigation, spoofing the origin of the modal alert from the iframe
content.

- CVE-2017-7792 (arbitrary code execution)

A buffer overflow has been found in Firefox < 55.0, when viewing a
certificate in the certificate manager if the certificate has an
extremely long object identifier (OID). This results in a potentially
exploitable crash.

- CVE-2017-7794 (sandbox escape)

A security issue has been found in Firefox < 55.0. On Linux systems, if
the content process is compromised, the sandbox broker will allow files
to be truncated even though the sandbox explicitly only has read access
to the local file system and no write permissions.
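The practitioner's lesson is that a file broker enforcing "read only" has to vet the open(2) flags, not just the access mode: on Linux, O_RDONLY | O_TRUNC truncates a regular file the process may write to, so a broker that only checks O_ACCMODE hands a compromised content process a way to destroy file contents. The Python below is an added example, not Firefox's sandbox broker, and the advisory does not say which flag check was missing; it shows the insufficient access-mode-only check beside a policy that also rejects mutating flags, and demonstrates the difference on a constructed temporary file.

```python
# Added example, not Firefox's sandbox broker: a read-only file-broker policy
# that vets open(2) flags rather than only the access mode.  On Linux,
# O_RDONLY | O_TRUNC truncates a writable regular file, so a broker that only
# checks O_ACCMODE lets a "read-only" client wipe file contents.
# The file and its contents below are constructed.
import os
import tempfile

# Flags that modify the file system even when the access mode is O_RDONLY.
MUTATING_FLAGS = os.O_TRUNC | os.O_CREAT | os.O_APPEND

# Named flag combinations used in the demonstration.
RDONLY_TRUNC = os.O_RDONLY | os.O_TRUNC    # the dangerous "read-only" open
RDONLY_CREAT = os.O_RDONLY | os.O_CREAT
RDWR_APPEND = os.O_RDWR | os.O_APPEND


def accmode_only_policy(flags):
    """The insufficient check: looks at the access mode alone."""
    return flags & os.O_ACCMODE == os.O_RDONLY


def read_only_policy(flags):
    """Access mode must be O_RDONLY and no mutating flag may be set."""
    if flags & os.O_ACCMODE != os.O_RDONLY:
        return False
    return flags & MUTATING_FLAGS == 0


def brokered_open(path, flags, policy=read_only_policy):
    """Open on behalf of a sandboxed client only if the policy permits."""
    if not policy(flags):
        raise PermissionError("broker denied open(%r, %#o)" % (path, flags))
    return os.open(path, flags)


def truncation_demo(policy):
    """Write a 15-byte file, ask the broker for O_RDONLY | O_TRUNC under the
    given policy, and return the file's size afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "data.txt")
        with open(path, "wb") as f:
            f.write(b"fifteen bytes!!")   # constructed contents, 15 bytes
        try:
            os.close(brokered_open(path, RDONLY_TRUNC, policy))
        except PermissionError:
            pass                           # denied: file left untouched
        return os.path.getsize(path)
```

Under accmode_only_policy the file ends up empty; under read_only_policy the open is refused and the 15 bytes survive. The same reasoning applies to O_CREAT (creates files) and O_APPEND (meaningless without write access, but harmless to reject).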

- CVE-2017-7797 (access restriction bypass)

A security issue has been found in Firefox < 55.0. Response header name
interning does not have same-origin protections and these headers are
stored in a global registry. This allows stored header names to be
available cross-origin.

- CVE-2017-7798 (arbitrary code execution)

A XUL injection has been found in Firefox < 55.0, in the style editor
in devtools. The Developer Tools feature suffers from a XUL injection
vulnerability due to improper sanitization of the web page source code.
In the worst case, this could allow arbitrary code execution when
opening a malicious page with the style editor tool.

- CVE-2017-7799 (cross-site scripting)

A security issue has been found in Firefox < 55.0. JavaScript in the
about:webrtc page is not sanitized properly before being assigned to
innerHTML. Data on this page is supplied by WebRTC usage and is not
under third-party control, making this difficult to exploit, but the
vulnerability could possibly be used for a cross-site scripting (XSS)
attack.

- CVE-2017-7800 (arbitrary code execution)

A use-after-free issue has been found in Firefox < 55.0, in WebSockets,
when the object holding the connection is freed before the
disconnection operation is finished. This results in an exploitable
crash.

- CVE-2017-7801 (arbitrary code execution)

A use-after-free issue has been found in Firefox < 55.0 while
recomputing layout for a marquee element during window resizing, where
the updated style object is freed while still in use. This results in a
potentially exploitable crash.

- CVE-2017-7802 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 55.0, when
manipulating the DOM during the resize event of an image element. If
these elements have been freed due to a lack of strong references, a
potentially exploitable crash may occur when the freed elements are
accessed.

- CVE-2017-7803 (access restriction bypass)

A security issue has been found in Firefox < 55.0. When a page’s
content security policy (CSP) header contains a sandbox directive,
other directives are ignored. This results in the incorrect enforcement
of CSP.

- CVE-2017-7806 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 55.0, when
the layer manager is freed too early when rendering specific SVG
content, resulting in a potentially exploitable crash.

- CVE-2017-7807 (content spoofing)

A domain hijacking flaw has been found in Firefox < 55.0. AppCache's
fallback mechanism can be used to hijack a URL in a domain by serving
the fallback files from a sub-path on the domain. This has been
addressed by requiring that fallback files be inside the manifest
directory.

- CVE-2017-7808 (information disclosure)

A CSP information leak has been found in Firefox < 55.0. A content
security policy (CSP) frame-ancestors directive containing origins with
paths allows for comparisons against those paths instead of the origin.
This results in a cross-origin information leak of this path
information.
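The two CSP items above (CVE-2017-7803 and CVE-2017-7808) come down to two rules a policy engine has to get right: a sandbox directive is one directive among the others, not a switch that discards them, and frame-ancestors is matched on origin (scheme, host, port), so a path in a source expression neither grants anything nor lets a cross-origin ancestor learn anything about paths. The Python below is an added example, not Firefox's CSP implementation: a parser that retains every directive, and an ancestor check whose result is the same whatever path the ancestor or the source expression carries. The policies and URLs it is exercised with are constructed, and the helper names are mine.

```python
# Added example, not Firefox code: a CSP parser that keeps every directive
# (a 'sandbox' directive must not cause the others to be dropped) and a
# frame-ancestors check that compares origins only, so a path in a source
# expression can neither grant nor leak anything.
# Policies and URLs used with this code are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy):
    """Serialized policy -> {directive: [source tokens]}.  All directives are
    retained; a repeated directive name keeps its first occurrence."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_of(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def _host_source_matches(src, origin, page_scheme):
    """Match one host-source (optional scheme, port, wildcard host) against an
    origin.  Any path component of the source is dropped before comparison."""
    scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
    hostport = rest.split("/", 1)[0]                       # path discarded here
    host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
    a_scheme, a_host, a_port = origin
    if scheme:
        if a_scheme != scheme:
            return False
    elif a_scheme != page_scheme:
        return False
    if port and port != "*" and a_port != int(port):
        return False
    if not port and a_port != DEFAULT_PORTS.get(a_scheme):
        return False
    if host == "*":
        return True
    if host.startswith("*."):
        return a_host.endswith(host[1:]) and a_host != host[2:]
    return a_host == host


def ancestor_allowed(policy, page_url, ancestor_url):
    """True if ancestor_url may embed page_url under this policy.
    frame-ancestors does not fall back to default-src; absent the
    directive, CSP places no restriction on framing."""
    sources = parse_csp(policy).get("frame-ancestors")
    if sources is None:
        return True
    page_scheme, page_host, page_port = origin_of(page_url)
    origin = origin_of(ancestor_url)
    for src in sources:
        tok = src.lower()
        if tok == "'none'":
            continue                                        # matches nothing
        if tok == "'self'":
            if origin == (page_scheme, page_host, page_port):
                return True
        elif tok.endswith(":") and "/" not in tok:
            if origin[0] == tok[:-1]:                       # scheme-source
                return True
        elif _host_source_matches(tok, origin, page_scheme):
            return True
    return False
```

The check worth keeping in mind: for a fixed policy and page, ancestor_allowed must return the same value for any two ancestor URLs that share an origin. If it ever does not, the ancestor's path has influenced a cross-origin decision, which is exactly the leak CVE-2017-7808 describes.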

- CVE-2017-7809 (arbitrary code execution)

A use-after-free issue has been found in Firefox < 55.0, when an editor
DOM node is deleted prematurely during tree traversal while still bound
to the document. This results in a potentially exploitable crash.

Impact
======

A remote attacker can access sensitive information, bypass security
restrictions, crash the browser or execute arbitrary code on the
affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7753
https://bugzilla.mozilla.org/show_bug.cgi?id=1353312
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7779
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1354443%2C1368576%2C1366903%2C1369913%2C1371424%2C1346590%2C1371890%2C1372985%2C1362924%2C1368105%2C1369994%2C1371283%2C1368362%2C1378826%2C1380426%2C1368030%2C1373220%2C1321384%2C1383002
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7780
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1353763%2C1353356%2C1370070%2C1375435%2C1373663%2C1363150%2C1370817%2C1273678%2C1367850%2C1347968%2C1361749%2C1349138%2C1371982%2C1344666%2C1369836%2C1330739%2C1371511%2C1371484
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781
https://bugzilla.mozilla.org/show_bug.cgi?id=1352039
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7783
https://bugzilla.mozilla.org/show_bug.cgi?id=1360842
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7784
https://bugzilla.mozilla.org/show_bug.cgi?id=1376087
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7785
https://bugzilla.mozilla.org/show_bug.cgi?id=1356985
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7786
https://bugzilla.mozilla.org/show_bug.cgi?id=1365189
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7787
https://bugzilla.mozilla.org/show_bug.cgi?id=1322896
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7788
https://bugzilla.mozilla.org/show_bug.cgi?id=1073952
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7789
https://bugzilla.mozilla.org/show_bug.cgi?id=1074642
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7791
https://bugzilla.mozilla.org/show_bug.cgi?id=1365875
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7792
https://bugzilla.mozilla.org/show_bug.cgi?id=1368652
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7794
https://bugzilla.mozilla.org/show_bug.cgi?id=1374281
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7797
https://bugzilla.mozilla.org/show_bug.cgi?id=1334776
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7798
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1371586%2C1372112
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7799
https://bugzilla.mozilla.org/show_bug.cgi?id=1372509
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7800
https://bugzilla.mozilla.org/show_bug.cgi?id=1374047
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7801
https://bugzilla.mozilla.org/show_bug.cgi?id=1371259
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7802
https://bugzilla.mozilla.org/show_bug.cgi?id=1378147
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7803
https://bugzilla.mozilla.org/show_bug.cgi?id=1377426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7806
https://bugzilla.mozilla.org/show_bug.cgi?id=1378113
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7807
https://bugzilla.mozilla.org/show_bug.cgi?id=1376459
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7808
https://bugzilla.mozilla.org/show_bug.cgi?id=1367531
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7809
https://bugzilla.mozilla.org/show_bug.cgi?id=1380284
https://security.archlinux.org/CVE-2017-7753
https://security.archlinux.org/CVE-2017-7779
https://security.archlinux.org/CVE-2017-7780
https://security.archlinux.org/CVE-2017-7781
https://security.archlinux.org/CVE-2017-7783
https://security.archlinux.org/CVE-2017-7784
https://security.archlinux.org/CVE-2017-7785
https://security.archlinux.org/CVE-2017-7786
https://security.archlinux.org/CVE-2017-7787
https://security.archlinux.org/CVE-2017-7788
https://security.archlinux.org/CVE-2017-7789
https://security.archlinux.org/CVE-2017-7791
https://security.archlinux.org/CVE-2017-7792
https://security.archlinux.org/CVE-2017-7794
https://security.archlinux.org/CVE-2017-7797
https://security.archlinux.org/CVE-2017-7798
https://security.archlinux.org/CVE-2017-7799
https://security.archlinux.org/CVE-2017-7800
https://security.archlinux.org/CVE-2017-7801
https://security.archlinux.org/CVE-2017-7802
https://security.archlinux.org/CVE-2017-7803
https://security.archlinux.org/CVE-2017-7806
https://security.archlinux.org/CVE-2017-7807
https://security.archlinux.org/CVE-2017-7808
https://security.archlinux.org/CVE-2017-7809
