[arch-security] [ASA-201706-19] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Sat Jun 17 11:10:06 UTC 2017


Arch Linux Security Advisory ASA-201706-19
==========================================

Severity: Critical
Date    : 2017-06-16
CVE-ID  : CVE-2017-5470 CVE-2017-5471 CVE-2017-5472 CVE-2017-7749
          CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754
          CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7762
          CVE-2017-7764 CVE-2017-7771 CVE-2017-7772 CVE-2017-7773
          CVE-2017-7774 CVE-2017-7775 CVE-2017-7776 CVE-2017-7777
          CVE-2017-7778
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-302

Summary
=======

The package firefox before version 54.0-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service,
information disclosure and content spoofing.

Resolution
==========

Upgrade to 54.0-1.

# pacman -Syu "firefox>=54.0-1"

The problems have been fixed upstream in version 54.0.

Workaround
==========

None.

Description
===========

- CVE-2017-5470 (arbitrary code execution)

Several memory safety issues leading to arbitrary code execution have
been found in Firefox < 54.0 and Thunderbird < 52.2.

- CVE-2017-5471 (arbitrary code execution)

Several memory safety issues leading to arbitrary code execution have
been found in Firefox < 54.0.

- CVE-2017-5472 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 54.0 and
Thunderbird < 52.2, in the frameloader during tree reconstruction while
regenerating CSS layout when attempting to use a node in the tree that
no longer exists.

- CVE-2017-7749 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, when using an incorrect URL during the reloading of a docshell.

- CVE-2017-7750 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, during video control operations when a <track> element holds a
reference to an older window if that window has been replaced in the
DOM.

- CVE-2017-7751 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, in content viewer listeners.

- CVE-2017-7752 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, during specific user interactions with the input method editor
(IME) in some languages due to how events are handled. This results in
a potentially exploitable crash but would require specific user
interaction to trigger.

- CVE-2017-7754 (information disclosure)

An out-of-bounds read has been found in Firefox < 54.0 and Thunderbird
< 52.2, with a maliciously crafted ImageInfo object during WebGL
operations.

- CVE-2017-7756 (arbitrary code execution)

A use-after-free and use-after-scope vulnerability has been found in
Firefox < 54.0 and Thunderbird < 52.2, when logging errors from headers
for XML HTTP Requests (XHR).

- CVE-2017-7757 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 54.0 and
Thunderbird < 52.2, in IndexedDB when one of its objects is destroyed
in memory while a method on it is still being executed.

- CVE-2017-7758 (information disclosure)

An out-of-bounds read vulnerability has been found in Firefox < 54.0
and Thunderbird < 52.2, with the Opus encoder when the number of
channels in an audio stream changes while the encoder is in use.

- CVE-2017-7762 (content spoofing)

A security issue has been found in Firefox < 54.0. When entered
directly, Reader Mode did not strip the username and password section
of URLs displayed in the addressbar. This can be used for spoofing the
domain of the current page.

- CVE-2017-7764 (content spoofing)

A security issue has been found in Firefox < 54.0 and Thunderbird <
52.2, where characters from the "Canadian Syllabics" unicode block can
be mixed with characters from other unicode blocks in the addressbar
instead of being rendered as their raw "punycode" form, allowing for
domain name spoofing attacks through character confusion. The current
Unicode standard allows characters from "Aspirational Use Scripts" such
as Canadian Syllabics to be mixed with Latin characters in the
"moderately restrictive" IDN profile. Firefox and Thunderbird behavior
has been changed to match the upcoming Unicode version 10.0 which
removes this category and treats them as "Limited Use Scripts."

- CVE-2017-7771 (information disclosure)

An out-of-bounds read has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in Pass::readPass.

- CVE-2017-7772 (arbitrary code execution)

A heap-buffer-overflow write has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

- CVE-2017-7773 (arbitrary code execution)

A heap-buffer-overflow write has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

- CVE-2017-7774 (information disclosure)

An out-of-bounds read has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in Silf::readGraphite.

- CVE-2017-7775 (denial of service)

An assertion failure has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2.

- CVE-2017-7776 (information disclosure)

A heap-buffer-overflow read has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in Silf::getClassGlyph.

- CVE-2017-7777 (information disclosure)

A use of uninitialized memory has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in
GlyphCache::Loader::read_glyph.

- CVE-2017-7778 (arbitrary code execution)

An out-of-bounds write has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

Impact
======

A remote attacker may be able to crash Firefox, access sensitive
information, spoof content to trick the user into performing an
unwanted action and execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5470
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1359639%2C1349595%2C1352295%2C1352556%2C1342552%2C1342567%2C1346012%2C1366140%2C1368732%2C1297111%2C1362590%2C1357462%2C1363280%2C1349266%2C1352093%2C1348424%2C1347748%2C1356025%2C1325513%2C1367692
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5471
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5472
https://bugzilla.mozilla.org/show_bug.cgi?id=1365602
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7749
https://bugzilla.mozilla.org/show_bug.cgi?id=1355039
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7750
https://bugzilla.mozilla.org/show_bug.cgi?id=1356558
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7751
https://bugzilla.mozilla.org/show_bug.cgi?id=1363396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7752
https://bugzilla.mozilla.org/show_bug.cgi?id=1359547
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7754
https://bugzilla.mozilla.org/show_bug.cgi?id=1357090
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7756
https://bugzilla.mozilla.org/show_bug.cgi?id=1366595
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7757
https://bugzilla.mozilla.org/show_bug.cgi?id=1356824
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7758
https://bugzilla.mozilla.org/show_bug.cgi?id=1368490
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7762
https://bugzilla.mozilla.org/show_bug.cgi?id=1358248
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7778
https://bugzilla.mozilla.org/show_bug.cgi?id=1350047
https://bugzilla.mozilla.org/show_bug.cgi?id=1352745
https://bugzilla.mozilla.org/show_bug.cgi?id=1352747
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7778
https://bugzilla.mozilla.org/show_bug.cgi?id=1355174
https://bugzilla.mozilla.org/show_bug.cgi?id=1355182
https://bugzilla.mozilla.org/show_bug.cgi?id=1356607
https://bugzilla.mozilla.org/show_bug.cgi?id=1358551
https://bugzilla.mozilla.org/show_bug.cgi?id=1349310
https://security.archlinux.org/CVE-2017-5470
https://security.archlinux.org/CVE-2017-5471
https://security.archlinux.org/CVE-2017-5472
https://security.archlinux.org/CVE-2017-7749
https://security.archlinux.org/CVE-2017-7750
https://security.archlinux.org/CVE-2017-7751
https://security.archlinux.org/CVE-2017-7752
https://security.archlinux.org/CVE-2017-7754
https://security.archlinux.org/CVE-2017-7756
https://security.archlinux.org/CVE-2017-7757
https://security.archlinux.org/CVE-2017-7758
https://security.archlinux.org/CVE-2017-7762
https://security.archlinux.org/CVE-2017-7764
https://security.archlinux.org/CVE-2017-7771
https://security.archlinux.org/CVE-2017-7772
https://security.archlinux.org/CVE-2017-7773
https://security.archlinux.org/CVE-2017-7774
https://security.archlinux.org/CVE-2017-7775
https://security.archlinux.org/CVE-2017-7776
https://security.archlinux.org/CVE-2017-7777
https://security.archlinux.org/CVE-2017-7778
