
CERT RENATER advisories

By default, this page shows the latest messages sent by CERT RENATER to the community. You can filter by year or by message type. If no criterion is specified, only the latest messages are shown.

Date: Thu, 20 Apr 2017 18:12:26 +0200
Type: VULN
Subject: CERT-Renater : 2017/VULN120 (Mozilla : Multiple Security vulnerabilities fixed in Firefox 53)
===================================================================
                              CERT-Renater

                 Information Note No. 2017/VULN120
_____________________________________________________________________

DATE                : 20/04/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Firefox versions prior to 53,
                     ESR 45.9, ESR 52.1.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
____________________________________________________________________


Mozilla Foundation Security Advisory 2017-10
Security vulnerabilities fixed in Firefox 53

Announced     April 19, 2017
Impact        critical
Products      Firefox
Fixed in
        Firefox 53
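The affected range stated in the header above (Firefox prior to 53, ESR prior to 45.9, ESR prior to 52.1) is easy to get wrong when checking an inventory by hand, because the ESR trains are versioned separately. The following is an added example, not part of the CERT-Renater or Mozilla text; the inventory lines and host names are constructed, and the version-string format assumed is Firefox's "major.minor[.patch][esr]".

```python
"""Added example: flag Firefox builds inside the affected range of MFSA 2017-10
(release < 53, ESR < 45.9, ESR 52.x < 52.1). Not code from the advisory."""
import re

# Accepts '52.0.2', '53.0', '45.8.0esr', '52.0esr'; betas/nightlies are rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(s):
    """Return (major, minor, is_esr) for a Firefox version string."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {s!r}")
    return int(m.group(1)), int(m.group(2)), m.group(4) is not None


def is_affected(version):
    """True if the build is older than the fixed version on its own train."""
    major, minor, esr = parse_version(version)
    if not esr:
        return (major, minor) < (53, 0)
    # ESR: the advisory fixes 45.9 and 52.1. A 52.x ESR is compared against
    # 52.1; anything older than 45.9 (including end-of-life ESR trains) is
    # reported as affected.
    if major == 52:
        return minor < 1
    return (major, minor) < (45, 9)


# Constructed inventory: "host,firefox_version" per line.
INVENTORY = """\
ws-01,52.0.2
ws-02,53.0
ws-03,45.8.0esr
ws-04,52.1.0esr
ws-05,52.0esr
"""


def scan(inventory_csv):
    """Return the hosts whose Firefox falls in the affected range."""
    hits = []
    for line in inventory_csv.splitlines():
        host, ver = line.split(",", 1)
        if is_affected(ver):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print("affected hosts:", scan(INVENTORY))
```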

#CVE-2017-5433: Use-after-free in SMIL animation functions

Reporter      Nils
Impact        critical


Description

A use-after-free vulnerability in SMIL animation functions occurs when
pointers to animation elements in an array are dropped from the
animation controller while still in use. This results in a potentially
exploitable crash.

References

    Bug 1347168


#CVE-2017-5435: Use-after-free during transaction processing in the
editor

Reporter      Nils
Impact        critical

Description

A use-after-free vulnerability occurs during transaction processing in
the editor during design mode interactions. This results in a
potentially exploitable crash.

References

    Bug 1350683


#CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2

Reporter      Holger Fuhrmannek
Impact        critical

Description

An out-of-bounds write in the Graphite 2 library triggered with a
maliciously crafted Graphite font. This results in a potentially
exploitable crash. This issue was fixed in the Graphite 2 library as
well as Mozilla products.

References

    Bug 1345461


#CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS

Reporter      Ronald Crane
Impact        critical

Description

An out-of-bounds write during a Base64 decoding operation in the Network
Security Services (NSS) library due to insufficient memory being
allocated to the buffer. This results in a potentially exploitable
crash. The NSS library has been updated to address this issue, and
Firefox 53 has been updated with NSS version 3.29.5.

References

    Bug 1344380


#CVE-2017-5459: Buffer overflow in WebGL

Reporter      Atte Kettunen
Impact        critical

Description

A buffer overflow in WebGL triggerable by web content, resulting in a
potentially exploitable crash.

References

    Bug 1333858


#CVE-2017-5466: Origin confusion when reloading isolated data:text/html
URL

Reporter      Takeshi Terada
Impact        critical

Description

If a page is loaded from an original site through a hyperlink and
contains a redirect to a data:text/html URL, triggering a reload will
run the reloaded data:text/html page with its origin set incorrectly.
This allows for a cross-site scripting (XSS) attack.

References

    Bug 1353975


#CVE-2017-5434: Use-after-free during focus handling

Reporter      Nils
Impact        high

Description

A use-after-free vulnerability occurs when redirecting focus handling
which results in a potentially exploitable crash.

References

    Bug 1349946


#CVE-2017-5432: Use-after-free in text input selection

Reporter      Nils
Impact        high

Description

A use-after-free vulnerability occurs during certain text input
selection resulting in a potentially exploitable crash.

References

    Bug 1346654


#CVE-2017-5460: Use-after-free in frame selection

Reporter      Nils
Impact        high

Description

A use-after-free vulnerability in frame selection triggered by a
combination of malicious script content and key presses by a user. This
results in a potentially exploitable crash.

References

    Bug 1343642


#CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing

Reporter      Nicolas Grégoire
Impact        high

Description

A use-after-free vulnerability during XSLT processing due to the result
handler being held by a freed handler during handling. This results in
a potentially exploitable crash.

References

    Bug 1336828


#CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing

Reporter      Nicolas Grégoire
Impact        high

Description

A use-after-free vulnerability during XSLT processing due to poor
handling of template parameters. This results in a potentially
exploitable crash.

References

    Bug 1336830


#CVE-2017-5440: Use-after-free in txExecutionState destructor during
XSLT processing

Reporter      Nicolas Grégoire
Impact        high

Description

A use-after-free vulnerability during XSLT processing due to a failure
to propagate error conditions during matching while evaluating context,
leading to objects being used when they no longer exist. This results
in a potentially exploitable crash.

References

    Bug 1336832


#CVE-2017-5441: Use-after-free with selection during scroll events

Reporter      Nils
Impact        high

Description

A use-after-free vulnerability when holding a selection during scroll
events. This results in a potentially exploitable crash.

References

    Bug 1343795


#CVE-2017-5442: Use-after-free during style changes

Reporter      Nils
Impact        high

Description

A use-after-free vulnerability during changes in style when
manipulating DOM elements. This results in a potentially exploitable
crash.

References

    Bug 1347979


#CVE-2017-5464: Memory corruption with accessibility and DOM manipulation

Reporter      Nils
Impact        high

Description

During DOM manipulations of the accessibility tree through script, the
DOM tree can become out of sync with the accessibility tree, leading to
memory corruption and a potentially exploitable crash.

References

    Bug 1347075


#CVE-2017-5443: Out-of-bounds write during BinHex decoding

Reporter      Chamal De Silva
Impact        high

Description

An out-of-bounds write vulnerability while decoding improperly formed
BinHex format archives.

References

    Bug 1342661


#CVE-2017-5444: Buffer overflow while parsing
application/http-index-format content

Reporter      Chamal De Silva
Impact        high

Description

A buffer overflow vulnerability while parsing
application/http-index-format content when the header contains
improperly formatted data. This allows for an out-of-bounds read of
data from memory.

References

    Bug 1344461


#CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with
incorrect data

Reporter      Chun Han Hsiao
Impact        high

Description

An out-of-bounds read when a server on an HTTP/2 connection sends DATA
frames with incorrect data content. This leads to a potentially
exploitable crash.

References

    Bug 1343505


#CVE-2017-5447: Out-of-bounds read during glyph processing

Reporter      Ivan Fratric of Google Project Zero
Impact        high

Description

An out-of-bounds read during the processing of glyph widths during text
layout. This results in a potentially exploitable crash and could allow
an attacker to read otherwise inaccessible memory.

References

    Bug 1343552


#CVE-2017-5465: Out-of-bounds read in ConvolvePixel

Reporter      Ivan Fratric of Google Project Zero
Impact        high

Description

An out-of-bounds read while processing SVG content in ConvolvePixel.
This results in a crash and also allows otherwise inaccessible memory
to be copied into SVG graphic content, which could then be displayed.

References

    Bug 1347617


#CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor

Reporter      Anonymous working with Trend Micro's Zero Day Initiative
Impact        high

Description

An out-of-bounds write in ClearKeyDecryptor while decrypting some
Clearkey-encrypted media content. The ClearKeyDecryptor code runs
within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is
found to escape the sandbox, this vulnerability allows for the writing
of arbitrary data within memory, resulting in a potentially exploitable
crash.

References

    Bug 1346648


#CVE-2017-5437: Vulnerabilities in Libevent library

Reporter      Huzaifa Sidhpurwala
Impact        high

Description

Three vulnerabilities were reported in the Libevent library that allow
for out-of-bounds reads and denial of service (DoS) attacks:
CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. These were fixed in
the Libevent library and these changes were ported to Mozilla code.

References

    Bug 1343453


#CVE-2017-5454: Sandbox escape allowing file system read access through
file picker

Reporter      Haik Aftandilian
Impact        high

Description

A mechanism to bypass file system access protections in the sandbox to
use the file picker to access different files than those selected in
the file picker through the use of relative paths. This allows for read
only access to the local file system.

References

    Bug 1349276


#CVE-2017-5455: Sandbox escape through internal feed reader APIs

Reporter      Paul Theriault
Impact        high

Description

The internal feed reader APIs that crossed the sandbox barrier allowed
for a sandbox escape and escalation of privilege if combined with
another vulnerability that resulted in remote code execution inside the
sandboxed process.

References

    Bug 1341191


#CVE-2017-5456: Sandbox escape allowing local file system access

Reporter      Julian Hector
Impact        high

Description

A mechanism to bypass file system access protections in the sandbox
using the file system request constructor through an IPC message. This
allows for read and write access to the local file system.

References

    Bug 1344415


#CVE-2017-5469: Potential Buffer overflow in flex-generated code

Reporter      Petr Cerny
Impact        high

Description

Fixed potential buffer overflows in generated Firefox code due to the
CVE-2016-6354 issue in Flex.

References

    Bug 1292534


#CVE-2017-5445: Uninitialized values used while parsing
application/http-index-format content

Reporter      Chamal De Silva
Impact        moderate

Description

A vulnerability while parsing application/http-index-format content
where uninitialized values are used to create an array. This could
allow the reading of uninitialized memory into the arrays affected.

References

    Bug 1344467


#CVE-2017-5449: Crash during bidirectional unicode manipulation with
animation

Reporter      Nils
Impact        moderate

Description

A possibly exploitable crash triggered during layout and manipulation
of bidirectional unicode text in concert with CSS animations.

References

    Bug 1340127


#CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox
for Android

Reporter      Haosheng Wang
Impact        moderate

Description

A mechanism to spoof the Firefox for Android addressbar using a
javascript: URI. On Firefox for Android, the base domain is parsed
incorrectly, making the resulting location less visibly a spoofed site
and showing an incorrect domain in appended notifications.

References

    Bug 1325955


#CVE-2017-5451: Addressbar spoofing with onblur event

Reporter      Jordi Chancel
Impact        moderate

Description

A mechanism to spoof the addressbar through the user interaction on the
addressbar and the onblur event. The event could be used by script to
affect text display to make the loaded site appear to be different from
the one actually loaded within the addressbar.

References

    Bug 1273537


#CVE-2017-5462: DRBG flaw in NSS

Reporter      Vladimir Klebanov, Franziskus Kiefer
Impact        moderate

Description

A flaw in DRBG number generation within the Network Security Services
(NSS) library where the internal state V does not correctly carry bits
over. The NSS library has been updated to address this issue, and
Firefox 53 has been updated with NSS version 3.29.5.

References

    Bug 1345089
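The failure mode described for CVE-2017-5462, a carry that is not propagated when the DRBG state V is updated by multi-byte addition, is illustrated below with an added example that is not NSS code. It assumes a Hash_DRBG-style update V = (V + H) mod 2^(8*len(V)) on big-endian byte strings; the actual NSS arithmetic is not reproduced, only the bug class (lost inter-byte carry) and a reference oracle to test against.

```python
"""Added example: lost-carry bug class in a byte-wise modular addition of a
DRBG state V, with the correct carry-propagating version and an integer oracle.
Assumed Hash_DRBG-style update V = (V + H) mod 2^(8*len(V)); not NSS code."""


def add_no_carry(v: bytes, h: bytes) -> bytes:
    """Buggy: adds corresponding bytes and throws the carry between bytes away."""
    return bytes((a + b) & 0xFF for a, b in zip(v, h))


def add_with_carry(v: bytes, h: bytes) -> bytes:
    """Correct: big-endian schoolbook addition, result reduced mod 2^(8*len(v))."""
    assert len(v) == len(h)
    out = bytearray(len(v))
    carry = 0
    for i in range(len(v) - 1, -1, -1):
        s = v[i] + h[i] + carry
        out[i] = s & 0xFF
        carry = s >> 8
    # carry out of the most significant byte is dropped: that is the modular reduction
    return bytes(out)


def reference_add(v: bytes, h: bytes) -> bytes:
    """Oracle using Python's arbitrary-precision integers."""
    n = len(v)
    total = (int.from_bytes(v, "big") + int.from_bytes(h, "big")) % (1 << (8 * n))
    return total.to_bytes(n, "big")


# Constructed state: the low byte of V is 0xFF, so adding 1 must carry into byte 6.
V = bytes.fromhex("00000000000000ff")
H = bytes.fromhex("0000000000000001")


def count_divergences(pairs):
    """How many (v, h) pairs the buggy addition gets wrong versus the oracle."""
    return sum(1 for v, h in pairs if add_no_carry(v, h) != reference_add(v, h))


if __name__ == "__main__":
    print("buggy  :", add_no_carry(V, H).hex())
    print("correct:", add_with_carry(V, H).hex())
```

Because the buggy update silently yields a different V whenever any byte overflows, the generator's output stream diverges from the specified one on roughly 1 in 256 low-byte additions, which is why an oracle comparison against big-integer arithmetic is a worthwhile regression test for any hand-rolled DRBG.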


#CVE-2017-5463: Addressbar spoofing through reader view on Firefox for
Android

Reporter      Muneaki Nishimura
Impact        moderate

Description

Android intents can be used to launch Firefox for Android in reader
mode with a user specified URL. This allows an attacker to spoof the
contents of the addressbar as displayed to users.
Note: This attack only affects Firefox for Android. Other operating
systems are not affected.

References

    Bug 1338867


#CVE-2017-5467: Memory corruption when drawing Skia content

Reporter      Heather Miller of Google Skia team
Impact        moderate

Description

A potential memory corruption and crash when using Skia content when
drawing content outside of the bounds of a clipping region.

References

    Bug 1347262


#CVE-2017-5452: Addressbar spoofing during scrolling with editable
content on Firefox for Android

Reporter      Jordi Chancel
Impact        low

Description

Malicious sites can display a spoofed addressbar on a page when the
existing location bar on the new page is scrolled out of view if an
HTML editable page element is user selected.
Note: This attack only affects Firefox for Android. Other operating
systems are not affected.

References

    Bug 1344517


#CVE-2017-5453: HTML injection into RSS Reader feed preview page
through TITLE element

Reporter      Jose María Acuña
Impact        low

Description

A mechanism to inject static HTML into the RSS reader preview page due
to a failure to escape characters sent as URL parameters for a feed's
TITLE element. This vulnerability allows for spoofing but no scripted
content can be run.

References

    Bug 1321247


#CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS

Reporter      Daniel Veditz
Impact        low

Description

When a javascript: URL is drag and dropped by a user into the
addressbar, the URL will be processed and executed. This allows for
users to be socially engineered to execute an XSS attack on themselves.

References

    Bug 1229426


#CVE-2017-5468: Incorrect ownership model for Private Browsing
information

Reporter      Anonymous
Impact        low

Description

An issue with incorrect ownership model of privateBrowsing information
exposed through developer tools. This can result in a non-exploitable
crash when manually triggered during debugging.

References

    Bug 1329521


#CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1

Reporter      Mozilla developers and community
Impact        critical

Description

Mozilla developers and community members Christian Holler, Jon
Coppeard, Milan Sreckovic, Tyson Smith, Ronald Crane, Randell Jesup,
Philipp, Tooru Fujisawa, and Kan-Ru Chen reported memory safety bugs
present in Firefox 52 and Firefox ESR 52. Some of these bugs showed
evidence of memory corruption, and we presume that with enough effort
some of these could be exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1


#CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR
45.9, and Firefox ESR 52.1

Reporter      Mozilla developers and community
Impact        critical

Description

Mozilla developers and community members Christian Holler, Jon
Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob
Clary, and Chris Peterson reported memory safety bugs present in
Firefox 52, Firefox ESR 45.8, and Firefox ESR 52. Some of these bugs
showed evidence of memory corruption, and we presume that with enough
effort some of these could be exploited to run arbitrary code.

References

    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
Firefox ESR 52.1


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
