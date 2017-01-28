

==========================================================================
Ubuntu Security Notice USN-3175-1
January 27, 2017

firefox vulnerabilities
==========================================================================



A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS



Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser



Details:

Multiple memory safety issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5376)

Atte Kettunen discovered a memory corruption issue in Skia in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5377)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5378)

A use-after-free was discovered in Web Animations in some circumstances.
If a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5379)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5380)

Jann Horn discovered that the "export" function in the Certificate Viewer
can force local filesystem navigation when the Common Name contains
slashes. If a user were tricked into exporting a specially crafted
certificate, an attacker could potentially exploit this to save content
with arbitrary filenames in unsafe locations. (CVE-2017-5381)

Jerri Rice discovered that the Feed preview for RSS feeds can be used to
capture errors and exceptions generated by privileged content. An attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-5382)

Armin Razmjou discovered that certain Unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)

Paul Stone and Alex Chapman discovered that the full URL path is exposed
to JavaScript functions specified by Proxy Auto-Config (PAC) files. If a
user has enabled Web Proxy Auto Detect (WPAD), an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5384)

Muneaki Nishimura discovered that data sent in multipart channels will
ignore the Referrer-Policy response headers. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5385)

Muneaki Nishimura discovered that WebExtensions can affect other
extensions using the data: protocol. If a user were tricked into
installing a specially crafted addon, an attacker could potentially
exploit this to obtain sensitive information or gain additional
privileges. (CVE-2017-5386)

Mustafa Hasan discovered that the existence of local files can be
determined using the <track> element. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5387)

Cullen Jennings discovered that WebRTC can be used to generate large
amounts of UDP traffic. An attacker could potentially exploit this to
conduct Distributed Denial-of-Service (DDoS) attacks. (CVE-2017-5388)

Kris Maglione discovered that WebExtensions can use the mozAddonManager
API by modifying the CSP headers on sites with the appropriate permissions
and then using host requests to redirect script loads to a malicious site.
If a user were tricked into installing a specially crafted addon, an
attacker could potentially exploit this to install additional addons
without user permission. (CVE-2017-5389)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Jerri Rice discovered that about: pages used by content can load
privileged about: pages in iframes. An attacker could potentially exploit
this to gain additional privileges, in combination with a
content-injection bug in one of those about: pages. (CVE-2017-5391)

Stuart Colville discovered that mozAddonManager allows for the
installation of extensions from the CDN for addons.mozilla.org, a publicly
accessible site. If a user were tricked into installing a specially
crafted addon, an attacker could potentially exploit this, in combination
with a cross-site scripting (XSS) attack on Mozilla's AMO sites, to
install additional addons. (CVE-2017-5393)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5396)



Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  firefox  51.0.1+build2-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  firefox  51.0.1+build2-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  firefox  51.0.1+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  firefox  51.0.1+build2-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.
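As an added example (not part of the advisory, and not Ubuntu's tooling), the following Python reimplements dpkg's version ordering so that a firefox version string reported by a host can be checked against the fixed versions listed above; the installed version strings it is exercised with are constructed, not taken from a real system.

```python
import itertools
import re

# Fixed firefox versions per release, as listed in USN-3175-1.
FIXED_VERSIONS = {
    "16.10": "51.0.1+build2-0ubuntu0.16.10.1",
    "16.04": "51.0.1+build2-0ubuntu0.16.04.1",
    "14.04": "51.0.1+build2-0ubuntu0.14.04.1",
    "12.04": "51.0.1+build2-0ubuntu0.12.04.1",
}

def _order(c):
    # dpkg weight of a non-digit char: '~' < end-of-fragment < letters < punctuation
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg fragment comparison: alternate non-digit runs (by _order) and digit
    # runs (numerically), left to right, until one side differs or both end.
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in itertools.zip_longest(ra, rb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[len(ra):], b[len(rb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]'; a missing epoch or revision counts as 0.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2 (dpkg rules)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(release, installed):
    """True when the installed firefox version meets the USN-3175-1 fix for `release`."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

On a real host the `installed` argument is what `dpkg-query -W -f='${Version}' firefox` prints; note that a build-number difference such as `+build1` versus `+build2` is enough to be reported as unpatched.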



References:
http://www.ubuntu.com/usn/usn-3175-1
CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376,
CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380,
CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384,
CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388,
CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5393,
CVE-2017-5396



Package Information:
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.12.04.1
