===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0119
    Security vulnerabilities fixed in Firefox 50.1 and Firefox ESR 45.6
                             14 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-9905 CVE-2016-9904 CVE-2016-9903
                      CVE-2016-9902 CVE-2016-9901 CVE-2016-9900
                      CVE-2016-9899 CVE-2016-9898 CVE-2016-9897
                      CVE-2016-9896 CVE-2016-9895 CVE-2016-9894
                      CVE-2016-9893 CVE-2016-9080 
Member content until: Friday, January 13 2017

OVERVIEW

        Multiple vulnerabilities, including critical ones, have been
        identified in Mozilla Firefox prior to version 50.1 and in Firefox
        ESR prior to version 45.6 [1 - 2].


IMPACT

        The vendor has provided the following details regarding the
        vulnerability:
        
        "#CVE-2016-9894: Buffer overflow in SkiaGL
        
        A buffer overflow in SkiaGL caused when a GrGLBuffer is truncated 
        during allocation. Later writers will overflow the buffer, resulting
        in a potentially exploitable crash.
        
        #CVE-2016-9899: Use-after-free while manipulating DOM events and 
        audio elements
        
        Use-after-free while manipulating DOM events and removing audio 
        elements due to errors in the handling of node adoption. 
        
        #CVE-2016-9895: CSP bypass using marquee tag
        
        Event handlers on marquee elements were executed despite a strict 
        Content Security Policy (CSP) that disallowed inline JavaScript. 
        
        #CVE-2016-9896: Use-after-free with WebVR
        
        Use-after-free while manipulating the navigator object within WebVR.
        
        Note: WebVR is not currently enabled by default. 
        
        #CVE-2016-9897: Memory corruption in libGLES
        
        Memory corruption resulting in a potentially exploitable crash 
        during WebGL functions using a vector constructor with a varying 
        array within libGLES. 
        
        #CVE-2016-9898: Use-after-free in Editor while manipulating DOM 
        subtrees
        
        Use-after-free resulting in a potentially exploitable crash when 
        manipulating DOM subtrees in the Editor.
        
        #CVE-2016-9900: Restricted external resources can be loaded by SVG 
        images through data URLs
        
        External resources that should be blocked when loaded by SVG images
        can bypass security restrictions through the use of data: URLs. This
        could allow for cross-domain data leakage.
        
        #CVE-2016-9904: Cross-origin information leak in shared atoms
        
        An attacker could use a JavaScript Map/Set timing attack to 
        determine whether an atom is used by another compartment/zone in 
        specific contexts. This could be used to leak information, such as 
        usernames embedded in JavaScript code, across websites.
        
        #CVE-2016-9901: Data from Pocket server improperly sanitized before
        execution
        
        HTML tags received from the Pocket server will be processed without
        sanitization and any JavaScript code executed will be run in the 
        about:pocket-saved (unprivileged) page, giving it access to Pocket's
        messaging API through HTML injection. 
        
        #CVE-2016-9902: Pocket extension does not validate the origin of 
        events
        
        The Pocket toolbar button, once activated, listens for events fired
        from its own pages but does not verify the origin of incoming 
        events. This allows content from other origins to fire events and 
        inject content and commands into the Pocket context. Note: this 
        issue does not affect users with e10s enabled. 
        
        #CVE-2016-9903: XSS injection vulnerability in add-ons SDK
        
        Mozilla's add-ons SDK had a world-accessible resource with an HTML 
        injection vulnerability. If an additional vulnerability allowed this
        resource to be loaded as a document it could allow injecting content
        and script into an add-on's context. 
        
        #CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
        
        Mozilla developers and community members Kan-Ru Chen, Christian 
        Holler, and Tyson Smith reported memory safety bugs present in 
        Firefox 50.0.2. Some of these bugs showed evidence of memory 
        corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code.
        
        #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox
        ESR 45.6
        
        Mozilla developers and community members Jan de Mooij, Iris Hsiao, 
        Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, 
        Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory 
        safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some 
        of these bugs showed evidence of memory corruption and we presume 
        that with enough effort some of these could be exploited to run
        arbitrary code." [1]
        
        "#CVE-2016-9899: Use-after-free while manipulating DOM events and 
        audio elements
        
        Use-after-free while manipulating DOM events and removing audio 
        elements due to errors in the handling of node adoption.
        
        #CVE-2016-9895: CSP bypass using marquee tag
        
        Event handlers on marquee elements were executed despite a strict 
        Content Security Policy (CSP) that disallowed inline JavaScript.
        
        #CVE-2016-9897: Memory corruption in libGLES
        
        Memory corruption resulting in a potentially exploitable crash 
        during WebGL functions using a vector constructor with a varying 
        array within libGLES.
        
        #CVE-2016-9898: Use-after-free in Editor while manipulating DOM 
        subtrees
        
        Use-after-free resulting in a potentially exploitable crash when 
        manipulating DOM subtrees in the Editor.
        
        #CVE-2016-9900: Restricted external resources can be loaded by SVG 
        images through data URLs
        
        External resources that should be blocked when loaded by SVG images
        can bypass security restrictions through the use of data: URLs. This
        could allow for cross-domain data leakage.
        
        #CVE-2016-9904: Cross-origin information leak in shared atoms
        
        An attacker could use a JavaScript Map/Set timing attack to 
        determine whether an atom is used by another compartment/zone in 
        specific contexts. This could be used to leak information, such as 
        usernames embedded in JavaScript code, across websites.
        
        #CVE-2016-9905: Crash in EnumerateSubDocuments
        
        A potentially exploitable crash in EnumerateSubDocuments while 
        adding or removing sub-documents.
        
        #CVE-2016-9901: Data from Pocket server improperly sanitized before
        execution
        
        HTML tags received from the Pocket server will be processed without
        sanitization and any JavaScript code executed will be run in the 
        about:pocket-saved (unprivileged) page, giving it access to Pocket's
        messaging API through HTML injection.
        
        #CVE-2016-9902: Pocket extension does not validate the origin of 
        events
        
        The Pocket toolbar button, once activated, listens for events fired
        from its own pages but does not verify the origin of incoming 
        events. This allows content from other origins to fire events and 
        inject content and commands into the Pocket context.
        
        Note: this issue does not affect users with e10s enabled.
        
        #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox
        ESR 45.6
        
        Mozilla developers and community members Jan de Mooij, Iris Hsiao, 
        Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, 
        Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory 
        safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some 
        of these bugs showed evidence of memory corruption and we presume 
        that with enough effort some of these could be exploited to run
        arbitrary code." [2]


MITIGATION

        Mozilla advises upgrading to Firefox 50.1 or Firefox ESR 45.6 (or
        later) to address these issues. [1 - 2]
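        As an added example (not part of the AusCERT bulletin or Mozilla's
        advisories), the following Python script checks reported Firefox
        version strings against the fixed versions named above, treating
        any 45.x build as the ESR branch. The inventory and host names are
        constructed for illustration.

```python
import re

# Fixed versions stated in this bulletin: Firefox 50.1 and Firefox ESR 45.6.
FIXED_MAINLINE = (50, 1)
FIXED_ESR = (45, 6)
ESR_MAJOR = 45  # assumption: every 45.x build in the fleet is an ESR build

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Extract the numeric version from strings such as 'Mozilla Firefox 50.0.2'
    or '45.5.1esr' and return it as a tuple of ints, e.g. (50, 0, 2)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def _at_least(version, minimum):
    # Pad the shorter tuple with zeros so that 50.1 and 50.1.0 compare equal.
    width = max(len(version), len(minimum))
    padded_v = version + (0,) * (width - len(version))
    padded_m = minimum + (0,) * (width - len(minimum))
    return padded_v >= padded_m


def is_patched(text):
    """True if the reported build includes the fixes from MFSA 2016-94/95."""
    v = parse_version(text)
    if v[0] == ESR_MAJOR:
        return _at_least(v, FIXED_ESR)
    return _at_least(v, FIXED_MAINLINE)


def unpatched_hosts(inventory):
    """Given {hostname: version string}, return hosts that still need the update."""
    return sorted(h for h, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory; the host names and versions are not real data.
SAMPLE_INVENTORY = {
    "ws01": "Mozilla Firefox 50.0.2",
    "ws02": "Mozilla Firefox 50.1.0",
    "ws03": "Mozilla Firefox 45.5.1esr",
    "ws04": "Mozilla Firefox 45.6.0esr",
    "ws05": "Mozilla Firefox 49.0.2",
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(host, "needs Firefox 50.1 / ESR 45.6, has:", SAMPLE_INVENTORY[host])
```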


REFERENCES

        [1] Mozilla Foundation Security Advisory 2016-94
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/

        [2] Mozilla Foundation Security Advisory 2016-95
            https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================