-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0042
         Security vulnerabilities fixed in Firefox 53, Firefox ESR
                         45.9 and Firefox ESR 52.1
                               20 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
                      Firefox ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-5469 CVE-2017-5468 CVE-2017-5467
                      CVE-2017-5466 CVE-2017-5465 CVE-2017-5464
                      CVE-2017-5463 CVE-2017-5462 CVE-2017-5461
                      CVE-2017-5460 CVE-2017-5459 CVE-2017-5458
                      CVE-2017-5456 CVE-2017-5455 CVE-2017-5454
                      CVE-2017-5453 CVE-2017-5452 CVE-2017-5451
                      CVE-2017-5450 CVE-2017-5449 CVE-2017-5448
                      CVE-2017-5447 CVE-2017-5446 CVE-2017-5445
                      CVE-2017-5444 CVE-2017-5443 CVE-2017-5442
                      CVE-2017-5441 CVE-2017-5440 CVE-2017-5439
                      CVE-2017-5438 CVE-2017-5437 CVE-2017-5436
                      CVE-2017-5435 CVE-2017-5434 CVE-2017-5433
                      CVE-2017-5432 CVE-2017-5430 CVE-2017-5429
                      CVE-2016-10197 CVE-2016-10196 CVE-2016-10195
                      CVE-2016-6354  
Member content until: Saturday, May 20 2017
Reference:            ESB-2016.1963

OVERVIEW

        Critical vulnerabilities have been identified in Mozilla Firefox 
        prior to version 53, ESR 45.9 and ESR 52.1. [1-3]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "CVE-2017-5433: Use-after-free in SMIL animation functions
        
        A use-after-free vulnerability in SMIL animation functions occurs 
        when pointers to animation elements in an array are dropped from the
        animation controller while still in use. This results in a 
        potentially exploitable crash.
        
        CVE-2017-5435: Use-after-free during transaction processing in the
        editor
        
        A use-after-free vulnerability occurs during transaction processing
        in the editor during design mode interactions. This results in a 
        potentially exploitable crash.
        
        CVE-2017-5436: Out-of-bounds write with malicious font in Graphite
        2
        
        An out-of-bounds write in the Graphite 2 library triggered with a 
        maliciously crafted Graphite font. This results in a potentially 
        exploitable crash. This issue was fixed in the Graphite 2 library as
        well as Mozilla products.
        
        CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
        
        An out-of-bounds write during Base64 decoding operation in the 
        Network Security Services (NSS) library due to insufficient memory 
        being allocated to the buffer. This results in a potentially 
        exploitable crash. The NSS library has been updated to address this 
        issue and Firefox 53 has been updated with NSS version 3.29.5.
        
        CVE-2017-5459: Buffer overflow in WebGL
        
        A buffer overflow in WebGL triggerable by web content, resulting in
        a potentially exploitable crash.
        
        CVE-2017-5466: Origin confusion when reloading isolated 
        data:text/html URL
        
        If a page is loaded from an original site through a hyperlink and 
        contains a redirect to a data:text/html URL, triggering a reload 
        will run the reloaded data:text/html page with its origin set 
        incorrectly. This allows for a cross-site scripting (XSS) attack.
        
        CVE-2017-5434: Use-after-free during focus handling
        
        A use-after-free vulnerability occurs when redirecting focus 
        handling which results in a potentially exploitable crash.
        
        CVE-2017-5432: Use-after-free in text input selection
        
        A use-after-free vulnerability occurs during certain text input 
        selection resulting in a potentially exploitable crash.
        
        CVE-2017-5460: Use-after-free in frame selection
        
        A use-after-free vulnerability in frame selection triggered by a 
        combination of malicious script content and key presses by a user. 
        This results in a potentially exploitable crash.
        
        CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
        
        A use-after-free vulnerability during XSLT processing due to the 
        result handler being held by a freed handler during handling. This 
        results in a potentially exploitable crash.
        
        CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT 
        processing
        
        A use-after-free vulnerability during XSLT processing due to poor 
        handling of template parameters. This results in a potentially 
        exploitable crash.
        
        CVE-2017-5440: Use-after-free in txExecutionState destructor during
        XSLT processing
        
        A use-after-free vulnerability during XSLT processing due to a 
        failure to propagate error conditions during matching while 
        evaluating context, leading to objects being used when they no 
        longer exist. This results in a potentially exploitable crash.
        
        CVE-2017-5441: Use-after-free with selection during scroll events
        
        A use-after-free vulnerability when holding a selection during 
        scroll events. This results in a potentially exploitable crash.
        
        CVE-2017-5442: Use-after-free during style changes
        
        A use-after-free vulnerability during changes in style when 
        manipulating DOM elements. This results in a potentially exploitable
        crash.
        
        CVE-2017-5464: Memory corruption with accessibility and DOM 
        manipulation
        
        During DOM manipulations of the accessibility tree through script, 
        the DOM tree can become out of sync with the accessibility tree, 
        leading to memory corruption and a potentially exploitable crash.
        
        CVE-2017-5443: Out-of-bounds write during BinHex decoding
        
        An out-of-bounds write vulnerability while decoding improperly 
        formed BinHex format archives.
        
        CVE-2017-5444: Buffer overflow while parsing 
        application/http-index-format content
        
        A buffer overflow vulnerability while parsing 
        application/http-index-format format content when the header 
        contains improperly formatted data. This allows for an out-of-bounds
        read of data from memory.
        
        CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent
        with incorrect data
        
        An out-of-bounds read when an HTTP/2 connection to a server sends 
        DATA frames with incorrect data content. This leads to a potentially
        exploitable crash.
        
        CVE-2017-5447: Out-of-bounds read during glyph processing
        
        An out-of-bounds read during the processing of glyph widths during 
        text layout. This results in a potentially exploitable crash and 
        could allow an attacker to read otherwise inaccessible memory.
        
        CVE-2017-5465: Out-of-bounds read in ConvolvePixel
        
        An out-of-bounds read while processing SVG content in ConvolvePixel.
        This results in a crash and also allows for otherwise inaccessible 
        memory being copied into SVG graphic content, which could then be 
        displayed.
        
        CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
        
        An out-of-bounds write in ClearKeyDecryptor while decrypting some 
        Clearkey-encrypted media content. The ClearKeyDecryptor code runs 
        within the Gecko Media Plugin (GMP) sandbox. If a second mechanism 
        is found to escape the sandbox, this vulnerability allows for the 
        writing of arbitrary data within memory, resulting in a potentially
        exploitable crash.
        
        CVE-2017-5437: Vulnerabilities in Libevent library
        
        Three vulnerabilities were reported in the Libevent library that 
        allow for out-of-bounds reads and denial of service (DoS) attacks: 
        CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197. These were fixed
        in the Libevent library and these changes were ported to Mozilla 
        code.
        
        CVE-2017-5454: Sandbox escape allowing file system read access 
        through file picker
        
        A mechanism to bypass file system access protections in the sandbox
        to use the file picker to access different files than those selected
        in the file picker through the use of relative paths. This allows 
        for read only access to the local file system.
        
        CVE-2017-5455: Sandbox escape through internal feed reader APIs
        
        The internal feed reader APIs that crossed the sandbox barrier 
        allowed for a sandbox escape and escalation of privilege if combined
        with another vulnerability that resulted in remote code execution 
        inside the sandboxed process.
        
        CVE-2017-5456: Sandbox escape allowing local file system access
        
        A mechanism to bypass file system access protections in the sandbox
        using the file system request constructor through an IPC message. 
        This allows for read and write access to the local file system.
        
        CVE-2017-5469: Potential buffer overflow in flex-generated code
        
        Fixed potential buffer overflows in generated Firefox code due to 
        CVE-2016-6354 issue in Flex.
        
        CVE-2017-5445: Uninitialized values used while parsing 
        application/http-index-format content
        
        A vulnerability while parsing application/http-index-format format 
        content where uninitialized values are used to create an array. This
        could allow the reading of uninitialized memory into the arrays 
        affected.
        
        CVE-2017-5449: Crash during bidirectional Unicode manipulation with
        animation
        
        A possibly exploitable crash triggered during layout and 
        manipulation of bidirectional Unicode text in concert with CSS 
        animations.
        
        CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox
        for Android
        
        A mechanism to spoof the Firefox for Android addressbar using a 
        javascript: URI. On Firefox for Android, the base domain is parsed 
        incorrectly, making the resulting location less visibly a spoofed 
        site and showing an incorrect domain in appended notifications.
        
        CVE-2017-5451: Addressbar spoofing with onblur event
        
        A mechanism to spoof the addressbar through the user interaction on
        the addressbar and the onblur event. The event could be used by 
        script to affect text display to make the loaded site appear to be 
        different from the one actually loaded within the addressbar.
        
        CVE-2017-5462: DRBG flaw in NSS
        
        A flaw in DRBG number generation within the Network Security 
        Services (NSS) library where the internal state V does not correctly
        carry bits over. The NSS library has been updated to address this 
        issue and Firefox 53 has been updated with NSS version 3.29.5.
        
        CVE-2017-5463: Addressbar spoofing through reader view on Firefox 
        for Android
        
        Android intents can be used to launch Firefox for Android in reader
        mode with a user specified URL. This allows an attacker to spoof the
        contents of the addressbar as displayed to users. Note: This attack
        only affects Firefox for Android. Other operating systems are not 
        affected.
        
        CVE-2017-5467: Memory corruption when drawing Skia content
        
        A potential memory corruption and crash when using Skia content when
        drawing content outside of the bounds of a clipping region.
        
        CVE-2017-5452: Addressbar spoofing during scrolling with editable 
        content on Firefox for Android
        
        Malicious sites can display a spoofed addressbar on a page when the
        existing location bar on the new page is scrolled out of view if an
        HTML editable page element is user selected. Note: This attack only
        affects Firefox for Android. Other operating systems are not 
        affected.
        
        CVE-2017-5453: HTML injection into RSS Reader feed preview page 
        through TITLE element
        
        A mechanism to inject static HTML into the RSS reader preview page 
        due to a failure to escape characters sent as URL parameters for a 
        feed's TITLE element. This vulnerability allows for spoofing but no
        scripted content can be run.
        
        CVE-2017-5458: Drag and drop of javascript: URLs can allow for 
        self-XSS
        
        When a javascript: URL is drag and dropped by a user into the 
        addressbar, the URL will be processed and executed. This allows for
        users to be socially engineered to execute an XSS attack on 
        themselves.
        
        CVE-2017-5468: Incorrect ownership model for Private Browsing 
        information
        
        An issue with incorrect ownership model of privateBrowsing 
        information exposed through developer tools. This can result in a 
        non-exploitable crash when manually triggered during debugging.
        
        CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox 
        ESR 52.1
        
        Mozilla developers and community members Christian Holler, Jon 
        Coppeard, Milan Sreckovic, Tyson Smith, Ronald Crane, Randell Jesup,
        Philipp, Tooru Fujisawa, and Kan-Ru Chen reported memory safety bugs
        present in Firefox 52 and Firefox ESR 52. Some of these bugs showed
        evidence of memory corruption and we presume that with enough effort
        that some of these could be exploited to run arbitrary code.
        
        CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR
        45.9, and Firefox ESR 52.1
        
        Mozilla developers and community members Christian Holler, Jon 
        Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, 
        Bob Clary, and Chris Peterson reported memory safety bugs present in
        Firefox 52, Firefox ESR 45.8, and Firefox ESR 52. Some of these bugs
        showed evidence of memory corruption and we presume that with enough
        effort that some of these could be exploited to run arbitrary code." [1-3]
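
        The CVE-2017-5462 entry above says only that the DRBG's internal
        state V "does not correctly carry bits over". The block below is an
        added illustration, not NSS or Mozilla code and not the vendor's
        text: it implements the carry-propagating addition that the
        Hash_DRBG state update in NIST SP 800-90A requires
        (V = (V + H + C + reseed_counter) mod 2^seedlen, with V, H and C as
        big-endian byte strings), cross-checks it against Python integer
        arithmetic, and uses constructed sample values whose low bytes are
        all 0xFF so that a single increment must ripple across several
        bytes. The 8-byte seedlen in the sample is an assumption chosen for
        readability; real Hash_DRBG seedlen values are larger.

```python
# Added illustration of the Hash_DRBG state update (NIST SP 800-90A):
#   V = (V + H + C + reseed_counter) mod 2^seedlen
# This is NOT NSS or Mozilla code. It exists to show the byte-wise addition
# with carry propagation that such an update needs; sample values below are
# constructed for the demonstration.

def add_mod_2n(*operands: bytes, seedlen_bytes: int) -> bytes:
    """Sum the big-endian byte-string operands modulo 2^(8*seedlen_bytes).

    Shorter operands are treated as left-padded with zero bytes; bytes of an
    operand beyond seedlen_bytes fall outside the modulus and are ignored.
    Carries are propagated from the least significant byte upwards, and the
    final carry out of the top byte is dropped (that is the reduction).
    """
    out = bytearray(seedlen_bytes)
    carry = 0
    for i in range(seedlen_bytes):            # i == 0 is the least significant byte
        total = carry
        for op in operands:
            if i < len(op):
                total += op[len(op) - 1 - i]
        out[seedlen_bytes - 1 - i] = total & 0xFF
        carry = total >> 8                    # may exceed 1 when several operands are summed
    return bytes(out)


def hash_drbg_update_v(v: bytes, h: bytes, c: bytes, reseed_counter: int) -> bytes:
    """Return the updated V for one Hash_DRBG generate call (seedlen = len(v))."""
    nbytes = max(1, (reseed_counter.bit_length() + 7) // 8)
    counter_bytes = reseed_counter.to_bytes(nbytes, "big")
    return add_mod_2n(v, h, c, counter_bytes, seedlen_bytes=len(v))


def reference_update_v(v: bytes, h: bytes, c: bytes, reseed_counter: int) -> bytes:
    """Independent cross-check using Python's arbitrary-precision integers."""
    n = len(v)
    total = (int.from_bytes(v, "big") + int.from_bytes(h, "big")
             + int.from_bytes(c, "big") + reseed_counter)
    return (total % (1 << (8 * n))).to_bytes(n, "big")


# Constructed sample: an 8-byte V whose low seven bytes are 0xFF, so adding a
# reseed_counter of 1 must carry through all of them into the top byte.
SAMPLE_V = bytes([0x01]) + bytes([0xFF]) * 7
SAMPLE_H = bytes(8)
SAMPLE_C = bytes(8)

if __name__ == "__main__":
    print(hash_drbg_update_v(SAMPLE_V, SAMPLE_H, SAMPLE_C, 1).hex())  # 0200000000000000
```

        A unit test of the kind shown by `reference_update_v` is the
        check a practitioner would want around any hand-rolled big-number
        update: compare the byte-wise routine against an independent
        integer computation on inputs that force carries across byte and
        word boundaries, including full wrap-around to zero.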


MITIGATION

        Mozilla advises upgrading to the latest version to address these 
        issues. [1-3]
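
        The following is an added example, not AusCERT's or Mozilla's
        tooling, of the version check an administrator would run over an
        inventory to find installs below the fixed releases this bulletin
        names (Firefox 53, Firefox ESR 45.9 and Firefox ESR 52.1). It
        accepts strings of the form `firefox --version` prints
        ("Mozilla Firefox 52.0.2") or an inventory field such as
        "52.0.2esr"; the two-space-separated inventory format and all the
        host names and version values are constructed for the example.
        ESR branches older than 45 are treated as unpatched and ESR
        branches newer than 52 as patched, which is an assumption about
        branches this bulletin does not cover.

```python
# Added example (not AusCERT or Mozilla tooling): is a Firefox version at or
# above the fixed releases in this bulletin? Fixed versions come from the
# bulletin; inventory format and sample values are constructed.
import re

FIXED_RELEASE = (53, 0)                 # Firefox 53 for the regular release channel
FIXED_ESR = {45: (45, 9), 52: (52, 1)}  # ESR branch -> first fixed version on it

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]*)")


def parse_version(text: str):
    """Return (major, minor, patch, is_esr) from a Firefox version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    is_esr = "esr" in text.lower()      # "52.0.2esr" or "Mozilla Firefox 52.0.2esr"
    return major, minor, patch, is_esr


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed release for its channel."""
    major, minor, _patch, is_esr = parse_version(text)
    if is_esr:
        if major in FIXED_ESR:
            return (major, minor) >= FIXED_ESR[major]
        # Assumption for branches the bulletin does not list: a newer ESR branch
        # post-dates the fix; an older one (e.g. 38.x) never received it.
        return major > max(FIXED_ESR)
    return (major, minor) >= FIXED_RELEASE


# Constructed inventory: "<host><two spaces><version text>" per line.
SAMPLE_INVENTORY = """\
host-a  Mozilla Firefox 52.0.2
host-b  Mozilla Firefox 53.0
host-c  Mozilla Firefox 52.0.2esr
host-d  Mozilla Firefox 45.9.0esr
host-e  45.8.0esr
"""


def hosts_needing_upgrade(inventory: str):
    """Return the hosts whose reported Firefox version predates the fix."""
    needing = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition("  ")
        if not is_patched(version_text):
            needing.append(host)
    return needing


if __name__ == "__main__":
    print(hosts_needing_upgrade(SAMPLE_INVENTORY))  # ['host-a', 'host-c', 'host-e']
```

        The comparison deliberately ignores the patch component: the
        bulletin fixes a branch at 45.9 and 52.1, so 52.1.0esr passes while
        52.0.2esr does not, and a later point release on a fixed branch
        passes as well.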


REFERENCES

        [1] Security vulnerabilities fixed in Firefox 53
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/

        [2] Security vulnerabilities fixed in Firefox ESR 45.9
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/

        [3] Security vulnerabilities fixed in Firefox ESR 52.1
            https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWPgjhYx+lLeg9Ub1AQgXRA/9FmWxlrZQF6ojqbKrK7AIeU9ZHO1rxyeo
BoUH+eHwCR29Fl2WEp+lAcpOF7J2/TWKy4PUJEN6tXhMVqlGcsWxhkwXJ4FgrKgY
AlJbkk0xe7VXRaL/MpGmkarrWr9YgF8RGTiX6GSj1E774fxsmfUZE1ux5H5YfT/J
7fZPJqjklsGFgcBHqcBSb5T0tvC1pk9BuS/rWZ/u36ephpSEL+iAsV/OoN+Rq4cq
Ntc/nGQuZ8cKcVRgVxXX5aB904w3qvLFhhCoelSqR9mns7Q+Ton94xrNuqO9kGhb
wr9SL+2lzD8vWbhIEVOc99M7YihRgSFThNIaQL91zkItXao2Uvz3xJaoz7ztn3Su
djl8LXIehjxYNZOSnOpYM6ynAw/i6FNpQeolTv+6bTnuuqcoB926YcdGxSB6EFw0
x0LAgo703wDlO2M9T/MWkaPoLdHDjXr8lFhY/kgdEA8mi9JgkUePCKNGYBLxmXWd
dFWNJKmSyXKCQ+v7C+oOxs4NLYrhQwDvHO4WnrOXShKYi2mDfKTZuJG4XmvQr8h2
8wmn1mQhVZYXoewiMHKvIHNO5CYxX2RBKAaxY7kdT1IyJqdQ9k3iV7uyusCkkCnm
63xcLZsvjtVs23160evJQi8ciAFPA6qGsGQ+etcCnk6isNNjZK9qWOXvZecsaWCG
OjcxcRprPRA=
=EtwN
-----END PGP SIGNATURE-----