===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0138
               Mozilla Foundation Security Advisory 2018-15
                               27 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12371 CVE-2018-12370 CVE-2018-12369
                      CVE-2018-12368 CVE-2018-12367 CVE-2018-12366
                      CVE-2018-12365 CVE-2018-12364 CVE-2018-12363
                      CVE-2018-12362 CVE-2018-12361 CVE-2018-12360
                      CVE-2018-12359 CVE-2018-12358 CVE-2018-5188
                      CVE-2018-5187 CVE-2018-5186 CVE-2018-5156
Member content until: Friday, July 27 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Firefox 
        prior to version 61. [1]


IMPACT

        The vendor has provided the following information about the 
        vulnerabilities:
        
        "#CVE-2018-12359: Buffer overflow using computed size of canvas 
        element
        
        Reporter: Nils
        Impact:   critical
        
        Description
        
        A buffer overflow can occur when rendering canvas content while 
        adjusting the height and width of the <canvas> element dynamically,
        causing data to be written outside of the currently computed 
        boundaries. This results in a potentially exploitable crash. 
        References
        
            Bug 1459162
        
        #CVE-2018-12360: Use-after-free when using focus()
        
        Reporter: Nils
        Impact:   critical

        Description

        A use-after-free vulnerability can occur when deleting an input 
        element during a mutation event handler triggered by focusing that 
        element. This results in a potentially exploitable crash.

        References

            Bug 1459693
        
        #CVE-2018-12361: Integer overflow in SwizzleData
        
        Reporter: R
        Impact:   critical

        Description

        An integer overflow can occur in the SwizzleData code while 
        calculating buffer sizes. The overflowed value is used for 
        subsequent graphics computations when their inputs are not sanitized
        which results in a potentially exploitable crash.

        References

            Bug 1463244
        
        #CVE-2018-12358: Same-origin bypass using service worker and 
        redirection
        
        Reporter: Ben Kelly
        Impact:   high

        Description

        Service workers can use redirection to avoid the tainting of 
        cross-origin resources in some instances, allowing a malicious site
        to read responses which are supposed to be opaque.

        References

            Bug 1467852
        
        #CVE-2018-12362: Integer overflow in SSSE3 scaler
        
        Reporter: F. Alonso (revskills)
        Impact:   high

        Description

        An integer overflow can occur during graphics operations done by the
        Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting 
        in a potentially exploitable crash.

        References

            Bug 1452375
        
        #CVE-2018-5156: Media recorder segmentation fault when track type is
        changed during capture
        
        Reporter: Nils
        Impact:   high

        Description

        A vulnerability can occur when capturing a media stream when the 
        media source type is changed as the capture is occurring. This can 
        result in stream data being cast to the wrong type causing a 
        potentially exploitable crash.

        References

            Bug 1453127
        
        #CVE-2018-12363: Use-after-free when appending DOM nodes
        
        Reporter: Nils
        Impact:   high

        Description

        A use-after-free vulnerability can occur when script uses mutation 
        events to move DOM nodes between documents, resulting in the old 
        document that held the node being freed but the node still having a
        pointer referencing it. This results in a potentially exploitable 
        crash.

        References

            Bug 1464784
        
        #CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI 
        plugins
        
        Reporter: David Black
        Impact:   high

        Description

        NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin
        requests, bypassing CORS by making a same-origin POST that does a 
        307 redirect to the target site. This allows for a malicious site to
        engage in cross-site request forgery (CSRF) attacks.

        References

            Bug 1436241
        
        #CVE-2018-12365: Compromised IPC child process can list local 
        filenames
        
        Reporter: Alex Gaynor
        Impact:   moderate

        Description

        A compromised IPC child process can escape the content sandbox and 
        list the names of arbitrary files on the file system without user 
        consent or interaction. This could result in exposure of private 
        local files.

        References

            Bug 1459206
        
        #CVE-2018-12371: Integer overflow in Skia library during edge 
        builder allocation
        
        Reporter: anonymous
        Impact:   moderate

        Description

        An integer overflow vulnerability in the Skia library when 
        allocating memory for edge builders on some systems with at least 16
        GB of RAM. This results in the use of uninitialized memory, 
        resulting in a potentially exploitable crash.

        References

            Bug 1465686
        
        #CVE-2018-12366: Invalid data handling during QCMS transformations
        
        Reporter: OSS-Fuzz
        Impact:   moderate

        Description

        An invalid grid size during QCMS (color profile) transformations can
        result in the out-of-bounds read interpreted as a float value. This
        could leak private data into the output.

        References

            Bug 1464039
        
        #CVE-2018-12367: Timing attack mitigation of 
        PerformanceNavigationTiming
        
        Reporter: Andrea Marchesini
        Impact:   moderate

        Description

        In the previous mitigations for Spectre, the resolution or precision
        of various methods was reduced to counteract the ability to measure
        precise time intervals. In that work, PerformanceNavigationTiming 
        was not adjusted but it was found that it could be used as a 
        precision timer.

        References

            Bug 1462891
        
        #CVE-2018-12368: No warning when opening executable 
        SettingContent-ms files
        
        Reporter: Abdulrahman Alqabandi
        Impact:   moderate

        Description

        Windows 10 does not warn users before opening executable files with
        the SettingContent-ms extension even when they have been downloaded
        from the internet and have the "Mark of the Web." Without the 
        warning, unsuspecting users unfamiliar with this new file type might
        run an unwanted executable. This also allows a WebExtension with the
        limited downloads.open permission to execute arbitrary code without
        user interaction on Windows 10 systems. Note: this issue only affects
        Windows operating systems. Other operating systems are unaffected.

        References

            Bug 1468217
            The Tale of SettingContent-ms Files
        
        #CVE-2018-12369: WebExtension security permission checks bypassed by
        embedded experiments
        
        Reporter: Jonathan Kingston
        Impact:   moderate

        Description

        WebExtensions bundled with embedded experiments were not correctly 
        checked for proper authorization. This allowed a malicious 
        WebExtension to gain full browser permissions.

        References

            Bug 1454909
        
        #CVE-2018-12370: SameSite cookie protections bypassed when exiting 
        Reader View
        
        Reporter: Jun Kokatsu
        Impact:   low

        Description

        In Reader View SameSite cookie protections are not checked on 
        exiting. This allows for a payload to be triggered when Reader View
        is exited if loaded by a malicious site while Reader mode is active,
        bypassing CSRF protections.

        References

            Bug 1456652
        
        #CVE-2018-5186: Memory safety bugs fixed in Firefox 61
        
        Reporter: Mozilla developers and community
        Impact:   critical

        Description

        Mozilla developers and community members Christian Holler, Jason 
        Kratzer, Jon Coppeard, Randell Jesup, Ronald Crane, and Boris 
        Zbarsky reported memory safety bugs present in Firefox 60. Some of 
        these bugs showed evidence of memory corruption and we presume that
        with enough effort some of these could be exploited to run 
        arbitrary code.

        References

            Memory safety bugs fixed in Firefox 61
        
        #CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox 
        ESR 60.1
        
        Reporter: Mozilla developers and community
        Impact:   critical

        Description

        Mozilla developers and community members Christian Holler, Sebastian
        Hengst, Nils Ohlmeier, Jon Coppeard, Randell Jesup, Ted Campbell, 
        Gary Kwong, and Jean-Yves Avenard reported memory safety bugs 
        present in Firefox 60 and Firefox ESR 60. Some of these bugs showed
        evidence of memory corruption and we presume that with enough effort
        some of these could be exploited to run arbitrary code.

        References

            Memory safety bugs fixed in Firefox 61 and Firefox ESR 60.1
        
        #CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR
        60.1, and Firefox ESR 52.9
        
        Reporter: Mozilla developers and community
        Impact:   critical

        Description

        Mozilla developers and community members Alex Gaynor, Christoph 
        Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, 
        Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane 
        reported memory safety bugs present in Firefox 60, Firefox ESR 60, 
        and Firefox ESR 52.8. Some of these bugs showed evidence of memory 
        corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code.
        
        References
        
            Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and 
        Firefox ESR 52.9" [1]
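
        Three of the entries quoted above (CVE-2018-12361, CVE-2018-12362 and
        CVE-2018-12371) share one root cause: a pixel-buffer size derived from
        width, height and bytes-per-pixel wraps around before the allocation is
        made, so later rendering writes past the end of the buffer. The C
        example below is added by the editor and is not Mozilla code; the
        helper names are hypothetical and the 65536 x 65536 x 4 input is a
        constructed value chosen to wrap to zero, not taken from any of the
        listed bugs. It places the unchecked computation beside an
        overflow-checked version that also caps the allocation size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked variant of the bug class: with uint32_t operands all arithmetic
 * happens in 32 bits, so width * height * bytes_per_pixel wraps silently. */
uint32_t unchecked_buffer_size(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * bpp;
}

/* True when the wrapped size is smaller than the real pixel area, i.e. a
 * fill loop driven by w and h would write past the end of the allocation. */
bool unchecked_size_is_short(uint32_t w, uint32_t h, uint32_t bpp) {
    uint64_t real = (uint64_t)w * h * bpp;
    return (uint64_t)unchecked_buffer_size(w, h, bpp) < real;
}

/* Portable overflow-checked multiply for size_t (no compiler builtins needed). */
static bool mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Checked variant: rejects zero dimensions and any wrap-around, and caps the
 * result so a caller cannot be forced into a huge but "valid" allocation. */
bool checked_buffer_size(uint32_t w, uint32_t h, uint32_t bpp,
                         size_t max_bytes, size_t *out) {
    size_t pixels, bytes;
    if (w == 0 || h == 0 || bpp == 0) return false;
    if (!mul_size((size_t)w, (size_t)h, &pixels)) return false;
    if (!mul_size(pixels, (size_t)bpp, &bytes)) return false;
    if (bytes > max_bytes) return false;
    *out = bytes;
    return true;
}

/* The checked size, or 0 when the request is rejected. */
size_t checked_size_or_zero(uint32_t w, uint32_t h, uint32_t bpp, size_t max_bytes) {
    size_t n = 0;
    return checked_buffer_size(w, h, bpp, max_bytes, &n) ? n : 0;
}

int main(void) {
    /* Constructed input: 65536 x 65536 x 4 bytes wraps to exactly 0 in 32 bits. */
    uint32_t w = 65536u, h = 65536u, bpp = 4u;
    printf("unchecked: %u bytes, short=%d\n", unchecked_buffer_size(w, h, bpp), unchecked_size_is_short(w, h, bpp));
    printf("checked: %zu bytes (0 = rejected)\n", checked_size_or_zero(w, h, bpp, (size_t)1 << 30));
    return 0;
}
```

        The 1 GiB cap is an arbitrary policy value for the example; a real
        renderer would size it to what the surface is allowed to consume.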


MITIGATION

        Users are advised to update to Firefox version 61 to address these 
        issues. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-15
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================