-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
MFSA 2021-16 Security Vulnerabilities fixed in Firefox 88
20 April 2021
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
CVE Names: CVE-2021-29947 CVE-2021-29946 CVE-2021-29945
CVE-2021-29944 CVE-2021-24002 CVE-2021-24001
CVE-2021-24000 CVE-2021-23999 CVE-2021-23998
CVE-2021-23997 CVE-2021-23996 CVE-2021-23995
Comment: This advisory references vulnerabilities in products which run on
different platforms. It is recommended that administrators
running Firefox check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2021-16
Security Vulnerabilities fixed in Firefox 88
Announced: April 19, 2021
Fixed in: Firefox 88
# CVE-2021-23994: Out of bound write due to lazy initialization
Reporter: Abraruddin Khan and Omair
A WebGL framebuffer was not initialized early enough, resulting in memory
corruption and an out of bound write.
o Bug 1699077
# CVE-2021-23995: Use-after-free in Responsive Design Mode
Reporter: Irvan Kurniawan
When Responsive Design Mode was enabled, it used references to objects that
were previously freed. We presume that with enough effort this could have been
exploited to run arbitrary code.
o Bug 1699835
# CVE-2021-23996: Content rendered outside of webpage viewport
Reporter: Colin D. Munro
rendered outside the webpage's viewport, resulting in a spoofing attack that
could have been used for phishing or other attacks on a user.
o Bug 1701834
# CVE-2021-23997: Use-after-free when freeing fonts from cache
Reporter: Irvan Kurniawan
Due to unexpected data type conversions, a use-after-free could have occurred
when interacting with the font cache. We presume that with enough effort this
could have been exploited to run arbitrary code.
o Bug 1701942
# CVE-2021-23998: Secure Lock icon could have been spoofed
Reporter: Jordi Chancel
Through complicated navigations with new windows, an HTTP page could have
inherited a secure lock icon from an HTTPS page.
o Bug 1667456
# CVE-2021-23999: Blob URLs may have been granted additional privileges
Reporter: Nika Layzell
If a Blob URL was loaded through some unusual user interaction, it could have
been loaded by the System Principal and granted additional privileges that
should not be granted to web content.
o Bug 1691153
# CVE-2021-24000: requestPointerLock() could be applied to a tab different from
the visible tab
Reporter: Irvan Kurniawan
A race condition with requestPointerLock() and setTimeout() could have resulted
in a user interacting with one tab when they believed they were on a separate
tab. In conjunction with certain elements (such as <input type="file">) this
could have led to an attack where a user was confused about the origin of the
webpage and potentially disclosed information they did not intend to.
o Bug 1694698
# CVE-2021-24001: Testing code could have enabled session history manipulations
by a compromised content process
Reporter: Andrew McCreight
A compromised content process could have performed session history
manipulations it should not have been able to due to testing infrastructure
that was not restricted to testing-only configurations.
o Bug 1694727
# CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
Reporter: Daniel Santos
When a user clicked on an FTP URL containing encoded newline characters (%0A
and %0D), the newlines would have been interpreted as such and allowed
arbitrary commands to be sent to the FTP server.
o Bug 1702374
# CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
Reporter: Christian Holler
The WebAssembly JIT could miscalculate the size of a return type, which could
lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are
o Bug 1700690
# CVE-2021-29944: HTML injection vulnerability in Firefox for Android's Reader
Reporter: Wladimir Palant working with Include Security
Lack of escaping allowed HTML injection when a webpage was viewed in Reader
View. While a Content Security Policy prevents direct code execution, HTML
injection is still possible.
Note: This issue only affected Firefox for Android. Other operating systems are
o Bug 1697604
# CVE-2021-29946: Port blocking could be bypassed
Reporter: Frederik Braun
Ports that were written as an integer overflow above the bounds of a 16-bit
integer could have bypassed port blocking restrictions when used in the Alt-Svc
o Bug 1698503
# CVE-2021-29947: Memory safety bugs fixed in Firefox 88
Reporter: Mozilla developers and community
Mozilla developers and community members Ryan VanderMeulen, Sean Feng, Tyson
Smith, Julian Seward, Christian Holler reported memory safety bugs present in
Firefox 87. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run
o Memory safety bugs fixed in Firefox 88
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----