Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

         MFSA 2021-16 Security Vulnerabilities fixed in Firefox 88
                               20 April 2021


        AusCERT Security Bulletin Summary

Product:           Firefox
Publisher:         Mozilla
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-29947 CVE-2021-29946 CVE-2021-29945
                   CVE-2021-29944 CVE-2021-24002 CVE-2021-24001
                   CVE-2021-24000 CVE-2021-23999 CVE-2021-23998
                   CVE-2021-23997 CVE-2021-23996 CVE-2021-23995

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         different platforms. It is recommended that administrators
         running Firefox check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-16

Security Vulnerabilities fixed in Firefox 88

Announced: April 19, 2021
Impact:    high
Products:  Firefox
Fixed in:  Firefox 88

# CVE-2021-23994: Out of bound write due to lazy initialization

Reporter: Abraruddin Khan and Omair
Impact:   high


A WebGL framebuffer was not initialized early enough, resulting in memory
corruption and an out of bound write.


  o Bug 1699077

# CVE-2021-23995: Use-after-free in Responsive Design Mode

Reporter: Irvan Kurniawan
Impact:   high


When Responsive Design Mode was enabled, it used references to objects that
were previously freed. We presume that with enough effort this could have been
exploited to run arbitrary code.


  o Bug 1699835

# CVE-2021-23996: Content rendered outside of webpage viewport

Reporter: Colin D. Munro
Impact:   high


By utilizing 3D CSS in conjunction with Javascript, content could have been
rendered outside the webpage's viewport, resulting in a spoofing attack that
could have been used for phishing or other attacks on a user.


  o Bug 1701834

# CVE-2021-23997: Use-after-free when freeing fonts from cache

Reporter: Irvan Kurniawan
Impact:   high


Due to unexpected data type conversions, a use-after-free could have occurred
when interacting with the font cache. We presume that with enough effort this
could have been exploited to run arbitrary code.


  o Bug 1701942

# CVE-2021-23998: Secure Lock icon could have been spoofed

Reporter: Jordi Chancel
Impact:   moderate


Through complicated navigations with new windows, an HTTP page could have
inherited a secure lock icon from an HTTPS page.


  o Bug 1667456

# CVE-2021-23999: Blob URLs may have been granted additional privileges

Reporter: Nika Layzell
Impact:   moderate


If a Blob URL was loaded through some unusual user interaction, it could have
been loaded by the System Principal and granted additional privileges that
should not be granted to web content.


  o Bug 1691153

# CVE-2021-24000: requestPointerLock() could be applied to a tab different from
the visible tab

Reporter: Irvan Kurniawan
Impact:   moderate


A race condition with requestPointerLock() and setTimeout() could have resulted
in a user interacting with one tab when they believed they were on a separate
tab. In conjunction with certain elements (such as <input type="file">) this
could have led to an attack where a user was confused about the origin of the
webpage and potentially disclosed information they did not intend to.


  o Bug 1694698

# CVE-2021-24001: Testing code could have enabled session history manipulations
by a compromised content process

Reporter: Andrew McCreight
Impact:   moderate


A compromised content process could have performed session history
manipulations it should not have been able to due to testing infrastructure
that was not restricted to testing-only configurations.


  o Bug 1694727

# CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
encoded URL

Reporter: Daniel Santos
Impact:   moderate


When a user clicked on an FTP URL containing encoded newline characters (%0A
and %0D), the newlines would have been interpreted as such and allowed
arbitrary commands to be sent to the FTP server.


  o Bug 1702374

# CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to

Reporter: Christian Holler
Impact:   moderate


The WebAssembly JIT could miscalculate the size of a return type, which could
lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are


  o Bug 1700690

# CVE-2021-29944: HTML injection vulnerability in Firefox for Android's Reader

Reporter: Wladimir Palant working with Include Security
Impact:   low


Lack of escaping allowed HTML injection when a webpage was viewed in Reader
View. While a Content Security Policy prevents direct code execution, HTML
injection is still possible.
Note: This issue only affected Firefox for Android. Other operating systems are


  o Bug 1697604

# CVE-2021-29946: Port blocking could be bypassed

Reporter: Frederik Braun
Impact:   low


Ports that were written as an integer overflow above the bounds of a 16-bit
integer could have bypassed port blocking restrictions when used in the Alt-Svc


  o Bug 1698503

# CVE-2021-29947: Memory safety bugs fixed in Firefox 88

Reporter: Mozilla developers and community
Impact:   high


Mozilla developers and community members Ryan VanderMeulen, Sean Feng, Tyson
Smith, Julian Seward, Christian Holler reported memory safety bugs present in
Firefox 87. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run
arbitrary code.


  o Memory safety bugs fixed in Firefox 88

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967