-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1897
         MFSA 2021-23 Security Vulnerabilities fixed in Firefox 89
                                2 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-29967 CVE-2021-29966 CVE-2021-29965
                   CVE-2021-29964 CVE-2021-29963 CVE-2021-29962
                   CVE-2021-29961 CVE-2021-29960 CVE-2021-29959

Reference:         ESB-2021.1896

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-23/

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-23

Security Vulnerabilities fixed in Firefox 89

Announced: June  1, 2021
Impact:    high
Products:  Firefox
Fixed in:  Firefox 89

# CVE-2021-29965: Password Manager on Firefox for Android susceptible to domain
spoofing

Reporter: Harshit Mahendra
Impact:   high

Description

A malicious website that causes an HTTP Authentication dialog to be spawned
could trick the built-in password manager to suggest passwords for the
currently active website instead of the website that triggered the dialog.
This bug only affects Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1709257

# CVE-2021-29960: Filenames printed from private browsing mode incorrectly
retained in preferences

Reporter: Sebastian Hengst
Impact:   moderate

Description

Firefox used to cache the last filename used for printing a file. When
generating a filename for printing, Firefox usually suggests the web page
title. The caching and suggestion techniques combined may have lead to the
title of a website visited during private browsing mode being stored on disk.

References

  o Bug 1675965

# CVE-2021-29961: Firefox UI spoof using `<select>` elements and CSS scaling

Reporter: Irvan Kurniawan
Impact:   moderate

Description

When styling and rendering an oversized <select> element, Firefox did not apply
correct clipping which allowed an attacker to paint over the user interface.

References

  o Bug 1700235

# CVE-2021-29963: Shared cookies for search suggestions in private browsing mode

Reporter: Wladimir Palant working with Include Security
Impact:   moderate

Description

Address bar search suggestions in private browsing mode were re-using session
data from normal mode.
This bug only affects Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1705068

# CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message

Reporter: Ronald Crane
Impact:   moderate

Description

A locally-installed hostile program could send WM_COPYDATA messages that
Firefox would process incorrectly, leading to an out-of-bounds read.
This bug only affects Firefox on Windows. Other operating systems are
unaffected.

References

  o Bug 1706501

# CVE-2021-29959: Devices could be re-enabled without additional permission
prompt

Reporter: Jan-Ivar Bruaroey
Impact:   low

Description

When a user has already allowed a website to access microphone and camera,
disabling camera sharing would not fully prevent the website from re-enabling
it without an additional prompt. This was only possible if the website kept
recording with the microphone until re-enabling the camera.

References

  o Bug 1395819

# CVE-2021-29962: No rate-limiting for popups on Firefox for Android

Reporter: Wladimir Palant working with Include Security
Impact:   low

Description

Firefox for Android would become unstable and hard-to-recover when a website
opened too many popups.
This bug only affects Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1701673

# CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Christian Holler, Anny Gakhokidze, Alexandru Michis,
Gabriele Svelto reported memory safety bugs present in Firefox 88 and Firefox
ESR 78.11. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11

# CVE-2021-29966: Memory safety bugs fixed in Firefox 89

Reporter: Mozilla developers and community
Impact:   moderate

Description

Mozilla developers Christian Holler, Tooru Fujisawa, Tyson Smith reported
memory safety bugs present in Firefox 88. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 89

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYLb75eNLKJtyKPYoAQjy6A/+M4QkHHXo9o2oNiZ7eNbX+ETJFAngUxRS
0uVoREHjqx5wwx4QEgNoU2dCMp4wTzlIzpOYGoxzYYwF/158v9LMoKS/oxpB15MA
ohrIflwh2WmMXt+ghC9UqGzj7EOmkJCyJsUWm9s/XuWmznGdfVVogDy1ghxglDon
1a3/FhkWET1oJEb5q1sTir94ZyXKxn2HaSJSrQnfhuZLrV12of9SrheBTib2I2eN
Ec29cuZ9a+JwOCCseWwmny0mQoS5sI3VJss0NMLLmT5F3PqR5riQaCS94oipqZRo
xhcpdpme8kJLmbs+3zSKKv1wtmAbuCCboPrpqyCJqtNgrpCrji0jE3eb/ZfWMuhz
mNaZ1KdYchwAjFhLAsaSJOSGBFcHWxC5zOzVKt+r/ZZS+HfzP2rnjyzJSDv4CoeF
yPVmsYjcR5xWFB1Wwx7dbwZhczYJe8RRPxFb6Uhh8qaKNAQ0DJ5JdQxgbw8z+L2l
0bO0yLHoLhrmqur9r66vRPpHg735GgcLgsBMmwgwFrbGEFxCQwtBC9itH2YvGYGh
gRJ4umWz+mU8xT+TKz1eM8PJRHXRhvikpIywHyTGsWkcFRXxqw1IIgc4ic1PR8LQ
IQJwmKNZbMXZ0zN95jYtNgcKmAoo6uu9fLrs8HTQH2ypO1VZe7LSWcsr2NpqPZX0
mBP+CqvljeI=
=K5Kx
-----END PGP SIGNATURE-----