===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2686
         MFSA 2021-33 Security Vulnerabilities fixed in Firefox 91
                              11 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-29990 CVE-2021-29989 CVE-2021-29988
                   CVE-2021-29987 CVE-2021-29986 CVE-2021-29985
                   CVE-2021-29984 CVE-2021-29983 CVE-2021-29982
                   CVE-2021-29981 CVE-2021-29980

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-33/

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-33

Security Vulnerabilities fixed in Firefox 91

Announced: August 10, 2021
Impact:    high
Products:  Firefox
Fixed in:  Firefox 91

# CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption

Reporter: pahhur
Impact:   high

Description

A suspected race condition when calling getaddrinfo led to memory corruption
and a potentially exploitable crash.
Note: This issue only affected Linux operating systems. Other operating
systems are unaffected.

References

  o Bug 1696138

# CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT

Reporter: Gary Kwong
Impact:   high

Description

An issue present in lowering/register allocation could have led to obscure
but deterministic register confusion failures in JITted code that would lead
to a potentially exploitable crash.

References

  o Bug 1707774

# CVE-2021-29988: Memory corruption as a result of incorrect style treatment

Reporter: Irvan Kurniawan
Impact:   high

Description

Firefox incorrectly treated an inline list-item element as a block element,
resulting in an out of bounds read or memory corruption, and a potentially
exploitable crash.

References

  o Bug 1717922

# CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode

Reporter: Irvan Kurniawan
Impact:   high

Description

Firefox for Android could get stuck in fullscreen mode and not exit it even
after normal interactions that should cause it to exit.
Note: This issue only affected Firefox for Android. Other operating systems
are unaffected.

References

  o Bug 1719088

# CVE-2021-29984: Incorrect instruction reordering during JIT optimization

Reporter: Lukas Bernhard
Impact:   high

Description

Instruction reordering resulted in a sequence of instructions that would
cause an object to be incorrectly considered during garbage collection. This
led to memory corruption and a potentially exploitable crash.

References

  o Bug 1720031

# CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption

Reporter: Irvan Kurniawan
Impact:   high

Description

Uninitialized memory in a canvas object could have caused an incorrect free()
leading to memory corruption and a potentially exploitable crash.

References

  o Bug 1722204

# CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux

Reporter: Irvan Kurniawan
Impact:   moderate

Description

After requesting multiple permissions, and closing the first permission
panel, subsequent permission panels will be displayed in a different position
but still record a click in the default location, making it possible to trick
a user into accepting a permission they did not want to.
This bug only affects Firefox on Linux. Other operating systems are
unaffected.

References

  o Bug 1716129

# CVE-2021-29985: Use-after-free media channels

Reporter: Marcin 'Icewall' Noga of Cisco Talos
Impact:   moderate

Description

A use-after-free vulnerability in media channels could have led to memory
corruption and a potentially exploitable crash.

References

  o Bug 1722083

# CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion

Reporter: Lukas Bernhard
Impact:   low

Description

Due to incorrect JIT optimization, we incorrectly interpreted data from the
wrong type of object, resulting in the potential leak of a single bit of
memory.

References

  o Bug 1715318

# CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Christoph Kerschbaumer, Olli Pettay, Sandor Molnar, and
Simon Giesecke reported memory safety bugs present in Firefox 90 and Firefox
ESR 78.12. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to
run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13

# CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers and community members Kershaw Chang, Philipp, Chris
Peterson, and Sebastian Hengst reported memory safety bugs present in Firefox
90. Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 91

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.