===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2686
     TITLE: MFSA 2021-33 Security Vulnerabilities fixed in Firefox 91
                              11 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Firefox
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-29990 CVE-2021-29989 CVE-2021-29988
                   CVE-2021-29987 CVE-2021-29986 CVE-2021-29985
                   CVE-2021-29984 CVE-2021-29983 CVE-2021-29982
                   CVE-2021-29981 CVE-2021-29980 

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-33/

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-33

Security Vulnerabilities fixed in Firefox 91

Announced: August 10, 2021
Impact:    high
Products:  Firefox
Fixed in:  Firefox 91

# CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption

Reporter: pahhur
Impact:   high

Description

A suspected race condition when calling getaddrinfo led to memory corruption
and a potentially exploitable crash.
Note: This issue only affected Linux operating systems. Other operating systems
are unaffected.

References

  o Bug 1696138

# CVE-2021-29981: Live range splitting could have led to conflicting assignments
in the JIT

Reporter: Gary Kwong
Impact:   high

Description

An issue present in lowering/register allocation could have led to obscure but
deterministic register confusion failures in JITted code that would lead to a
potentially exploitable crash.

References

  o Bug 1707774

# CVE-2021-29988: Memory corruption as a result of incorrect style treatment

Reporter: Irvan Kurniawan
Impact:   high

Description

Firefox incorrectly treated an inline list-item element as a block element,
resulting in an out of bounds read or memory corruption, and a potentially
exploitable crash.

References

  o Bug 1717922

# CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode

Reporter: Irvan Kurniawan
Impact:   high

Description

Firefox for Android could get stuck in fullscreen mode and not exit it even
after normal interactions that should cause it to exit.
Note: This issue only affected Firefox for Android. Other operating systems are
unaffected.

References

  o Bug 1719088

# CVE-2021-29984: Incorrect instruction reordering during JIT optimization

Reporter: Lukas Bernhard
Impact:   high

Description

Instruction reordering resulted in a sequence of instructions that would cause
an object to be incorrectly considered during garbage collection. This led to
memory corruption and a potentially exploitable crash.

References

  o Bug 1720031

# CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption

Reporter: Irvan Kurniawan
Impact:   high

Description

Uninitialized memory in a canvas object could have caused an incorrect free()
leading to memory corruption and a potentially exploitable crash.

References

  o Bug 1722204

# CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux

Reporter: Irvan Kurniawan
Impact:   moderate

Description

After requesting multiple permissions, and closing the first permission panel,
subsequent permission panels will be displayed in a different position but
still record a click in the default location, making it possible to trick a
user into accepting a permission they did not want to.
This bug only affects Firefox on Linux. Other operating systems are unaffected.

References

  o Bug 1716129

# CVE-2021-29985: Use-after-free media channels

Reporter: Marcin 'Icewall' Noga of Cisco Talos
Impact:   moderate

Description

A use-after-free vulnerability in media channels could have led to memory
corruption and a potentially exploitable crash.

References

  o Bug 1722083

# CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion

Reporter: Lukas Bernhard
Impact:   low

Description

Due to incorrect JIT optimization, we incorrectly interpreted data from the
wrong type of object, resulting in the potential leak of a single bit of
memory.

References

  o Bug 1715318

# CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Christoph Kerschbaumer, Olli Pettay, Sandor Molnar, and
Simon Giesecke reported memory safety bugs present in Firefox 90 and Firefox
ESR 78.12. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13

# CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers and community members Kershaw Chang, Philipp, Chris
Peterson, and Sebastian Hengst reported memory safety bugs present in Firefox
90. Some of these bugs showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited to run arbitrary
code.

References

  o Memory safety bugs fixed in Firefox 91

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================