USN-3124-1: Firefox vulnerabilities

Releases

• Ubuntu 16.10
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM
• Ubuntu 12.04

Packages

• firefox - Mozilla Open Source web browser

Details

Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard,
Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli Pettay, Ehsan
Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5289, CVE-2016-5290)

A same-origin policy bypass was discovered with local HTML files in some
circumstances. An attacker could potentially exploit this to obtain
sensitive information. (CVE-2016-5291)

A crash was discovered when parsing URLs in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to execute arbitrary code. (CVE-2016-5292)

A heap buffer-overflow was discovered in Cairo when processing SVG
content. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5296)

An error was discovered in argument length checking in Javascript. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-5297)

An integer overflow was discovered in the Expat library. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash. (CVE-2016-9063)

It was discovered that addon updates failed to verify that the addon ID
inside the signed package matched the ID of the addon being updated.
An attacker that could perform a machine-in-the-middle (MITM) attack could
potentially exploit this to provide malicious addon updates.
(CVE-2016-9064)

A buffer overflow was discovered in nsScriptLoadHandler. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9066)

2 use-after-free bugs were discovered during DOM operations in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-9067,
CVE-2016-9069)

A heap use-after-free was discovered during web animations in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-9068)

It was discovered that a page loaded in to the sidebar through a bookmark
could reference a privileged chrome window. An attacker could potentially
exploit this to bypass same origin restrictions. (CVE-2016-9070)

An issue was discovered with Content Security Policy (CSP) in combination
with HTTP to HTTPS redirection. An attacker could potentially exploit this
to verify whether a site is within the user's browsing history.
(CVE-2016-9071)

An issue was discovered with the windows.create() WebExtensions API. If a
user were tricked in to installing a malicious extension, an attacker
could potentially exploit this to escape the WebExtensions sandbox.
(CVE-2016-9073)

It was discovered that WebExtensions can use the mozAddonManager API. An
attacker could potentially exploit this to install additional extensions
without user permission. (CVE-2016-9075)

It was discovered that element dropdown menus can cover location
bar content when e10s is enabled. An attacker could potentially exploit
this to conduct UI spoofing attacks. (CVE-2016-9076)

It was discovered that canvas allows the use of the feDisplacementMap
filter on cross-origin images. An attacker could potentially exploit this
to conduct timing attacks. (CVE-2016-9077)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10

• firefox - 50.0+build2-0ubuntu0.16.10.2

Ubuntu 16.04

• firefox - 50.0+build2-0ubuntu0.16.04.2

Ubuntu 14.04

• firefox - 50.0+build2-0ubuntu0.14.04.2

Ubuntu 12.04

• firefox - 50.0+build2-0ubuntu0.12.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

• CVE-2016-5289
• CVE-2016-5290
• CVE-2016-5291
• CVE-2016-5292
• CVE-2016-5296
• CVE-2016-5297
• CVE-2016-9063
• CVE-2016-9064
• CVE-2016-9066
• CVE-2016-9067
• CVE-2016-9068
• CVE-2016-9069
• CVE-2016-9070
• CVE-2016-9071
• CVE-2016-9073
• CVE-2016-9075
• CVE-2016-9076
• CVE-2016-9077

Related notices

• USN-3141-1: thunderbird-locale-sr, thunderbird-locale-hr, thunderbird-locale-es-ar, thunderbird-locale-pt, thunderbird-locale-he, thunderbird-locale-hu, thunderbird-locale-el, thunderbird-locale-ca, thunderbird-locale-sv, thunderbird-locale-cs, xul-ext-gdata-provider, thunderbird-locale-fi, thunderbird-locale-cy, thunderbird-locale-es-es, thunderbird-locale-pl, thunderbird-locale-ga, xul-ext-lightning, thunderbird-locale-gl, thunderbird-locale-ja, thunderbird-locale-en, thunderbird-locale-dsb, thunderbird-locale-tr, thunderbird-locale-bg, thunderbird-locale-pt-br, thunderbird-locale-ast, thunderbird-locale-hy, thunderbird-locale-rm, thunderbird-dev, thunderbird-locale-ro, thunderbird-locale-mk, thunderbird-locale-ar, thunderbird-locale-nn-no, thunderbird-locale-nb, thunderbird-locale-af, thunderbird-gnome-support, thunderbird-locale-nn, thunderbird-locale-es, thunderbird-globalmenu, thunderbird-locale-sv-se, thunderbird-locale-hsb, thunderbird-locale-bn-bd, thunderbird-locale-ta, thunderbird-locale-zh-hant, thunderbird-locale-si, thunderbird-locale-pt-pt, thunderbird-locale-sk, thunderbird-locale-lt, thunderbird-locale-fy, thunderbird-locale-da, thunderbird-locale-en-gb, thunderbird-locale-be, thunderbird-locale-sq, thunderbird-locale-fy-nl, thunderbird-locale-ko, thunderbird-locale-is, thunderbird-locale-id, thunderbird-locale-ga-ie, thunderbird-locale-uk, thunderbird-locale-nb-no, thunderbird-locale-nl, thunderbird-locale-zh-tw, thunderbird-locale-eu, thunderbird-locale-br, thunderbird-locale-pa, thunderbird-locale-vi, thunderbird-locale-bn, thunderbird-locale-pa-in, thunderbird-locale-en-us, thunderbird-locale-gd, thunderbird-locale-de, thunderbird-locale-fr, thunderbird-locale-ru, thunderbird-locale-zh-hans, thunderbird-locale-et, thunderbird-locale-ka, thunderbird-locale-zh-cn, thunderbird-locale-it, thunderbird-locale-sl, thunderbird, xul-ext-calendar-timezones, thunderbird-locale-ta-lk, thunderbird-testsuite, thunderbird-mozsymbols

Join the discussion

• Ubuntu security updates mailing list
• Security announcements mailing list

Need help with your security needs?

Ubuntu Pro provides up to ten-year security coverage for over 23,000 open-source packages within the Ubuntu Main and Universe repositories.

Talk to an expert to find out what would work best for you

Further reading

• Loading...