============================================================================
Ubuntu Security Notice USN-2917-2
April 07, 2016

firefox regressions
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

USN-2917-1 introduced several regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-2917-1 fixed vulnerabilities in Firefox. This update caused several
regressions that could result in search engine settings being lost, the
list of search providers appearing empty or the location bar breaking
after typing an invalid URL. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1950)
 
 Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel
 Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto,
 Tyson Smith, Andrea Marchesini, and Jukka Jyl=C3=A4nki discovered multiple
 memory safety issues in Firefox. If a user were tricked in to opening a
 specially crafted website, an attacker could potentially exploit these to
 cause a denial of service via application crash, or execute arbitrary code
 with the privileges of the user invoking Firefox. (CVE-2016-1952,
 CVE-2016-1953)
 
 Nicolas Golubovic discovered that CSP violation reports can be used to
 overwrite local files. If a user were tricked in to opening a specially
 crafted website with addon signing disabled and unpacked addons installed,
 an attacker could potentially exploit this to gain additional privileges.
 (CVE-2016-1954)
 
 Muneaki Nishimura discovered that CSP violation reports contained full
 paths for cross-origin iframe navigations. An attacker could potentially
 exploit this to steal confidential data. (CVE-2016-1955)
 
 Ucha Gobejishvili discovered that performing certain WebGL operations
 resulted in memory resource exhaustion with some Intel GPUs, requiring
 a reboot. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial
 of service. (CVE-2016-1956)
 
 Jose Martinez and Romina Santillan discovered a memory leak in
 libstagefright during MPEG4 video file processing in some circumstances.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 memory exhaustion. (CVE-2016-1957)
 
 Abdulrahman Alqabandi discovered that the addressbar could be blank or
 filled with page defined content in some circumstances. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1958)
 
 Looben Yang discovered an out-of-bounds read in Service Worker Manager. If
 a user were tricked in to opening a specially crafted website, an attacker
 could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1959)
 
 A use-after-free was discovered in the HTML5 string parser. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to cause a denial of service via application
 crash, or execute arbitrary code with the privileges of the user invoking
 Firefox. (CVE-2016-1960)
 
 A use-after-free was discovered in the SetBody function of HTMLDocument.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1961)
 
 Dominique Haza=C3=ABl-Massieux discovered a use-after-free when using multiple
 WebRTC data channels. If a user were tricked in to opening a specially
 crafted website, an attacker could potentially exploit this to cause a
 denial of service via application crash, or execute arbitrary code with
 the privileges of the user invoking Firefox. (CVE-2016-1962)
 
 It was discovered that Firefox crashes when local files are modified
 whilst being read by the FileReader API. If a user were tricked in to
 opening a specially crafted website, an attacker could potentially exploit
 this to execute arbitrary code with the privileges of the user invoking
 Firefox. (CVE-2016-1963)
 
 Nicolas Gr=C3=A9goire discovered a use-after-free during XML transformations.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1964)
 
 Tsubasa Iinuma discovered a mechanism to cause the addressbar to display
 an incorrect URL, using history navigations and the Location protocol
 property. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to conduct URL
 spoofing attacks. (CVE-2016-1965)
 
 A memory corruption issues was discovered in the NPAPI subsystem. If
 a user were tricked in to opening a specially crafted website with a
 malicious plugin installed, an attacker could potentially exploit this
 to cause a denial of service via application crash, or execute arbitrary
 code with the privileges of the user invoking Firefox. (CVE-2016-1966)
 
 Jordi Chancel discovered a same-origin-policy bypass when using
 performance.getEntries and history navigation with session restore. If
 a user were tricked in to opening a specially crafted website, an attacker
 could potentially exploit this to steal confidential data. (CVE-2016-1967)
 
 Luke Li discovered a buffer overflow during Brotli decompression in some
 circumstances. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial of
 service via application crash, or execute arbitrary code with the
 privileges of the user invoking Firefox. (CVE-2016-1968)
 
 Ronald Crane discovered a use-after-free in GetStaticInstance in WebRTC.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1973)
 
 Ronald Crane discovered an out-of-bounds read following a failed
 allocation in the HTML parser in some circumstances. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to cause a denial of service via application
 crash, or execute arbitrary code with the privileges of the user invoking
 Firefox. (CVE-2016-1974)
 
 Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple
 memory safety issues in the Graphite 2 library. If a user were tricked in
 to opening a specially crafted website, an attacker could potentially
 exploit these to cause a denial of service via application crash, or
 execute arbitrary code with the privileges of the user invoking Firefox.
 (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
 CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797,
 CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  firefox                         45.0.1+build1-0ubuntu0.15.10.2

Ubuntu 14.04 LTS:
  firefox                         45.0.1+build1-0ubuntu0.14.04.2

Ubuntu 12.04 LTS:
  firefox                         45.0.1+build1-0ubuntu0.12.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2917-2
  http://www.ubuntu.com/usn/usn-2917-1
  https://launchpad.net/bugs/1567671

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/45.0.1+build1-0ubuntu0.15.10.2
  https://launchpad.net/ubuntu/+source/firefox/45.0.1+build1-0ubuntu0.14.04.2
  https://launchpad.net/ubuntu/+source/firefox/45.0.1+build1-0ubuntu0.12.04.2