From: Chris Coulson <chris.coulson@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <ddfb479b-517b-e545-310d-f41a8e0b992a@canonical.com>
Subject: [USN-2917-3] Firefox regressions




============================================================================
Ubuntu Security Notice USN-2917-3
April 19, 2016

firefox regressions
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

USN-2917-1 introduced several regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-2917-1 fixed vulnerabilities in Firefox. This update caused several
web compatibility regressions.

This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1950)
 
 Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel
 Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto,
 Tyson Smith, Andrea Marchesini, and Jukka Jyl=C3=A4nki discovered multiple
 memory safety issues in Firefox. If a user were tricked in to opening a
 specially crafted website, an attacker could potentially exploit these to
 cause a denial of service via application crash, or execute arbitrary code
 with the privileges of the user invoking Firefox. (CVE-2016-1952,
 CVE-2016-1953)
 
 Nicolas Golubovic discovered that CSP violation reports can be used to
 overwrite local files. If a user were tricked in to opening a specially
 crafted website with addon signing disabled and unpacked addons installed,
 an attacker could potentially exploit this to gain additional privileges.
 (CVE-2016-1954)
 
 Muneaki Nishimura discovered that CSP violation reports contained full
 paths for cross-origin iframe navigations. An attacker could potentially
 exploit this to steal confidential data. (CVE-2016-1955)
 
 Ucha Gobejishvili discovered that performing certain WebGL operations
 resulted in memory resource exhaustion with some Intel GPUs, requiring
 a reboot. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial
 of service. (CVE-2016-1956)
 
 Jose Martinez and Romina Santillan discovered a memory leak in
 libstagefright during MPEG4 video file processing in some circumstances.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 memory exhaustion. (CVE-2016-1957)
 
 Abdulrahman Alqabandi discovered that the addressbar could be blank or
 filled with page defined content in some circumstances. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1958)
 
 Looben Yang discovered an out-of-bounds read in Service Worker Manager. If
 a user were tricked in to opening a specially crafted website, an attacker
 could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1959)
 
 A use-after-free was discovered in the HTML5 string parser. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to cause a denial of service via application
 crash, or execute arbitrary code with the privileges of the user invoking
 Firefox. (CVE-2016-1960)
 
 A use-after-free was discovered in the SetBody function of HTMLDocument.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1961)
 
 Dominique Haza=C3=ABl-Massieux discovered a use-after-free when using multiple
 WebRTC data channels. If a user were tricked in to opening a specially
 crafted website, an attacker could potentially exploit this to cause a
 denial of service via application crash, or execute arbitrary code with
 the privileges of the user invoking Firefox. (CVE-2016-1962)
 
 It was discovered that Firefox crashes when local files are modified
 whilst being read by the FileReader API. If a user were tricked in to
 opening a specially crafted website, an attacker could potentially exploit
 this to execute arbitrary code with the privileges of the user invoking
 Firefox. (CVE-2016-1963)
 
 Nicolas Gr=C3=A9goire discovered a use-after-free during XML transformations.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1964)
 
 Tsubasa Iinuma discovered a mechanism to cause the addressbar to display
 an incorrect URL, using history navigations and the Location protocol
 property. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to conduct URL
 spoofing attacks. (CVE-2016-1965)
 
 A memory corruption issues was discovered in the NPAPI subsystem. If
 a user were tricked in to opening a specially crafted website with a
 malicious plugin installed, an attacker could potentially exploit this
 to cause a denial of service via application crash, or execute arbitrary
 code with the privileges of the user invoking Firefox. (CVE-2016-1966)
 
 Jordi Chancel discovered a same-origin-policy bypass when using
 performance.getEntries and history navigation with session restore. If
 a user were tricked in to opening a specially crafted website, an attacker
 could potentially exploit this to steal confidential data. (CVE-2016-1967)
 
 Luke Li discovered a buffer overflow during Brotli decompression in some
 circumstances. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial of
 service via application crash, or execute arbitrary code with the
 privileges of the user invoking Firefox. (CVE-2016-1968)
 
 Ronald Crane discovered a use-after-free in GetStaticInstance in WebRTC.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code with the privileges of the
 user invoking Firefox. (CVE-2016-1973)
 
 Ronald Crane discovered an out-of-bounds read following a failed
 allocation in the HTML parser in some circumstances. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to cause a denial of service via application
 crash, or execute arbitrary code with the privileges of the user invoking
 Firefox. (CVE-2016-1974)
 
 Holger Fuhrmannek, Tyson Smith and Holger Fuhrmannek reported multiple
 memory safety issues in the Graphite 2 library. If a user were tricked in
 to opening a specially crafted website, an attacker could potentially
 exploit these to cause a denial of service via application crash, or
 execute arbitrary code with the privileges of the user invoking Firefox.
 (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
 CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797,
 CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  firefox                         45.0.2+build1-0ubuntu0.15.10.1

Ubuntu 14.04 LTS:
  firefox                         45.0.2+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  firefox                         45.0.2+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2917-3
  http://www.ubuntu.com/usn/usn-2917-1
  https://launchpad.net/bugs/1572169

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/45.0.2+build1-0ubuntu0.15.10.1
  https://launchpad.net/ubuntu/+source/firefox/45.0.2+build1-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/firefox/45.0.2+build1-0ubuntu0.12.04.1




--D3UEeoEj88SPGgawhEiUuTbS66wosjPIf