Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-3044-1: Firefox vulnerabilities

5 August 2016

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • firefox - Mozilla Open Source web browser

Details

Gustavo Grieco discovered an out-of-bounds read during XML parsing in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or obtain sensitive information.
(CVE-2016-0718)

Toni Huttunen discovered that once a favicon is requested from a site,
the remote server can keep the network connection open even after the page
is closed. A remote attacked could potentially exploit this to track
users, resulting in information disclosure. (CVE-2016-2830)

Christian Holler, Tyson Smith, Boris Zbarsky, Byron Campen, Julian Seward,
Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight, and Phil
Ringnalda discovered multiple memory safety issues in Firefox. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-2835, CVE-2016-2836)

A buffer overflow was discovered in the ClearKey Content Decryption
Module (CDM) during video playback. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via plugin process crash, or, in combination
with another vulnerability to escape the GMP sandbox, execute arbitrary
code. (CVE-2016-2837)

Atte Kettunen discovered a buffer overflow when rendering SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-2838)

Bert Massop discovered a crash in Cairo with version 0.10 of FFmpeg. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to execute arbitrary code. (CVE-2016-2839)

Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the Resource
Timing API. An attacker could potentially exploit this to obtain sensitive
information. (CVE-2016-5250)

Firas Salem discovered an issue with non-ASCII and emoji characters in
data: URLs. An attacker could potentially exploit this to spoof the
addressbar contents. (CVE-2016-5251)

Georg Koppen discovered a stack buffer underflow during 2D graphics
rendering in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5252)

Abhishek Arya discovered a use-after-free when the alt key is used with
top-level menus. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5254)

Jukka Jylänki discovered a crash during garbage collection. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to execute arbitrary code. (CVE-2016-5255)

Looben Yang discovered a use-after-free in WebRTC. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2016-5258)

Looben Yang discovered a use-after-free when working with nested sync
events in service workers. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5259)

Mike Kaply discovered that plain-text passwords can be stored in session
restore if an input field type is changed from "password" to "text" during
a session, leading to information disclosure. (CVE-2016-5260)

Samuel Groß discovered an integer overflow in WebSockets during data
buffering in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5261)

Nikita Arykov discovered that JavaScript event handlers on a
element can execute in a sandboxed iframe without the allow-scripts flag
set. If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to conduct cross-site scripting
(XSS) attacks. (CVE-2016-5262)

A type confusion bug was discovered in display transformation during
rendering. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5263)

A use-after-free was discovered when applying effects to SVG elements in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-5264)

Abdulrahman Alqabandi discovered a same-origin policy violation relating
to local HTML files and saved shortcut files. An attacker could
potentially exploit this to obtain sensitive information. (CVE-2016-5265)

Rafael Gieschke discovered an information disclosure issue related to
drag and drop. An attacker could potentially exploit this to obtain
sensitive information. (CVE-2016-5266)

A text injection issue was discovered with about: URLs. An attacker could
potentially exploit this to spoof internal error pages. (CVE-2016-5268)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04
Ubuntu 14.04
Ubuntu 12.04

After a standard system update you need to restart Firefox to make
all the necessary changes.

Related notices

  • USN-3013-1: libxmlrpc-c++4, libxmlrpc-core-c3, xmlrpc-c
  • USN-2983-1: lib64expat1, libexpat1, lib64expat1-dev, libexpat1-udeb, expat, libexpat1-dev
  • USN-5455-1: libxmltok1, libxmltok1-dev, libxmltok
  • USN-3073-1: thunderbird-locale-zh-hant, thunderbird-locale-de, thunderbird-locale-nl, thunderbird-locale-gl, thunderbird-locale-si, thunderbird-locale-bn, xul-ext-calendar-timezones, thunderbird-locale-nb, thunderbird-locale-tr, thunderbird-locale-rm, thunderbird-locale-el, thunderbird-locale-ta, thunderbird-locale-he, thunderbird-locale-zh-tw, thunderbird-locale-pt-pt, thunderbird-locale-en-us, thunderbird-locale-sq, thunderbird-locale-sr, thunderbird-locale-uk, thunderbird-locale-br, thunderbird-locale-it, xul-ext-gdata-provider, thunderbird-locale-pl, thunderbird-gnome-support, thunderbird-locale-ar, thunderbird-locale-es-es, thunderbird-locale-fi, thunderbird-locale-hu, thunderbird-locale-ka, thunderbird-locale-ga-ie, thunderbird-locale-pa, thunderbird-locale-is, thunderbird-locale-nn-no, thunderbird-locale-sv-se, thunderbird-locale-eu, thunderbird-locale-bg, thunderbird-locale-gd, thunderbird-locale-ru, thunderbird-locale-sk, thunderbird-mozsymbols, thunderbird-locale-fy-nl, thunderbird-locale-en, xul-ext-lightning, thunderbird-locale-zh-hans, thunderbird-globalmenu, thunderbird-locale-ga, thunderbird-locale-es, thunderbird-locale-nb-no, thunderbird-locale-en-gb, thunderbird-locale-sl, thunderbird-locale-hsb, thunderbird-locale-pa-in, thunderbird-locale-be, thunderbird-locale-es-ar, thunderbird-locale-fr, thunderbird-locale-vi, thunderbird-locale-ta-lk, thunderbird-locale-fy, thunderbird-locale-da, thunderbird-locale-af, thunderbird-locale-id, thunderbird-locale-ast, thunderbird-locale-ro, thunderbird-testsuite, thunderbird-locale-zh-cn, thunderbird-locale-nn, thunderbird-locale-cy, thunderbird-locale-ca, thunderbird-locale-dsb, thunderbird, thunderbird-locale-sv, thunderbird-locale-ja, thunderbird-locale-et, thunderbird-locale-lt, thunderbird-locale-pt-br, thunderbird-locale-cs, thunderbird-locale-bn-bd, thunderbird-locale-mk, thunderbird-locale-pt, thunderbird-locale-ko, thunderbird-locale-hr, thunderbird-locale-hy, thunderbird-dev
  • USN-3112-1: thunderbird-locale-zh-hant, thunderbird-locale-de, thunderbird-locale-nl, thunderbird-locale-gl, thunderbird-locale-si, thunderbird-locale-bn, xul-ext-calendar-timezones, thunderbird-locale-nb, thunderbird-locale-tr, thunderbird-locale-rm, thunderbird-locale-el, thunderbird-locale-ta, thunderbird-locale-he, thunderbird-locale-zh-tw, thunderbird-locale-pt-pt, thunderbird-locale-en-us, thunderbird-locale-sq, thunderbird-locale-sr, thunderbird-locale-uk, thunderbird-locale-br, thunderbird-locale-it, xul-ext-gdata-provider, thunderbird-locale-pl, thunderbird-gnome-support, thunderbird-locale-ar, thunderbird-locale-es-es, thunderbird-locale-fi, thunderbird-locale-hu, thunderbird-locale-ka, thunderbird-locale-ga-ie, thunderbird-locale-pa, thunderbird-locale-is, thunderbird-locale-nn-no, thunderbird-locale-sv-se, thunderbird-locale-eu, thunderbird-locale-bg, thunderbird-locale-gd, thunderbird-locale-ru, thunderbird-locale-sk, thunderbird-mozsymbols, thunderbird-locale-fy-nl, thunderbird-locale-en, xul-ext-lightning, thunderbird-locale-zh-hans, thunderbird-globalmenu, thunderbird-locale-ga, thunderbird-locale-es, thunderbird-locale-nb-no, thunderbird-locale-en-gb, thunderbird-locale-sl, thunderbird-locale-hsb, thunderbird-locale-pa-in, thunderbird-locale-be, thunderbird-locale-es-ar, thunderbird-locale-fr, thunderbird-locale-vi, thunderbird-locale-ta-lk, thunderbird-locale-fy, thunderbird-locale-da, thunderbird-locale-af, thunderbird-locale-id, thunderbird-locale-ast, thunderbird-locale-ro, thunderbird-testsuite, thunderbird-locale-zh-cn, thunderbird-locale-nn, thunderbird-locale-cy, thunderbird-locale-ca, thunderbird-locale-dsb, thunderbird, thunderbird-locale-sv, thunderbird-locale-ja, thunderbird-locale-et, thunderbird-locale-lt, thunderbird-locale-pt-br, thunderbird-locale-cs, thunderbird-locale-bn-bd, thunderbird-locale-mk, thunderbird-locale-pt, thunderbird-locale-ko, thunderbird-locale-hr, thunderbird-locale-hy, thunderbird-dev