Package Instance

Using Address Sanitizer, security researcher Sascha Just reported a
buffer overflow in the libstagefright library due to issues with the handling of CENC
offsets and the sizes table. This results in a potentially exploitable crash triggerable
through web content.

Mozilla developers fixed several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

Mozilla developers fixed several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

The CESG, the Information Security Arm of GCHQ, reported that the
JavaScript .watch() method could be used to overflow the 32-bit generation
count of the underlying HashMap, resulting in a write to an invalid entry. Under the right
conditions this write could lead to arbitrary code execution. The overflow takes
considerable time and a malicious page would require a user to keep it open for the
duration of the attack.

Mozilla developers and community identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a risk in
browser or browser-like contexts.

The CESG, the Information Security Arm of GCHQ, reported a dangling
pointer dereference within the Netscape Plugin Application Programming Interface (NPAPI)
that could lead to the NPAPI subsystem crashing. This issue requires a maliciously crafted
NPAPI plugin in concert with scripted web content, resulting in a potentially exploitable
crash when triggered.
In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a risk in
browser or browser-like contexts.

Using Address Sanitizer, security researcher Sascha Just reported a
buffer overflow in the libstagefright library due to issues with the handling of CENC
offsets and the sizes table. This results in a potentially exploitable crash triggerable
through web content.

Security researcher Ronald Crane reported eight
vulnerabilities affecting released code that were found through code inspection. These
included several potential memory safety issues resulting from the use of
snprintf, one use of unowned memory, one use of a string without overflow
checks, and five memory safety bugs. These do not all have clear mechanisms to be
exploited through web content but are vulnerable if a mechanism can be found to trigger
them.
In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a risk in
browser or browser-like contexts.

Mozilla developers fixed several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

Security researcher Herre reported a use-after-free
vulnerability when a Content Policy modifies the Document Object Model to
remove a DOM object, which is then used afterwards due to an error in microtask
implementation. This leads to an exploitable crash.
In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a risk in
browser or browser-like contexts.

Mozilla engineers Tyson Smith and David Keeler
reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security
Services (NSS). These issues were in octet string parsing and were found through fuzzing
and code inspection. If these issues were triggered, they would lead to a potentially
exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in
Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.Google security engineer Ryan Sleevi reported an integer overflow in
the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation.
This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS.

Security researcher Ronald Crane reported seven
vulnerabilities affecting released code that he found through code inspection.
These included three uses of uninitialized memory, one poor validation
leading to an exploitable crash, one read of unowned memory in zip files, and
two buffer overflows. These do not all have clear mechanisms to be exploited
through web content but are vulnerable if a mechanism can be found to trigger
them.

Security researcher Holger Fuhrmannek and Mozilla security engineer
Tyson Smith reported a number of security vulnerabilities in the Graphite
2 library affecting version 1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to induce
stack corruption with a malicious graphite font. This leads to a potentially exploitable
crash when the font is loaded.
Tyson Smith used the Address Sanitizer tool in concert with a custom
software fuzzer to find a series of uninitialized memory, out-of-bounds read, and
out-of-bounds write errors when working with fuzzed graphite fonts. 

To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been
updated to Graphite 2 version 1.3.6.

Security researcher Holger Fuhrmannek and Mozilla security engineer
Tyson Smith reported a number of security vulnerabilities in the Graphite
2 library affecting version 1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to induce
stack corruption with a malicious graphite font. This leads to a potentially exploitable
crash when the font is loaded.
Tyson Smith used the Address Sanitizer tool in concert with a custom
software fuzzer to find a series of uninitialized memory, out-of-bounds read, and
out-of-bounds write errors when working with fuzzed graphite fonts. 

To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been
updated to Graphite 2 version 1.3.6.

Security researcher Holger Fuhrmannek and Mozilla security engineer
Tyson Smith reported a number of security vulnerabilities in the Graphite
2 library affecting version 1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to induce
stack corruption with a malicious graphite font. This leads to a potentially exploitable
crash when the font is loaded.
Tyson Smith used the Address Sanitizer tool in concert with a custom
software fuzzer to find a series of uninitialized memory, out-of-bounds read, and
out-of-bounds write errors when working with fuzzed graphite fonts. 

To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been
updated to Graphite 2 version 1.3.6.

Security researcher André Bargull reported non-configurable
properties on JavaScript objects can be redefined while parsing JSON in
violation of the ECMAScript 6 standard. This allows malicious web content to
bypass same-origin policy by editing these properties to arbitrary values.

Mozilla developer Ehsan Akhgari reported two issues with Cross-origin
resource sharing (CORS) "preflight" requests.The first issue is that in some circumstances the same cache key can be generated for
two preflight requests on a site. As a result, if a second request is made that will match
the cached key generated by an earlier request, CORS checks will be bypassed because the
system will see the previously cached request as applicable.In the second issue, when some Access-Control- headers are missing from
CORS responses, the values from different Access-Control- headers can be used
that present in the same response. In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a risk in
browser or browser-like contexts.

Security researcher Ronald Crane reported seven
vulnerabilities affecting released code that he found through code inspection.
These included three uses of uninitialized memory, one poor validation
leading to an exploitable crash, one read of unowned memory in zip files, and
two buffer overflows. These do not all have clear mechanisms to be exploited
through web content but are vulnerable if a mechanism can be found to trigger
them.