Lookup for vulnerable packages by Package URL.

Purl pkg:mozilla/Firefox@14.0.0
Type mozilla
Namespace
Name Firefox
Version 14.0.0
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 15.0.0
Latest_non_vulnerable_version 151.0.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-1v9j-kd28-5ufe
vulnerability_id VCID-1v9j-kd28-5ufe
summary
Google developer Tony Payne reported an out of bounds (OOB)
read in QCMS, Mozilla’s color management library. With a carefully crafted color profile, portions of a user's memory could be incorporated into a transformed image and possibly deciphered.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1960
reference_id CVE-2012-1960
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1960
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-50
reference_id mfsa2012-50
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-50
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1960
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1v9j-kd28-5ufe
1
url VCID-23uc-h52u-b7ft
vulnerability_id VCID-23uc-h52u-b7ft
summary
Security researcher Mariusz Mlynski reported an issue with
spoofing of the location property. In this issue, calls to history.forward and
history.back are used to navigate to a site while displaying the previous site
in the addressbar but changing the baseURI to the newer site. This can be used
for phishing by allowing the user to input form or other data on the newer,
attacking, site while appearing to be on the older, displayed site.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1955
reference_id CVE-2012-1955
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1955
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-45
reference_id mfsa2012-45
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-45
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1955
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-23uc-h52u-b7ft
2
url VCID-4wx4-61y3-j3dr
vulnerability_id VCID-4wx4-61y3-j3dr
summary
Security researcher Bill Keese reported a memory corruption.
This is caused by JSDependentString::undepend changing a dependent string into a
fixed string when there are additional dependent strings relying on the same
base. When the undepend occurs during conversion, the base data is freed,
leaving other dependent strings with dangling pointers. This can lead to a
potentially exploitable crash.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1962
reference_id CVE-2012-1962
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1962
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-52
reference_id mfsa2012-52
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-52
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1962
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4wx4-61y3-j3dr
3
url VCID-87rg-y5r7-gfe8
vulnerability_id VCID-87rg-y5r7-gfe8
summary
Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a
data: URL. In this issue, context menu functionality ("View Image", "Show only this frame", and "View background image") is disallowed in a javascript: URL but allowed in a data: URL, allowing for XSS. This can lead to arbitrary code execution.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1966
reference_id CVE-2012-1966
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1966
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-46
reference_id mfsa2012-46
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-46
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1966
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-87rg-y5r7-gfe8
4
url VCID-8xap-v6vg-vyaq
vulnerability_id VCID-8xap-v6vg-vyaq
summary
Bugzilla developer Frédéric Buclin reported that the
X-Frame-Options header is ignored when the value is duplicated,
for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This
duplication occurs for unknown reasons on some websites and when it occurs
results in Mozilla browsers not being protected against possible clickjacking
attacks on those pages.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1961
reference_id CVE-2012-1961
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1961
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-51
reference_id mfsa2012-51
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-51
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1961
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8xap-v6vg-vyaq
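The duplicated-header shape described in the entry above (mfsa2012-51 / CVE-2012-1961) is something a site owner can check for on their own responses. The following is an added example, not Mozilla's code or part of the VulnerableCode response: it flags X-Frame-Options fields that are repeated, or joined into one comma-separated value, and values outside the RFC 7034 grammar, and collapses identical duplicates into a single field. The header sets are constructed for the example; it does not model the behaviour of any particular browser.

```python
"""Flag X-Frame-Options headers in the duplicated shape from mfsa2012-51.

Added example, not Mozilla's code and not a model of any browser. It flags
(a) more than one X-Frame-Options field, or one field carrying a comma-joined
list such as "SAMEORIGIN, SAMEORIGIN", which the advisory says the affected
Firefox versions ignored, and (b) values outside the RFC 7034 grammar.
The response header sets below are constructed.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

VALID_SINGLE = {"DENY", "SAMEORIGIN"}

# Constructed responses as (header name, value) pairs a server might emit.
CONSTRUCTED_RESPONSES: Dict[str, List[Header]] = {
    "duplicated_field": [("Content-Type", "text/html"),
                         ("X-Frame-Options", "SAMEORIGIN"),
                         ("X-Frame-Options", "SAMEORIGIN")],
    "comma_joined": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
    "conflicting": [("X-Frame-Options", "DENY"),
                    ("X-Frame-Options", "SAMEORIGIN")],
    "single": [("X-Frame-Options", "deny")],
    "missing": [("Content-Type", "text/html")],
}


def _xfo_tokens(headers: List[Header]) -> Tuple[int, List[str]]:
    """Return (number of X-Frame-Options fields, upper-cased value tokens)."""
    raw = [v for k, v in headers if k.lower() == "x-frame-options"]
    tokens = [t.strip().upper() for v in raw for t in v.split(",") if t.strip()]
    return len(raw), tokens


def _is_valid_token(token: str) -> bool:
    # RFC 7034 grammar: DENY | SAMEORIGIN | ALLOW-FROM <serialized origin>
    if token in VALID_SINGLE:
        return True
    return token.startswith("ALLOW-FROM ") and len(token.split()) == 2


def check_xfo(headers: List[Header]) -> dict:
    """Evaluate the X-Frame-Options fields of one response."""
    count, tokens = _xfo_tokens(headers)
    return {
        "present": count > 0,
        # Both shapes are treated alike: HTTP intermediaries may fold repeated
        # fields into one comma-separated field before the browser sees them.
        "duplicated": count > 1 or len(tokens) > 1,
        "valid": len(tokens) == 1 and _is_valid_token(tokens[0]),
        "tokens": tokens,
    }


def dedupe_xfo(headers: List[Header]) -> List[Header]:
    """Collapse repeated identical X-Frame-Options fields into one field.

    Conflicting values are refused rather than silently picked from.
    """
    count, tokens = _xfo_tokens(headers)
    if count == 0:
        return list(headers)
    if len(set(tokens)) != 1:
        raise ValueError(f"conflicting X-Frame-Options values: {tokens}")
    kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
    return kept + [("X-Frame-Options", tokens[0])]


def audit(responses: Dict[str, List[Header]]) -> Dict[str, str]:
    """Map each response name to a one-word finding."""
    findings = {}
    for name, headers in responses.items():
        result = check_xfo(headers)
        if not result["present"]:
            findings[name] = "missing"
        elif result["duplicated"]:
            findings[name] = "duplicated"
        elif not result["valid"]:
            findings[name] = "invalid"
        else:
            findings[name] = "ok"
    return findings
```

Run `audit(CONSTRUCTED_RESPONSES)` to see the five shapes classified; `dedupe_xfo` is the remediation for the identical-duplicate case and deliberately raises on conflicting values, since guessing which policy the operator meant would be worse than failing loudly.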
5
url VCID-a6qz-skp8-23d9
vulnerability_id VCID-a6qz-skp8-23d9
summary
Mozilla security researcher moz_bug_r_a4 reported an
arbitrary code execution attack using a javascript: URL. The Gecko
engine features a JavaScript sandbox utility that allows the browser or add-ons
to safely execute script in the context of a web page. In certain cases,
javascript: URLs are executed in such a sandbox with insufficient
context that can allow those scripts to escape from the sandbox and run with
elevated privilege. This can lead to arbitrary code execution.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1967
reference_id CVE-2012-1967
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1967
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-56
reference_id mfsa2012-56
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-56
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1967
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6qz-skp8-23d9
6
url VCID-bsex-hp53-7kd7
vulnerability_id VCID-bsex-hp53-7kd7
summary
Mozilla developer Bobby Holley found that same-compartment
security wrappers (SCSW) can be bypassed by passing them to another compartment.
Cross-compartment wrappers often do not go through SCSW, but have a filtering
policy built into them. When an object is wrapped cross-compartment, the SCSW is
stripped off and, when the object is read back, it is not known that SCSW
was previously present, resulting in a bypassing of SCSW. This could result in
untrusted content having access to the XBL that implements browser
functionality.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1959
reference_id CVE-2012-1959
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1959
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-49
reference_id mfsa2012-49
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-49
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1959
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bsex-hp53-7kd7
7
url VCID-gadh-19ks-vuem
vulnerability_id VCID-gadh-19ks-vuem
summary
Security researcher Arthur Gerkis used the Address Sanitizer
tool to find a use-after-free in nsGlobalWindow::PageHidden when mFocusedContent
is released and oldFocusedContent is used afterwards. This use-after-free could
possibly allow for remote code execution.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1958
reference_id CVE-2012-1958
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1958
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-48
reference_id mfsa2012-48
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-48
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1958
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gadh-19ks-vuem
8
url VCID-ggku-uzpq-wffw
vulnerability_id VCID-ggku-uzpq-wffw
summary
Security researcher Mario Gomes and research firm
Code Audit Labs reported a mechanism to short-circuit page
loads through drag and drop to the addressbar by canceling the page load. This
causes the address of the previously entered site to be displayed in the
addressbar instead of the currently loaded page. This could lead to potential
phishing attacks on users.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1950
reference_id CVE-2012-1950
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1950
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-43
reference_id mfsa2012-43
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-43
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1950
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ggku-uzpq-wffw
9
url VCID-nvpe-v8jh-fqdk
vulnerability_id VCID-nvpe-v8jh-fqdk
summary
Security researcher Mario Heiderich reported that javascript
could be executed in the HTML feed-view using <embed> tag
within the RSS <description>. This problem is due to
<embed> tags not being filtered out during parsing and can
lead to a potential cross-site scripting (XSS) attack. The flaw existed in a
parser utility class and could affect other parts of the browser or add-ons
which rely on that class to sanitize untrusted input.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1957
reference_id CVE-2012-1957
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1957
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-47
reference_id mfsa2012-47
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-47
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1957
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nvpe-v8jh-fqdk
10
url VCID-r5p4-r6th-1fft
vulnerability_id VCID-r5p4-r6th-1fft
summary
Security researcher Karthikeyan Bhargavan of Prosecco at
INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP
violation reports generated by Firefox and sent to the "report-uri" location
include sensitive data within the "blocked-uri" parameter. These include
fragment components and query strings even if the "blocked-uri" parameter has a
different origin than the protected resource. This can be used to retrieve a
user's OAuth 2.0 access tokens and OpenID credentials by malicious sites.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1963
reference_id CVE-2012-1963
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1963
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-53
reference_id mfsa2012-53
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-53
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1963
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r5p4-r6th-1fft
11
url VCID-uuzp-xmx5-e7c4
vulnerability_id VCID-uuzp-xmx5-e7c4
summary
Security researchers Mario Gomes and Soroush
Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1965
reference_id CVE-2012-1965
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1965
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-55
reference_id mfsa2012-55
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-55
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1965
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uuzp-xmx5-e7c4
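The entry above (mfsa2012-55 / CVE-2012-1965) describes a filter that strips javascript: URLs being evaded by a feed:javascript: URL. The following is an added example, not Mozilla's code and not any real site's filter, showing why: a denylist that checks the URL's own scheme against known-bad values is blind to any wrapper scheme the browser will unwrap, whereas a filter that accepts only the schemes a site expects is not. The inputs are constructed; the normalisation step mirrors the WHATWG URL parser's removal of tab and newline characters and of leading and trailing control characters and spaces.

```python
"""Scheme denylist versus scheme allowlist for user-supplied URLs,
illustrating the feed:javascript: evasion from mfsa2012-55.

Added example, not Mozilla's code and not any real site's filter. The weak
filter rejects only URLs whose own scheme is javascript:; a URL wrapped in
another scheme that the browser unwraps (the advisory's feed:javascript:
case) passes it. The hardened filter accepts only expected schemes.
All inputs below are constructed.
"""
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}

# Characters the WHATWG URL parser strips from the ends of an input.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed inputs: (url, denylist verdict, allowlist verdict).
CONSTRUCTED_URLS = [
    ("https://example.test/page", True, True),
    ("/relative/path", True, True),
    ("javascript:alert(1)", False, False),
    ("feed:javascript:alert(1)", True, False),   # the evasion on this page
    ("FEED:JavaScript:alert(1)", True, False),   # scheme matching is case-insensitive
    ("java\tscript:alert(1)", True, False),      # a tab defeats the literal prefix test
    ("mailto:security@example.test", True, True),
]


def denylist_filter(url: str) -> bool:
    """Weak: allow anything that does not literally begin with 'javascript:'."""
    return not url.strip().lower().startswith("javascript:")


def _normalize(url: str) -> str:
    """Preprocess as a browser's URL parser does before scheme detection:
    drop tab/CR/LF anywhere, then leading/trailing C0 controls and spaces."""
    return re.sub(r"[\t\r\n]", "", url).strip(_C0_AND_SPACE)


def allowlist_filter(url: str) -> bool:
    """Hardened: accept relative URLs and an explicit set of schemes only."""
    scheme = urlsplit(_normalize(url)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def evaluate(urls=CONSTRUCTED_URLS) -> dict:
    """Run both filters and report what each lets through."""
    return {
        "denylist_allows": [u for u, _, _ in urls if denylist_filter(u)],
        "allowlist_allows": [u for u, _, _ in urls if allowlist_filter(u)],
        # URLs the weak filter passes that the hardened one refuses.
        "evasions": [u for u, _, _ in urls
                     if denylist_filter(u) and not allowlist_filter(u)],
    }
```

`evaluate()["evasions"]` lists exactly the wrapped and tab-split variants. The allowlist's remaining judgement call is which schemes to permit; the example allows mailto: only because it is harmless in an href, and a site that does not need it should drop it.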
12
url VCID-vfss-5cfk-dqc3
vulnerability_id VCID-vfss-5cfk-dqc3
summary
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1949
reference_id CVE-2012-1949
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1949
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-42
reference_id mfsa2012-42
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-42
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1949
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vfss-5cfk-dqc3
13
url VCID-xk4x-pd18-akag
vulnerability_id VCID-xk4x-pd18-akag
summary
Google security researcher Abhishek Arya used the Address
Sanitizer tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is caused
when an array of nsSMILTimeValueSpec objects is destroyed but attempts are made
to call into objects in this array later. The second use-after-free problem is
in nsDocument::AdoptNode when it adopts into an empty document and then adopts
into another document, emptying the first one. The heap buffer overflow is in
ElementAnimations when data is read off of end of an array and then pointers are
dereferenced. The bad cast happens when nsTableFrame::InsertFrames is called
with frames in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix. All four of these issues are potentially exploitable.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1951
reference_id CVE-2012-1951
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1951
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2012-44
reference_id mfsa2012-44
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2012-44
fixed_packages
0
url pkg:mozilla/Firefox@14.0.0
purl pkg:mozilla/Firefox@14.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
aliases CVE-2012-1951
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xk4x-pd18-akag
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@14.0.0
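The lookup above returns one package record keyed by its Package URL, with an is_vulnerable flag, the affected_by_vulnerabilities and fixing_vulnerabilities lists, next and latest non-vulnerable versions, and per-vulnerability references carrying generic_textual severities. The following is an added example, not VulnerableCode's own client code, of turning such a response into an upgrade decision: it parses the purl, ranks each fixing vulnerability by its worst textual severity, and cross-checks the is_vulnerable flag against the affected list rather than trusting the flag alone. SAMPLE_RESPONSE is constructed from the fields shown on this page, trimmed to two of the fourteen fixing vulnerabilities; the severity ordering (critical over high over medium/moderate over low over none) is the example's own assumption.

```python
"""Triage a VulnerableCode package lookup by Package URL (purl).

Added example, not VulnerableCode's own client code. SAMPLE_RESPONSE is
constructed from the fields shown on this page for pkg:mozilla/Firefox@14.0.0,
trimmed to two of its fourteen fixing vulnerabilities; key names follow the
page's own keys. The severity ordering is this example's assumption.
"""
import json
from urllib.parse import unquote

# Constructed sample mirroring the page's response (abbreviated).
SAMPLE_RESPONSE = json.dumps({
    "purl": "pkg:mozilla/Firefox@14.0.0",
    "is_vulnerable": False,
    "next_non_vulnerable_version": "15.0.0",
    "latest_non_vulnerable_version": "151.0.0",
    "affected_by_vulnerabilities": [],
    "fixing_vulnerabilities": [
        {"vulnerability_id": "VCID-4wx4-61y3-j3dr", "aliases": ["CVE-2012-1962"],
         "references": [
             {"reference_id": "CVE-2012-1962", "scores": []},
             {"reference_id": "mfsa2012-52", "scores": [
                 {"value": "critical", "scoring_system": "generic_textual"}]}]},
        {"vulnerability_id": "VCID-8xap-v6vg-vyaq", "aliases": ["CVE-2012-1961"],
         "references": [
             {"reference_id": "CVE-2012-1961", "scores": []},
             {"reference_id": "mfsa2012-51", "scores": [
                 {"value": "none", "scoring_system": "generic_textual"}]}]},
    ],
})

# Assumed ordering of generic_textual severities; unknown words rank 0.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "moderate": 2, "low": 1, "none": 0}


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Order follows the Package URL spec: '#' and '?' split from the right,
    type from the left, version from the right on '@'; parts are decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = qualifiers = version = None
    if "#" in rest:
        rest, subpath = rest.rsplit("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, query = rest.rsplit("?", 1)
        for pair in filter(None, query.split("&")):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = rest.split("/")
    return {"type": parts[0].lower(),
            "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
            "name": unquote(parts[-1]), "version": version,
            "qualifiers": qualifiers, "subpath": subpath}


def worst_textual_severity(vuln: dict) -> str:
    """Highest generic_textual score across one vulnerability's references."""
    worst = "none"
    for ref in vuln.get("references", []):
        for score in ref.get("scores", []):
            if score.get("scoring_system") != "generic_textual":
                continue
            value = str(score.get("value", "none")).lower()
            if SEVERITY_RANK.get(value, 0) > SEVERITY_RANK.get(worst, 0):
                worst = value
    return worst


def triage(response_json: str) -> dict:
    """Reduce one package lookup to the facts an upgrade decision needs."""
    data = json.loads(response_json)
    purl = parse_purl(data["purl"])
    affected = data.get("affected_by_vulnerabilities", [])
    is_vulnerable = bool(data.get("is_vulnerable"))
    fixes = [(v["vulnerability_id"], ",".join(v.get("aliases", [])),
              worst_textual_severity(v))
             for v in data.get("fixing_vulnerabilities", [])]
    fixes.sort(key=lambda t: -SEVERITY_RANK.get(t[2], 0))  # worst first
    return {
        "package": f"{purl['name']} {purl['version']}",
        "is_vulnerable": is_vulnerable,
        "affected_count": len(affected),
        # The flag and the affected list come from the same record; a mismatch
        # means the data needs a second look before anyone acts on it.
        "consistent": is_vulnerable == bool(affected),
        # Only a package that is actually affected needs the next safe version.
        "upgrade_to": data.get("next_non_vulnerable_version") if is_vulnerable else None,
        "fixes": fixes,
    }
```

For the record on this page, `triage(SAMPLE_RESPONSE)` reports a non-vulnerable package with no upgrade required and lists the fixing vulnerabilities worst-first; the same function applied to a response with a populated affected_by_vulnerabilities list would return the next_non_vulnerable_version as the upgrade target. The purl parser also handles the encoded namespace, qualifier and subpath components that this page's purl happens not to use.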