Lookup for vulnerable packages by Package URL.

Purl pkg:mozilla/Firefox@40.0.0
Type mozilla
Namespace
Name Firefox
Version 40.0.0
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 40.0.3
Latest_non_vulnerable_version 151.0.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-2crz-j51e-byc3
vulnerability_id VCID-2crz-j51e-byc3
summary
Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team used the Address Sanitizer tool to discover two buffer
overflow issues in the Libvpx library used for WebM video when decoding a
malformed WebM video file. These buffer overflows result in potentially
exploitable crashes.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
reference_id CVE-2015-4485
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-89
reference_id mfsa2015-89
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-89
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4485
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2crz-j51e-byc3
1
url VCID-59jz-5qv2-5yb1
vulnerability_id VCID-59jz-5qv2-5yb1
summary
Security researcher André Bargull reported non-configurable
properties on JavaScript objects can be redefined while parsing JSON in
violation of the ECMAScript 6 standard. This allows malicious web content to
bypass same-origin policy by editing these properties to arbitrary values.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
reference_id CVE-2015-4478
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-82
reference_id mfsa2015-82
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-82
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4478
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-59jz-5qv2-5yb1
2
url VCID-7n87-9s1d-pkbk
vulnerability_id VCID-7n87-9s1d-pkbk
summary
Security researcher Masato Kinugawa reported that opening a
target page using a POST to a URL prefixed with the feed:
protocol disables the mixed content blocker for that page. This could allow for
the risk of a man-in-the-middle (MITM) scripting attack on pages that
accidentally include insecure content which would otherwise be blocked.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4483
reference_id CVE-2015-4483
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4483
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-86
reference_id mfsa2015-86
reference_type
scores
0
value low
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-86
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4483
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7n87-9s1d-pkbk
3
url VCID-adr4-axws-a3fp
vulnerability_id VCID-adr4-axws-a3fp
summary
Mozilla security engineer Christoph Kerschbaumer reported a
discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification
states that blob:, data:, and filesystem:
URLs should be excluded in case of a wildcard when matching source expressions
but Mozilla's implementation allows these in the case of an asterisk wildcard.
This could allow for more permissive CSP usage than expected by a web developer,
possibly allowing for cross-site scripting (XSS) attacks.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490
reference_id CVE-2015-4490
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-91
reference_id mfsa2015-91
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-91
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4490
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-adr4-axws-a3fp
4
url VCID-bndf-h1gn-dbhg
vulnerability_id VCID-bndf-h1gn-dbhg
summary
Security researcher Looben Yang discovered a use-after-free
vulnerability when recursively calling .open() on an XMLHttpRequest
in a SharedWorker.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
reference_id CVE-2015-4492
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-92
reference_id mfsa2015-92
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-92
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4492
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bndf-h1gn-dbhg
5
url VCID-f9tb-p3ha-9ug6
vulnerability_id VCID-f9tb-p3ha-9ug6
summary
Security researcher Aki Helin used the Address Sanitizer
tool to discover an out-of-bounds read during playback of a malformed MP3 format
audio file which switches sample formats. This could trigger a potentially
exploitable crash or the reading of out-of-bounds memory content in some
circumstances.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
reference_id CVE-2015-4475
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-80
reference_id mfsa2015-80
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-80
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4475
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f9tb-p3ha-9ug6
6
url VCID-gcfa-hdye-jqar
vulnerability_id VCID-gcfa-hdye-jqar
summary
An anonymous researcher reported, via TippingPoint's Zero Day Initiative, two integer
overflows in the libstagefright library that could be triggered by a malicious 'saio'
chunk in an MPEG4 video. These overflows allowed for potential arbitrary code execution.
This issue was independently reported by security researcher laf.intel.
Security researcher Massimiliano Tomassoli also discovered an
integer overflow issue when parsing an invalid MPEG4 video.
Mozilla security engineers Tyson Smith and Christoph
Diehl used the Address Sanitizer to find a buffer overflow when parsing an MPEG4
video with an invalid size in an ESDS chunk, leading to memory corruption.
Each of these reported issues results in a potentially exploitable crash that
could allow for remote code execution.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
reference_id CVE-2015-4479
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-83
reference_id mfsa2015-83
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-83
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4479
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gcfa-hdye-jqar
7
url VCID-hgqa-m8ub-f3dc
vulnerability_id VCID-hgqa-m8ub-f3dc
summary
Mozilla developers and community identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
reference_id CVE-2015-4473
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-79
reference_id mfsa2015-79
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-79
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4473
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hgqa-m8ub-f3dc
8
url VCID-j6jh-yqyy-qkbb
vulnerability_id VCID-j6jh-yqyy-qkbb
summary
Security researcher Holger Fuhrmannek reported that if the
Updater opens a MAR
format file with a specially crafted name, an out-of-bounds write will occur.
This can lead to a potentially exploitable crash but requires that the malicious
MAR format file be present on the local system and the Updater to be
run to use it.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4482
reference_id CVE-2015-4482
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4482
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-85
reference_id mfsa2015-85
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-85
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4482
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j6jh-yqyy-qkbb
9
url VCID-jst2-7b63-ubbj
vulnerability_id VCID-jst2-7b63-ubbj
summary
Security researcher SkyLined reported a use-after-free issue
in how audio is handled during MediaStream playback through
interactions with the Web Audio API.
This results in a potentially exploitable crash.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477
reference_id CVE-2015-4477
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-81
reference_id mfsa2015-81
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-81
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4477
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jst2-7b63-ubbj
10
url VCID-qtnf-u4kt-ybav
vulnerability_id VCID-qtnf-u4kt-ybav
summary
Security researcher Gustavo Grieco reported a heap overflow
in gdk-pixbuf affecting Linux systems using Gnome. This issue is
triggered by the scaling of a malformed bitmap format image and results in a
potentially exploitable crash.
This issue only affects Linux systems running Gnome. Windows and
OS X operating systems are unaffected.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
reference_id CVE-2015-4491
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-88
reference_id mfsa2015-88
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-88
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4491
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qtnf-u4kt-ybav
11
url VCID-syb1-nrzb-x3g9
vulnerability_id VCID-syb1-nrzb-x3g9
summary
Security researcher James Forshaw of Google Project Zero reported
that the Mozilla Maintenance Service on Windows
can be made to write its log file in a restricted location with an arbitrary
file name through the use of a hard link by means of a race condition. This can
allow the log file to overwrite another named file that a user would not have
the privileges to change. If the overwritten file is used as source input or
script by a program with elevated privileges, it could allow for an escalation
of privilege attack. This requires local file system access and the ability to
execute local programs to be exploitable.
This issue only affects Windows systems. OS X and Linux
operating systems are unaffected.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4481
reference_id CVE-2015-4481
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4481
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-84
reference_id mfsa2015-84
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-84
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4481
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-syb1-nrzb-x3g9
12
url VCID-wjz2-h366-vbae
vulnerability_id VCID-wjz2-h366-vbae
summary
Security researcher Ronald Crane reported three
vulnerabilities affecting released code that were found through code inspection.
These included one use of unowned memory, one use of a deleted object, and one
memory safety bug. These do not all have clear mechanisms to be exploited
through web content but are vulnerable if a mechanism can be found to trigger
them.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
reference_id CVE-2015-4487
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-90
reference_id mfsa2015-90
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-90
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4487
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wjz2-h366-vbae
13
url VCID-x1fr-hs7k-e7hs
vulnerability_id VCID-x1fr-hs7k-e7hs
summary
Security researcher Jukka Jylänki reported a crash that
occurs because JavaScript, when using shared memory, does not properly gate
access to Atomics or SharedArrayBuffer views in some
contexts. This leads to a non-exploitable crash.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
reference_id CVE-2015-4484
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2015-87
reference_id mfsa2015-87
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2015-87
fixed_packages
0
url pkg:mozilla/Firefox@40.0.0
purl pkg:mozilla/Firefox@40.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0
aliases CVE-2015-4484
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x1fr-hs7k-e7hs
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@40.0.0