Security update for Mozilla Firefox, Thunderbird and NSS SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:3011-1 Final 1 1 2016-12-05T14:56:04Z current 2016-12-05T14:56:04Z 2016-12-05T14:56:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Mozilla Firefox, Thunderbird and NSS This update to Mozilla Firefox 50.0.2, Thunderbird 45.5.1 and NSS 3.16.2 fixes a number of security issues. The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89): - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) - CVE-2016-5292: URL parsing causes crash (bmo#1288482) - CVE-2016-5297: Incorrect argument length checking in Javascript (bmo#1303678) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) - CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) - CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) - CVE-2016-9073: windows.create schema doesn't specify 'format': 'relativeUrl' (bmo#1289273) - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) - CVE-2016-5289: Memory safety bugs fixed in Firefox 50 - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 The following vulnerabilities were fixed in Mozilla NSS 3.26.1: - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) Mozilla Firefox now requires mozilla-nss 3.26.2. New features in Mozilla Firefox: - Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R - Added option to Find in page that allows users to limit search to whole words only - Added download protection for a large number of executable file types on Windows, Mac and Linux - Fixed rendering of dashed and dotted borders with rounded corners (border-radius) - Added a built-in Emoji set for operating systems without native Emoji fonts - Blocked versions of libavcodec older than 54.35.1 - additional locale mozilla-nss was updated to 3.26.2, incorporating the following changes: - the selfserv test utility has been enhanced to support ALPN (HTTP/1.1) and 0-RTT - The following CA certificate was added: CN = ISRG Root X1 - NPN is disabled and ALPN is enabled by default - MD5 signature algorithms sent by the server in CertificateRequest messages are now properly ignored The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html E-Mail link for openSUSE-SU-2016:3011-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings MozillaFirefox-50.0.2-131.1 MozillaFirefox-branding-upstream-50.0.2-131.1 MozillaFirefox-buildsymbols-50.0.2-131.1 MozillaFirefox-devel-50.0.2-131.1 MozillaFirefox-translations-common-50.0.2-131.1 MozillaFirefox-translations-other-50.0.2-131.1 MozillaThunderbird-45.5.1-70.92.1 MozillaThunderbird-buildsymbols-45.5.1-70.92.1 MozillaThunderbird-devel-45.5.1-70.92.1 MozillaThunderbird-translations-common-45.5.1-70.92.1 MozillaThunderbird-translations-other-45.5.1-70.92.1 libfreebl3-3.26.2-94.1 libfreebl3-32bit-3.26.2-94.1 libsoftokn3-3.26.2-94.1 libsoftokn3-32bit-3.26.2-94.1 mozilla-nss-3.26.2-94.1 mozilla-nss-32bit-3.26.2-94.1 mozilla-nss-certs-3.26.2-94.1 mozilla-nss-certs-32bit-3.26.2-94.1 mozilla-nss-devel-3.26.2-94.1 mozilla-nss-sysinit-3.26.2-94.1 mozilla-nss-sysinit-32bit-3.26.2-94.1 mozilla-nss-tools-3.26.2-94.1 Memory safety bugs were reported in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 50. CVE-2016-5289 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5289.html CVE-2016-5289 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010426 SUSE Bug 1010426 Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-5290 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5290.html CVE-2016-5290 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010427 SUSE Bug 1010427 A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-5291 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5291.html CVE-2016-5291 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010410 SUSE Bug 1010410 During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. This vulnerability affects Firefox < 50. CVE-2016-5292 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5292.html CVE-2016-5292 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010399 SUSE Bug 1010399 When the Mozilla Updater is run, if the Updater's log file in the working directory points to a hardlink, data can be appended to an arbitrary local file. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. CVE-2016-5293 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5293.html CVE-2016-5293 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010400 SUSE Bug 1010400 The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-5294 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5294.html CVE-2016-5294 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010396 SUSE Bug 1010396 This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vulnerability requires local system access and is a variant of MFSA2013-44. Note: this issue only affects Windows operating systems. This vulnerability affects Firefox < 50. CVE-2016-5295 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5295.html CVE-2016-5295 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010411 SUSE Bug 1010411 A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-5296 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5296.html CVE-2016-5296 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010395 SUSE Bug 1010395 An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-5297 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5297.html CVE-2016-5297 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010401 SUSE Bug 1010401 A mechanism where disruption of the loading of a new web page can cause the previous page's favicon and SSL indicator to not be reset when the new page is loaded. Note: this issue only affects Firefox for Android. Desktop Firefox is unaffected. This vulnerability affects Firefox < 50. CVE-2016-5298 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5298.html CVE-2016-5298 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010412 SUSE Bug 1010412 A previously installed malicious Android application with same signature-level permissions as Firefox can intercept AuthTokens meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. CVE-2016-5299 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-5299.html CVE-2016-5299 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010413 SUSE Bug 1010413 A previously installed malicious Android application which defines a specific signature-level permissions used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. CVE-2016-9061 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9061.html CVE-2016-9061 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010418 SUSE Bug 1010418 Private browsing mode leaves metadata information, such as URLs, for sites visited in "browser.db" and "browser.db-wal" files within the Firefox profile after the mode is exited. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. CVE-2016-9062 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9062.html CVE-2016-9062 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010419 SUSE Bug 1010419 An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox < 50. CVE-2016-9063 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9063.html CVE-2016-9063 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010424 SUSE Bug 1010424 https://bugzilla.suse.com/1047240 SUSE Bug 1047240 https://bugzilla.suse.com/1123115 SUSE Bug 1123115 Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. CVE-2016-9064 moderate 4 AV:N/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9064.html CVE-2016-9064 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010402 SUSE Bug 1010402 The location bar in Firefox for Android can be spoofed by forcing a user into fullscreen mode, blocking its exiting, and creating of a fake location bar without any user notification. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects Firefox < 50. CVE-2016-9065 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9065.html CVE-2016-9065 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010403 SUSE Bug 1010403 A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-9066 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9066.html CVE-2016-9066 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010404 SUSE Bug 1010404 Two use-after-free errors during DOM operations resulting in potentially exploitable crashes. This vulnerability affects Firefox < 50. CVE-2016-9067 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9067.html CVE-2016-9067 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010405 SUSE Bug 1010405 A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash. This vulnerability affects Firefox < 50. CVE-2016-9068 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9068.html CVE-2016-9068 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010406 SUSE Bug 1010406 A use-after-free in nsINode::ReplaceOrInsertBefore during DOM operations resulting in potentially exploitable crashes. This vulnerability affects Firefox < 50. CVE-2016-9069 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9069.html CVE-2016-9069 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010405 SUSE Bug 1010405 A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections. This vulnerability affects Firefox < 50. CVE-2016-9070 moderate 4 AV:N/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9070.html CVE-2016-9070 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010420 SUSE Bug 1010420 Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. This vulnerability affects Firefox < 50. CVE-2016-9071 low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9071.html CVE-2016-9071 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010425 SUSE Bug 1010425 When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default. Note: This issue only affects 64-bit Windows. 32-bit Windows and other operating systems are unaffected. This vulnerability affects Firefox < 50. CVE-2016-9072 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9072.html CVE-2016-9072 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010407 SUSE Bug 1010407 WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox. This vulnerability affects Firefox < 50. CVE-2016-9073 moderate 4 AV:N/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9073.html CVE-2016-9073 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010421 SUSE Bug 1010421 An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50. CVE-2016-9074 moderate 4 AV:N/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9074.html CVE-2016-9074 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010422 SUSE Bug 1010422 An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 50. CVE-2016-9075 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9075.html CVE-2016-9075 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010408 SUSE Bug 1010408 An issue where a "<select>" dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function. This vulnerability affects Firefox < 50. CVE-2016-9076 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9076.html CVE-2016-9076 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010423 SUSE Bug 1010423 Canvas allows the use of the "feDisplacementMap" filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations. This vulnerability affects Firefox < 50. CVE-2016-9077 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9077.html CVE-2016-9077 https://bugzilla.suse.com/1009026 SUSE Bug 1009026 https://bugzilla.suse.com/1010409 SUSE Bug 1010409 Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: This issue only affects Firefox 49 and 50. This vulnerability affects Firefox < 50.0.1. CVE-2016-9078 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9078.html CVE-2016-9078 https://bugzilla.suse.com/1012807 SUSE Bug 1012807 A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1. CVE-2016-9079 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00010.html https://www.suse.com/security/cve/CVE-2016-9079.html CVE-2016-9079 https://bugzilla.suse.com/1012964 SUSE Bug 1012964