Bug 44858 - firefox-esr: Security issues from 45.9.0esr..52.3.0esr (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-1-errata
Assigned To: Arvid Requate
QA Contact: Erik Damrose
URL: https://www.mozilla.org/en-US/securit...
Reported: 2017-06-26 15:04 CEST by Arvid Requate
Modified: 2017-08-16 12:44 CEST (History)

What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
requate: Patch_Available+

Description Arvid Requate univentionstaff 2017-06-26 15:04:10 CEST
Upstream Debian package version 52.2.0esr-1~deb7u1 fixes all of the following:
Firefox ESR 52.0.1 fixes the following issue:

* CVE-2017-5428: integer overflow in createImageBitmap()

Firefox ESR 52.1 fixes the following issues:

* CVE-2017-5433: Use-after-free in SMIL animation functions
* CVE-2017-5435: Use-after-free during transaction processing in the editor
* CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
* CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
* CVE-2017-5459: Buffer overflow in WebGL
* CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL
* CVE-2017-5434: Use-after-free during focus handling
* CVE-2017-5432: Use-after-free in text input selection
* CVE-2017-5460: Use-after-free in frame selection
* CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
* CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
* CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
* CVE-2017-5441: Use-after-free with selection during scroll events
* CVE-2017-5442: Use-after-free during style changes
* CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
* CVE-2017-5443: Out-of-bounds write during BinHex decoding
* CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
* CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
* CVE-2017-5447: Out-of-bounds read during glyph processing
* CVE-2017-5465: Out-of-bounds read in ConvolvePixel
* CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
* CVE-2016-10196: Vulnerabilities in Libevent library
* CVE-2017-5454: Sandbox escape allowing file system read access through file picker
* CVE-2017-5455: Sandbox escape through internal feed reader APIs
* CVE-2017-5456: Sandbox escape allowing local file system access
* CVE-2017-5469: Potential Buffer overflow in flex-generated code
* CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
* CVE-2017-5449: Crash during bidirectional unicode manipulation with animation
* CVE-2017-5451: Addressbar spoofing with onblur event
* CVE-2017-5462: DRBG flaw in NSS
* CVE-2017-5467: Memory corruption when drawing Skia content
* CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
* CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1

Firefox ESR 52.1.1 fixes the following issue:

* CVE-2017-5031: Use after free in ANGLE

Firefox ESR 52.2 fixes the following issues:

* CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749: Use-after-free during docshell reloading
* CVE-2017-7750: Use-after-free with track elements
* CVE-2017-7751: Use-after-free with content viewer listeners
* CVE-2017-7752: Use-after-free with IME input
* CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
* CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757: Use-after-free in IndexedDB
* CVE-2017-7778: Vulnerabilities in the Graphite 2 library
* CVE-2017-7758: Out-of-bounds read in Opus encoder
* CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
* CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
* CVE-2017-7763: Mac fonts render some unicode characters as spaces
* CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
* CVE-2017-7765: Mark of the Web bypass when saving executable files
* CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
* CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
* CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
* CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
Comment 1 Arvid Requate univentionstaff 2017-08-10 12:35:45 CEST
Upstream Debian package version 52.3.0esr-1~deb8u1 fixes all of the following:

* Out-of-bounds read with cached style data and pseudo-elements (CVE-2017-7753)
* Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 (CVE-2017-7779)
* Use-after-free with image observers (CVE-2017-7784)
* Buffer overflow manipulating ARIA attributes in DOM (CVE-2017-7785)
* Buffer overflow while painting non-displayable SVG (CVE-2017-7786)
* Same-origin policy bypass with iframes through page reloads (CVE-2017-7787)
* Spoofing following page navigation with data: protocol and modal alerts (CVE-2017-7791)
* Buffer overflow viewing certificates with an extremely long OID (CVE-2017-7792)
* XUL injection in the style editor in devtools (CVE-2017-7798)
* Use-after-free in WebSockets during disconnection (CVE-2017-7800)
* Use-after-free with marquee during window resizing (CVE-2017-7801)
* Use-after-free resizing image elements (CVE-2017-7802)
* CSP containing 'sandbox' improperly applied (CVE-2017-7803)
* Domain hijacking through AppCache fallback (CVE-2017-7807)
* Use-after-free while deleting attached editor DOM node (CVE-2017-7809)
Comment 2 Arvid Requate univentionstaff 2017-08-10 13:43:41 CEST
I've imported Debian upstream binary package 52.2.0esr-1~deb8u1 via

=========================================================================
# Package to import, and the SVN working copies of the repo-ng tooling
# and of the UCS 4.2-1 errata advisories
debian_package="firefox-esr"
svn_checkout=~/svn/dev/branches
repong_checkout="$svn_checkout/ucs-3.2/internal/repo-ng"
errata_checkout="$svn_checkout/ucs-4.2/ucs-4.2-1/doc/errata"

# Bring both working copies up to date and prepare a scratch directory
svn up "$repong_checkout"
svn up "$errata_checkout"
mkdir -p "/tmp/$USER"

# Copy the package from the Debian mirror described by the TSV file into the
# UCS 4.2 repository; --errata points at the advisory tree the run writes to
python -m univention.repong.debmirror \
       --errata "$errata_checkout" \
       --sql -vvvv --work "/tmp/$USER/work.yaml" \
       --overwrite \
       "$repong_checkout/mirror/update_ucs42_mirror_from_debian.tsv" \
       --save="/tmp/$USER/repo-debmirror.pickle" \
       --process COPY \
       --package "$debian_package"
=========================================================================

Advisory: ucs-4.2-1/doc/errata/staging/firefox-esr.yaml
Comment 3 Erik Damrose univentionstaff 2017-08-14 13:18:39 CEST
Reopen: comment 1 mentions 52.3.0esr-1~deb8u1, but the imported version is 52.2.0esr-1~deb8u1
The yaml however mentions the fixes from the 52.3 version.
Comment 4 Arvid Requate univentionstaff 2017-08-15 15:07:59 CEST
Ok, firefox-esr has a new dependency on libjsoncpp0 which was unmaintained. I've added it to svn/triggers/ucs_4.2-0-ucs4.2-1.txt and rebuilt the maintained packages lists using the corresponding Jenkins job.

For QA I've announced the scope to the test repo. In a test VM it can be activated by running:

# Load the UCR variables (version/version, version/patchlevel, ...) into the shell
eval "$(ucr shell)"
component="repository/online/component/${version_version}-${version_patchlevel}-errata-test"

# Register the errata-test component for this UCS release and enable it
ucr set "$component"/description="Preview errata updates for UCS ${version_version}-${version_patchlevel}" \
        "$component"/version="${version_version}" \
        "$component"/server=apt.knut.univention.de \
        "$component"=enabled

Possibly repository credentials are required too.
Comment 5 Arvid Requate univentionstaff 2017-08-15 15:19:15 CEST
Additional Advisory: libjsoncpp.yaml
Comment 6 Erik Damrose univentionstaff 2017-08-16 11:29:12 CEST
OK: libjsoncpp.yaml
OK: firefox-esr.yaml
OK: package installation
OK: system setup run (setup new master) with updated package
Verified