Bug 1015541 (CVE-2016-9893)

Summary: VUL-0: CVE-2016-9893: MozillaFirefox: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Petr Cerny <pcerny>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-9894:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9905:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9900:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-9897:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9898:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9902:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-9899:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9899:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9897:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9893:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9900:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2016-9903:0.0:(AV:N/AC:H/Au:M/C:N/I:N/A:N) CVSSv2:SUSE:CVE-2016-9901:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9896:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9905:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9893:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9898:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9080:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9895:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-9902:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9895:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:SUSE:CVE-2016-9904:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-9901:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-9904:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv3:RedHat:CVE-2016-9898:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2016-9902:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2016-9900:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2016-9893:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2016-9905:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2016-9899:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2016-9904:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2016-9901:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2016-9895:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2016-9897:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv2:NVD:CVE-2016-9080:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-9893:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-9894:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-9895:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2016-9896:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-9897:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-9898:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-9899:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-9900:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2016-9901:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-9902:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2016-9903:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2016-9904:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2016-9905:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2016-9080:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-9893:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-9894:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2016-9895:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSSv3:NVD:CVE-2016-9896:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-9897:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2016-9898:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-9899:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-9900:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3:NVD:CVE-2016-9901:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-9902:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVSSv3:NVD:CVE-2016-9903:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSSv3:NVD:CVE-2016-9904:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3:NVD:CVE-2016-9905:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1015422    

Description Marcus Meissner 2016-12-14 13:27:06 UTC
Security vulnerabilities fixed in Firefox 50.1
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/

Discovered by: Mozilla developers
Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1319524%2C1298773%2C1299098%2C1309834%2C1312609%2C1313212%2C1317805%2C1312548%2C1315631%2C1287912
Comment 1 Swamp Workflow Management 2016-12-14 23:02:56 UTC
bugbot adjusting priority
Comment 2 Petr Cerny 2017-08-10 14:52:30 UTC
Released
Comment 3 Petr Cerny 2017-08-10 14:54:52 UTC
Released.