Bug 1021824 (CVE-2017-5373)

Summary: VUL-0: CVE-2017-5373: MozillaFirefox: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Petr Cerny <pcerny>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: wolfgang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:NVD:CVE-2017-5373:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5373:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5373:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2017-5373:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-5373:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) maint:released:oes2015:63395 maint:running:63380:important
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1021991

Description Andreas Stieger 2017-01-25 09:07:29 UTC
Security vulnerabilities fixed in Firefox ESR 45.7, Firefox 51
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

Discovered by: Mozilla developers and community
Mozilla developers and community members Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom Schuster, and Oriol reported memory safety bugs present in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1322315%2C1328834%2C1322420%2C1285833%2C1285960%2C1328251%2C1331058%2C1325938%2C1325877
Comment 1 Andreas Stieger 2017-01-25 09:13:44 UTC
Firefox on SLE and openSUSE, cc openSUSE maintainer
Comment 2 Bernhard Wiedemann 2017-01-25 21:01:36 UTC
This is an autogenerated message for OBS integration:
This bug (1021824) was mentioned in
https://build.opensuse.org/request/show/452490 42.1+42.2+Backports:SLE-12 / MozillaThunderbird
Comment 3 Bernhard Wiedemann 2017-01-26 11:03:51 UTC
This is an autogenerated message for OBS integration:
This bug (1021824) was mentioned in
https://build.opensuse.org/request/show/452598 Factory / MozillaThunderbird
Comment 4 Bernhard Wiedemann 2017-01-27 15:03:38 UTC
This is an autogenerated message for OBS integration:
This bug (1021824) was mentioned in
https://build.opensuse.org/request/show/452961 42.1+42.2+Backports:SLE-12 / MozillaThunderbird
Comment 5 Swamp Workflow Management 2017-02-01 23:09:59 UTC
openSUSE-SU-2017:0354-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-45.7.0-23.1
Comment 6 Swamp Workflow Management 2017-02-01 23:12:51 UTC
openSUSE-SU-2017:0357-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396
Sources used:
openSUSE Leap 42.2 (src):    MozillaThunderbird-45.7.0-34.1
openSUSE Leap 42.1 (src):    MozillaThunderbird-45.7.0-34.1
Comment 7 Swamp Workflow Management 2017-02-01 23:14:55 UTC
openSUSE-SU-2017:0358-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1017174,1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021826,1021827,1021828,1021830,1021831,1021832,1021833,1021835,1021837,1021839,1021840,1021841
CVE References: CVE-2017-5373,CVE-2017-5374,CVE-2017-5375,CVE-2017-5376,CVE-2017-5377,CVE-2017-5378,CVE-2017-5379,CVE-2017-5380,CVE-2017-5381,CVE-2017-5382,CVE-2017-5383,CVE-2017-5384,CVE-2017-5385,CVE-2017-5386,CVE-2017-5387,CVE-2017-5388,CVE-2017-5389,CVE-2017-5390,CVE-2017-5391,CVE-2017-5392,CVE-2017-5393,CVE-2017-5394,CVE-2017-5395,CVE-2017-5396
Sources used:
openSUSE Leap 42.2 (src):    MozillaFirefox-51.0.1-50.2
openSUSE Leap 42.1 (src):    MozillaFirefox-51.0.1-50.2
Comment 8 Swamp Workflow Management 2017-02-08 17:12:13 UTC
SUSE-SU-2017:0426-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396
Sources used:
SUSE OpenStack Cloud 5 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Manager Proxy 2.1 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Manager 2.1 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-45.7.0esr-65.2
Comment 9 Swamp Workflow Management 2017-02-09 02:09:20 UTC
SUSE-SU-2017:0427-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server for SAP 12 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server 12-LTSS (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-45.7.0esr-99.1
Comment 10 Marcus Meissner 2017-10-24 13:19:26 UTC
released