Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: MozillaFirefox / MozillaThunderbird: update to 121 and 115.6esr | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Martin Sirringhaus <martin.sirringhaus> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | meissner, wolfgang |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Mozilla Foundation Security Advisory 2023-56
Security Vulnerabilities fixed in Firefox 121
Announced
December 19, 2023
Impact
high
Products
Firefox
Fixed in
Firefox 121
#CVE-2023-6856: Heap-buffer-overflow affecting WebGL `DrawElementsInstanced` method with Mesa VM driver
Reporter
DoHyun Lee
Impact
high
Description
The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape.
References
Bug 1843782
#CVE-2023-6135: NSS susceptible to "Minerva" attack
Reporter
George Pantela (Red Hat) and Hubert Kario (Red Hat)
Impact
high
Description
Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key.
References
Bug 1853908
#CVE-2023-6865: Potential exposure of uninitialized data in `EncryptingOutputStream`
Reporter
Jan Varga
Impact
high
Description
EncryptingOutputStream was susceptible to exposing uninitialized data. This issue could only be abused in order to write data to a local disk which may have implications for private browsing mode.
References
Bug 1864123
#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
Reporter
Jed Davis
Impact
moderate
Description
When resolving a symlink, a race may occur where the buffer passed to readlink may actually be smaller than necessary.
This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected.
References
Bug 1796023
#CVE-2023-6858: Heap buffer overflow in `nsTextFragment`
Reporter
Irvan Kurniawan
Impact
moderate
Description
Firefox was susceptible to a heap buffer overflow in nsTextFragment due to insufficient OOM handling.
References
Bug 1826791
#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
Reporter
Irvan Kurniawan
Impact
moderate
Description
A use-after-free condition affected TLS socket creation when under memory pressure.
References
Bug 1840144
#CVE-2023-6866: TypedArrays lack sufficient exception handling
Reporter
Tom Schuster
Impact
moderate
Description
TypedArrays can be fallible and lacked proper exception handling. This could lead to abuse in other APIs which expect TypedArrays to always succeed.
References
Bug 1849037
#CVE-2023-6860: Potential sandbox escape due to `VideoBridge` lack of texture validation
Reporter
Andrew Osmond
Impact
moderate
Description
The VideoBridge allowed any content process to use textures produced by remote decoders. This could be abused to escape the sandbox.
References
Bug 1854669
#CVE-2023-6867: Clickjacking permission prompts using the popup transition
Reporter
Hafiizh
Impact
moderate
Description
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.
References
Bug 1863863
#CVE-2023-6861: Heap buffer overflow affected `nsWindow::PickerOpen(void)` in headless mode
Reporter
Yangkang of 360 ATA Team
Impact
moderate
Description
The nsWindow::PickerOpen(void) method was susceptible to a heap buffer overflow when running in headless mode.
References
Bug 1864118
#CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID key
Reporter
John-Mark Gurney
Impact
moderate
Description
In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties.
This bug only affects Firefox on Android.
References
Bug 1865488
#CVE-2023-6869: Content can paint outside of sandboxed iframe
Reporter
Oriol Brufau
Impact
low
Description
A
#CVE-2023-6870: Android Toast notifications may obscure fullscreen event notifications
Reporter
Hafiizh
Impact
low
Description
Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox.
This issue only affects Android versions of Firefox and Firefox Focus.
References
Bug 1823316
#CVE-2023-6871: Lack of protocol handler warning in some instances
Reporter
Roy Gunsen
Impact
low
Description
Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler.
References
Bug 1828334
#CVE-2023-6872: Browsing history leaked to syslogs via GNOME
Reporter
honorton via Tor Browser
Impact
low
Description
Browser tab titles were being leaked by GNOME to system logs. This could potentially expose the browsing habits of users running in a private tab.
References
Bug 1849186
#CVE-2023-6863: Undefined behavior in `ShutdownObserver()`
Reporter
Ronald Crane
Impact
low
Description
The ShutdownObserver() was susceptible to potentially undefined behavior due to its reliance on a dynamic type that lacked a virtual destructor.
References
Bug 1868901
#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6
Reporter
Andrew McCreight, the Mozilla Fuzzing Team, Randell Jesup, Valentin Gosu (he/him), Karl Tomlinson
Impact
high
Description
Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6
#CVE-2023-6873: Memory safety bugs fixed in Firefox 121
Reporter
Andrew McCreight, Yury Delendik
Impact
high
Description
Memory safety bugs present in Firefox 120. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 121

SUSE-SU-2023:4912-1: An update that solves 18 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1217230, 1217974
CVE References: CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): MozillaFirefox-115.6.0-112.194.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): MozillaFirefox-115.6.0-112.194.1
SUSE Linux Enterprise Server 12 SP5 (src): MozillaFirefox-115.6.0-112.194.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): MozillaFirefox-115.6.0-112.194.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4929-1: An update that solves 18 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1217230, 1217974
CVE References: CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867
Sources used:
SUSE CaaS Platform 4.0 (src): MozillaFirefox-115.6.0-150000.150.119.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.6.0-150000.150.119.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.6.0-150000.150.119.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): MozillaFirefox-115.6.0-150000.150.119.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4928-1: An update that solves 18 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1217230, 1217974
CVE References: CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867
Sources used:
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Enterprise Storage 7.1 (src): MozillaFirefox-115.6.0-150200.152.120.1
openSUSE Leap 15.4 (src): MozillaFirefox-115.6.0-150200.152.120.1
openSUSE Leap 15.5 (src): MozillaFirefox-115.6.0-150200.152.120.1
Desktop Applications Module 15-SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
Desktop Applications Module 15-SP5 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Real Time 15 SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-115.6.0-150200.152.120.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): MozillaFirefox-115.6.0-150200.152.120.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This is an autogenerated message for OBS integration:
This bug (1217974) was mentioned in
https://build.opensuse.org/request/show/1134603 Factory / MozillaFirefox

SUSE-SU-2024:0044-1: An update that solves 11 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1217974
CVE References: CVE-2023-50761, CVE-2023-50762, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864
Sources used:
openSUSE Leap 15.5 (src): MozillaThunderbird-115.6.0-150200.8.142.2
SUSE Package Hub 15 15-SP5 (src): MozillaThunderbird-115.6.0-150200.8.142.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): MozillaThunderbird-115.6.0-150200.8.142.2
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): MozillaThunderbird-115.6.0-150200.8.142.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

done

Security Vulnerabilities fixed in Firefox ESR 115.6
Announced
December 19, 2023
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 115.6
#CVE-2023-6856: Heap-buffer-overflow affecting WebGL `DrawElementsInstanced` method with Mesa VM driver
Reporter
DoHyun Lee
Impact
high
Description
The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape.
References
Bug 1843782
#CVE-2023-6865: Potential exposure of uninitialized data in `EncryptingOutputStream`
Reporter
Jan Varga
Impact
high
Description
EncryptingOutputStream was susceptible to exposing uninitialized data. This issue could only be abused in order to write data to a local disk which may have implications for private browsing mode.
References
Bug 1864123
#CVE-2023-6857: Symlinks may resolve to smaller than expected buffers
Reporter
Jed Davis
Impact
moderate
Description
When resolving a symlink, a race may occur where the buffer passed to readlink may actually be smaller than necessary.
This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected.
References
Bug 1796023
#CVE-2023-6858: Heap buffer overflow in `nsTextFragment`
Reporter
Irvan Kurniawan
Impact
moderate
Description
Firefox was susceptible to a heap buffer overflow in nsTextFragment due to insufficient OOM handling.
References
Bug 1826791
#CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer
Reporter
Irvan Kurniawan
Impact
moderate
Description
A use-after-free condition affected TLS socket creation when under memory pressure.
References
Bug 1840144
#CVE-2023-6860: Potential sandbox escape due to `VideoBridge` lack of texture validation
Reporter
Andrew Osmond
Impact
moderate
Description
The VideoBridge allowed any content process to use textures produced by remote decoders. This could be abused to escape the sandbox.
References
Bug 1854669
#CVE-2023-6867: Clickjacking permission prompts using the popup transition
Reporter
Hafiizh
Impact
moderate
Description
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear.
References
Bug 1863863
#CVE-2023-6861: Heap buffer overflow affected `nsWindow::PickerOpen(void)` in headless mode
Reporter
Yangkang of 360 ATA Team
Impact
moderate
Description
The nsWindow::PickerOpen(void) method was susceptible to a heap buffer overflow when running in headless mode.
References
Bug 1864118
#CVE-2023-6862: Use-after-free in `nsDNSService`
Reporter
Randell Jesup
Impact
moderate
Description
A use-after-free was identified in the nsDNSService::Init. This issue appears to manifest rarely during start-up.
References
Bug 1868042
#CVE-2023-6863: Undefined behavior in `ShutdownObserver()`
Reporter
Ronald Crane
Impact
low
Description
The ShutdownObserver() was susceptible to potentially undefined behavior due to its reliance on a dynamic type that lacked a virtual destructor.
References
Bug 1868901
#CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6
Reporter
Andrew McCreight, the Mozilla Fuzzing Team, Karl Tomlinson, Valentin Gosu, Randell Jesup, Yury Delendik
Impact
high
Description
Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6