Bug 963632 (CVE-2016-1930)

Summary: VUL-0: CVE-2016-1930: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 38.6 and Firefox 44
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Petr Cerny <pcerny>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: astieger, cgrobertson, meissner, pcerny, security-team, wolfgang
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard: CVSSv2:RedHat:CVE-2016-1930:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-1930:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1930:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) maint:released:sle10-sp3:62467
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 963520
Bug Blocks:

Description Andreas Stieger 2016-01-26 18:03:59 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. 

References:
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1230483,1233152,1233925,1234280,1233346,1221385,1223670,1230639,1230668,1230686,1224200,1234571
Comment 1 Andreas Stieger 2016-01-26 18:46:10 UTC
Considering the description, common precautions and use of MozillaFirefox ESR, rating as important/major.
Comment 2 Swamp Workflow Management 2016-01-26 18:50:32 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-02-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62466
Comment 3 Swamp Workflow Management 2016-02-02 01:14:33 UTC
openSUSE-SU-2016:0310-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 963632,963635
CVE References: CVE-2016-1930,CVE-2016-1935
Sources used:
openSUSE Leap 42.1 (src):    xulrunner-38.6.0-10.2
Comment 4 Swamp Workflow Management 2016-02-04 18:12:37 UTC
SUSE-SU-2016:0334-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 954447,963520,963632,963635,963731
CVE References: CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
Comment 5 Swamp Workflow Management 2016-02-04 18:16:39 UTC
SUSE-SU-2016:0338-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 954447,963520,963632,963635,963731,964332
CVE References: CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-38.6.0esr-57.3, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Software Development Kit 12 (src):    MozillaFirefox-38.6.0esr-57.3, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Server 12 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Desktop 12 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
Comment 6 Swamp Workflow Management 2016-02-17 11:14:53 UTC
openSUSE-SU-2016:0492-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 963520,963632,963635
CVE References: CVE-2016-1930,CVE-2016-1935
Sources used:
openSUSE Leap 42.1 (src):    MozillaThunderbird-38.6.0-10.1
openSUSE 13.2 (src):    MozillaThunderbird-38.6.0-37.1
Comment 7 Swamp Workflow Management 2016-02-25 19:13:51 UTC
SUSE-SU-2016:0584-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 954447,959888,963520,963632,963635,963731,967087
CVE References: CVE-2015-7575,CVE-2016-1523,CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    MozillaFirefox-38.6.1esr-33.1, MozillaFirefox-branding-SLED-38-15.58, mozilla-nss-3.20.2-17.5
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    MozillaFirefox-38.6.1esr-33.1, mozilla-nss-3.20.2-17.5
Comment 8 Marcus Meissner 2016-03-02 10:17:40 UTC
released