Bug 966438 (CVE-2016-1949)

Summary: VUL-0: CVE-2016-1949: MozillaFirefox: MFSA2016-13: Same-origin-policy violation using Service Workers with plugins
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Petr Cerny <pcerny>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: astieger, smash_bz, wolfgang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/161849/
Whiteboard: CVSSv2:RedHat:CVE-2016-1949:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-1949:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2016-02-12 09:44:56 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/

Same-origin-policy violation using Service Workers with plugins

Announced: February 11, 2016
Reporter:  Jason Pang
Impact:    Critical
Products:  Firefox
Fixed in:  Firefox 44.0.2

Description:
Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

References:
NPAPI-initiated network requests can be intercepted by service workers breaking plugin origin expectations (CVE-2016-1949)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1306856
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1949
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1949.html
Comment 1 Swamp Workflow Management 2016-02-12 23:00:39 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2016-02-16 10:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (966438) was mentioned in
https://build.opensuse.org/request/show/359592 13.1 / MozillaFirefox
Comment 3 Andreas Stieger 2016-02-17 07:07:49 UTC
releasing update
Comment 4 Swamp Workflow Management 2016-02-17 11:11:45 UTC
openSUSE-SU-2016:0489-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 966438
CVE References: CVE-2016-1949
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-44.0.2-15.2
openSUSE 13.2 (src):    MozillaFirefox-44.0.2-62.1
Comment 5 Petr Cerny 2016-02-17 15:25:21 UTC
Firefox 38.x ESR is not affected by this one (it is by bug 965810 though)
Comment 6 Swamp Workflow Management 2016-02-24 11:11:43 UTC
openSUSE-SU-2016:0553-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 966438
CVE References: CVE-2016-1949
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-44.0.2-106.1
Comment 7 Bernhard Wiedemann 2016-02-26 23:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (966438) was mentioned in
https://build.opensuse.org/request/show/362048 Factory / MozillaFirefox