Bug 1010426 - (CVE-2016-5289) VUL-0: CVE-2016-5289: MozillaFirefox: Memory safety bugs fixed in Firefox 50
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
Priority: P3 - Medium
Severity: Critical
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2016-5289:6.8:(AV:N/A...
Depends on:
Blocks: 1009026
Reported: 2016-11-16 09:42 UTC by Johannes Segitz
Modified: 2019-10-31 15:50 UTC (History)
Description Johannes Segitz 2016-11-16 09:42:01 UTC
Security vulnerabilities fixed in Firefox 50
https://www.mozilla.org/security/announce/2016/mfsa2016-89.html

Discovered by: Mozilla developers
Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1296649%2C1298107%2C1300129%2C1305876%2C1314667%2C1301252%2C1277866%2C1307254%2C1252511%2C1264053
Comment 1 Swamp Workflow Management 2016-11-16 23:02:50 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-11-17 15:56:11 UTC
This issue is fixed in MozillaFirefox 50 (openSUSE) only, not Mozilla Firefox ESR (SLE)
Comment 3 Andreas Stieger 2016-11-18 12:27:15 UTC
Releasing Mozilla Firefox 50.
My understanding is that this issue is exclusive to 50 and not ESR, Thunderbird or Seamonkey: closing
Comment 4 Swamp Workflow Management 2016-11-18 16:10:03 UTC
openSUSE-SU-2016:2861-1: An update that fixes 19 vulnerabilities is now available.

Category: security (important)
Bug References: 1009026,1010395,1010399,1010401,1010402,1010404,1010405,1010406,1010408,1010409,1010410,1010420,1010421,1010422,1010423,1010424,1010425,1010426,1010427
CVE References: CVE-2016-5289,CVE-2016-5290,CVE-2016-5291,CVE-2016-5292,CVE-2016-5296,CVE-2016-5297,CVE-2016-9063,CVE-2016-9064,CVE-2016-9066,CVE-2016-9067,CVE-2016-9068,CVE-2016-9069,CVE-2016-9070,CVE-2016-9071,CVE-2016-9073,CVE-2016-9074,CVE-2016-9075,CVE-2016-9076,CVE-2016-9077
Sources used:
openSUSE Leap 42.2 (src):    MozillaFirefox-50.0-39.2, mozilla-nss-3.26.2-32.1
openSUSE Leap 42.1 (src):    MozillaFirefox-50.0-39.1, mozilla-nss-3.26.2-32.1
openSUSE 13.2 (src):    MozillaFirefox-50.0-88.1, mozilla-nss-3.26.2-49.1
Comment 6 Swamp Workflow Management 2019-10-31 11:18:44 UTC
SUSE-SU-2019:2872-1: An update that fixes 51 vulnerabilities is now available.

Category: security (important)
Bug References: 1010399,1010405,1010406,1010408,1010409,1010421,1010423,1010424,1010425,1010426,1025108,1043008,1047281,1074235,1092611,1120374,1137990,1149429,1154738,959933,983922
CVE References: CVE-2016-2830,CVE-2016-5289,CVE-2016-5292,CVE-2016-9063,CVE-2016-9067,CVE-2016-9068,CVE-2016-9069,CVE-2016-9071,CVE-2016-9073,CVE-2016-9075,CVE-2016-9076,CVE-2016-9077,CVE-2017-7789,CVE-2018-5150,CVE-2018-5151,CVE-2018-5152,CVE-2018-5153,CVE-2018-5154,CVE-2018-5155,CVE-2018-5157,CVE-2018-5158,CVE-2018-5159,CVE-2018-5160,CVE-2018-5163,CVE-2018-5164,CVE-2018-5165,CVE-2018-5166,CVE-2018-5167,CVE-2018-5168,CVE-2018-5169,CVE-2018-5172,CVE-2018-5173,CVE-2018-5174,CVE-2018-5175,CVE-2018-5176,CVE-2018-5177,CVE-2018-5178,CVE-2018-5179,CVE-2018-5180,CVE-2018-5181,CVE-2018-5182,CVE-2018-5183,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Enterprise Storage 5 (src):    MozillaFirefox-68.2.0-109.95.2
HPE Helion Openstack 8 (src):    MozillaFirefox-68.2.0-109.95.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.