Bug 977378 - (CVE-2016-2810) VUL-0: CVE-2016-2810: MozillaFirefox: Content providers protected with signature-level permissions can be accessed by an application (MFSA 2016-41)
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All All
Priority: P5 - None
Severity: Normal
Assigned To: Security Team bot
Depends on: 977333
Reported: 2016-04-27 08:41 UTC by Andreas Stieger
Modified: 2020-04-05 18:21 UTC
Found By: Security Response Team


Description Andreas Stieger 2016-04-27 08:41:34 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-41/

Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. This issue does not occur on Android 5.0 or later versions of Android. 

Content providers protected with signature-level permissions can be accessed by an application (CVE-2016-2810)
https://bugzilla.mozilla.org/show_bug.cgi?id=1229681
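
An audit for the condition described in the advisory text above, as an added example that is not part of this bug report or of Mozilla's code: it flags permission names declared by packages signed with different certificates and lists the content providers guarded by such a permission. Package names, permission names and certificate labels are constructed placeholders, and the input is assumed to be decoded AndroidManifest.xml text paired with a signer label obtained separately.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

A = "{http://schemas.android.com/apk/res/android}"
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
P = "com.example.browser.permission."  # placeholder, not Firefox's real names
SIG = 'android:protectionLevel="signature"'

# Constructed sample: (signing-certificate label, decoded AndroidManifest.xml).
SAMPLE = [
    ("cert-A", f'<manifest {NS} package="com.example.browser">'
               f'<permission android:name="{P}DATA" {SIG}/>'
               f'<permission android:name="{P}SYNC" {SIG}/>'
               f'<application><provider android:authorities="com.example.browser.db" '
               f'android:readPermission="{P}DATA"/></application></manifest>'),
    ("cert-A", f'<manifest {NS} package="com.example.browser.beta">'
               f'<permission android:name="{P}SYNC" {SIG}/></manifest>'),
    ("cert-B", f'<manifest {NS} package="com.example.other">'
               f'<permission android:name="{P}DATA" {SIG}/></manifest>'),
]

def declarations(apps):
    """Map permission name -> [(package, signer, protectionLevel), ...]."""
    seen = defaultdict(list)
    for signer, text in apps:
        root = ET.fromstring(text)
        for perm in root.iter("permission"):
            level = perm.get(A + "protectionLevel", "normal")  # platform default
            seen[perm.get(A + "name")].append((root.get("package"), signer, level))
    return seen

def conflicts(apps):
    """Permission names declared by packages signed with different certificates."""
    return {name: decls for name, decls in declarations(apps).items()
            if len({signer for _, signer, _ in decls}) > 1}

def exposed_providers(apps):
    """Provider authorities guarded by a permission that has a conflicting declaration."""
    bad, hits = set(conflicts(apps)), []
    for _, text in apps:
        for prov in ET.fromstring(text).iter("provider"):
            keys = ("permission", "readPermission", "writePermission")
            if {prov.get(A + k) for k in keys} & bad:
                hits.append(prov.get(A + "authorities"))
    return hits

if __name__ == "__main__":
    print(conflicts(SAMPLE))
    print("providers to review:", exposed_providers(SAMPLE))
```

The SYNC permission is declared twice under the same certificate and is therefore not reported; only DATA, declared under two different certificates, is.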
Comment 1 Andreas Stieger 2016-04-27 08:43:11 UTC
This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
Comment 2 Bernhard Wiedemann 2016-04-30 08:00:49 UTC
This is an autogenerated message for OBS integration:
This bug (977378) was mentioned in
https://build.opensuse.org/request/show/392977 Factory / MozillaFirefox
https://build.opensuse.org/request/show/392978 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/392979 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/392980 13.1 / MozillaFirefox
Comment 3 Bernhard Wiedemann 2016-05-04 06:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (977378) was mentioned in
https://build.opensuse.org/request/show/393514 Factory / MozillaFirefox
Comment 4 Swamp Workflow Management 2016-05-06 14:08:37 UTC
openSUSE-SU-2016:1251-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977333,977373,977375,977376,977377,977378,977379,977380,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2809,CVE-2016-2810,CVE-2016-2811,CVE-2016-2812,CVE-2016-2813,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-46.0-113.2, mozilla-nss-3.22.3-77.1