Bug 977378 – VUL-0: CVE-2016-2810: MozillaFirefox: Content providers protected with signature-level permissions can be accessed by an application (MFSA 2016-41)

Bug 977378 - (CVE-2016-2810) VUL-0: CVE-2016-2810: MozillaFirefox: Content providers protected with signature-level permissions can be accessed by an application (MFSA 2016-41)

(CVE-2016-2810)
Summary:	VUL-0: CVE-2016-2810: MozillaFirefox: Content providers protected with signat...

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	All All

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:	977333
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-04-27 08:41 UTC by Andreas Stieger
Modified:	2020-04-05 18:21 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-04-27 08:41:34 UTC

https://www.mozilla.org/en-US/security/advisories/mfsa2016-41/

Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. This issue does not occur on Android 5.0 or later versions of Android. 

Content providers protected with signature-level permissions can be accessed by an application (CVE-2016-2810)
https://bugzilla.mozilla.org/show_bug.cgi?id=1229681

Comment 1 Andreas Stieger 2016-04-27 08:43:11 UTC

This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

Comment 2 Bernhard Wiedemann 2016-04-30 08:00:49 UTC

This is an autogenerated message for OBS integration:
This bug (977378) was mentioned in
https://build.opensuse.org/request/show/392977 Factory / MozillaFirefox
https://build.opensuse.org/request/show/392978 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/392979 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/392980 13.1 / MozillaFirefox

Comment 3 Bernhard Wiedemann 2016-05-04 06:00:37 UTC

This is an autogenerated message for OBS integration:
This bug (977378) was mentioned in
https://build.opensuse.org/request/show/393514 Factory / MozillaFirefox

Comment 4 Swamp Workflow Management 2016-05-06 14:08:37 UTC

openSUSE-SU-2016:1251-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977333,977373,977375,977376,977377,977378,977379,977380,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2809,CVE-2016-2810,CVE-2016-2811,CVE-2016-2812,CVE-2016-2813,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-46.0-113.2, mozilla-nss-3.22.3-77.1