Bug 1021818 - (CVE-2017-5378) VUL-0: CVE-2017-5378: MozillaFirefox: Pointer and frame data leakage of Javascript objects
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Petr Cerny
Security Team bot
CVSSv2:NVD:CVE-2017-5378:5.0:(AV:N/AC...
Depends on:
Blocks: 1021991
Reported: 2017-01-25 09:06 UTC by Andreas Stieger
Modified: 2020-05-12 17:59 UTC (History)

Found By: Security Response Team
Description Andreas Stieger 2017-01-25 09:06:39 UTC
Security vulnerabilities fixed in Firefox ESR 45.7, Firefox 51
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

Discovered by: Jann Horn
Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object’s address can be discovered through hash codes, and also allows for data leakage of an object’s content using these hash codes.

https://bugzilla.mozilla.org/show_bug.cgi?id=1312001
https://bugzilla.mozilla.org/show_bug.cgi?id=1330769
Comment 1 Andreas Stieger 2017-01-25 09:13:42 UTC
Firefox on SLE and openSUSE, cc openSUSE maintainer
Comment 2 Bernhard Wiedemann 2017-01-25 11:01:11 UTC
This is an autogenerated message for OBS integration:
This bug (1021818) was mentioned in
https://build.opensuse.org/request/show/452370 Factory / MozillaFirefox
https://build.opensuse.org/request/show/452371 42.2 / MozillaFirefox
https://build.opensuse.org/request/show/452372 42.1 / MozillaFirefox
Comment 3 Bernhard Wiedemann 2017-01-25 21:01:04 UTC
This is an autogenerated message for OBS integration:
This bug (1021818) was mentioned in
https://build.opensuse.org/request/show/452490 42.1+42.2+Backports:SLE-12 / MozillaThunderbird
Comment 4 Bernhard Wiedemann 2017-01-26 11:03:17 UTC
This is an autogenerated message for OBS integration:
This bug (1021818) was mentioned in
https://build.opensuse.org/request/show/452598 Factory / MozillaThunderbird
Comment 5 Bernhard Wiedemann 2017-01-27 15:03:12 UTC
This is an autogenerated message for OBS integration:
This bug (1021818) was mentioned in
https://build.opensuse.org/request/show/452961 42.1+42.2+Backports:SLE-12 / MozillaThunderbird
Comment 6 Bernhard Wiedemann 2017-01-27 19:02:23 UTC
This is an autogenerated message for OBS integration:
This bug (1021818) was mentioned in
https://build.opensuse.org/request/show/453010 Factory / MozillaFirefox
Comment 7 Swamp Workflow Management 2017-02-01 23:09:07 UTC
openSUSE-SU-2017:0354-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-45.7.0-23.1
Comment 8 Swamp Workflow Management 2017-02-01 23:12:03 UTC
openSUSE-SU-2017:0357-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396
Sources used:
openSUSE Leap 42.2 (src):    MozillaThunderbird-45.7.0-34.1
openSUSE Leap 42.1 (src):    MozillaThunderbird-45.7.0-34.1
Comment 9 Swamp Workflow Management 2017-02-01 23:13:50 UTC
openSUSE-SU-2017:0358-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1017174,1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021826,1021827,1021828,1021830,1021831,1021832,1021833,1021835,1021837,1021839,1021840,1021841
CVE References: CVE-2017-5373,CVE-2017-5374,CVE-2017-5375,CVE-2017-5376,CVE-2017-5377,CVE-2017-5378,CVE-2017-5379,CVE-2017-5380,CVE-2017-5381,CVE-2017-5382,CVE-2017-5383,CVE-2017-5384,CVE-2017-5385,CVE-2017-5386,CVE-2017-5387,CVE-2017-5388,CVE-2017-5389,CVE-2017-5390,CVE-2017-5391,CVE-2017-5392,CVE-2017-5393,CVE-2017-5394,CVE-2017-5395,CVE-2017-5396
Sources used:
openSUSE Leap 42.2 (src):    MozillaFirefox-51.0.1-50.2
openSUSE Leap 42.1 (src):    MozillaFirefox-51.0.1-50.2
Comment 10 Swamp Workflow Management 2017-02-08 17:11:05 UTC
SUSE-SU-2017:0426-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396
Sources used:
SUSE OpenStack Cloud 5 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Manager Proxy 2.1 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Manager 2.1 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-45.7.0esr-65.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-45.7.0esr-65.2
Comment 11 Swamp Workflow Management 2017-02-09 02:08:15 UTC
SUSE-SU-2017:0427-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1021814,1021817,1021818,1021819,1021820,1021821,1021822,1021823,1021824,1021991
CVE References: CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server for SAP 12 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Server 12-LTSS (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    MozillaFirefox-45.7.0esr-99.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-45.7.0esr-99.1
Comment 12 Marcus Meissner 2017-10-24 13:16:10 UTC
released