Subject: CVS commit: pkgsrc/www/firefox52
From: Ryo ONODERA
Date: 2017-08-19 06:13:51
Message id: 20170819041351.A5F05FAD0@cvs.NetBSD.org
Log Message:
Update to 52.3.0
Changelog:
#CVE-2017-7798: XUL injection in the style editor in devtools
Reporter
Frederik Braun
Impact
critical
Description
The Developer Tools feature suffers from a XUL injection vulnerability due to \
improper sanitization of the web page source code. In the worst case, this could \
allow arbitrary code execution when opening a malicious page with the style \
editor tool.
References
Bug 1371586, 1372112
#CVE-2017-7800: Use-after-free in WebSockets during disconnection
Reporter
Looben Yang
Impact
critical
Description
A use-after-free vulnerability can occur in WebSockets when the object holding \
the connection is freed before the disconnection operation is finished. This \
results in an exploitable crash.
References
Bug 1374047
#CVE-2017-7801: Use-after-free with marquee during window resizing
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur while re-computing layout for a marquee \
element during window resizing where the updated style object is freed while \
still in use. This results in a potentially exploitable crash.
References
Bug 1371259
#CVE-2017-7809: Use-after-free while deleting attached editor DOM node
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when an editor DOM node is deleted \
prematurely during tree traversal while still bound to the document. This \
results in a potentially exploitable crash.
References
Bug 1380284
#CVE-2017-7784: Use-after-free with image observers
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when reading an image observer during \
frame reconstruction after the observer has been freed. This results in a \
potentially exploitable crash.
References
Bug 1376087
#CVE-2017-7802: Use-after-free resizing image elements
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating the DOM during the \
resize event of an image element. If these elements have been freed due to a \
lack of strong references, a potentially exploitable crash may occur when the \
freed elements are accessed.
References
Bug 1378147
#CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when manipulating Accessible Rich Internet \
Applications (ARIA) attributes within the DOM. This results in a potentially \
exploitable crash.
References
Bug 1356985
#CVE-2017-7786: Buffer overflow while painting non-displayable SVG
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when the image renderer attempts to paint \
non-displayable SVG elements. This results in a potentially exploitable crash.
References
Bug 1365189
#CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
Reporter
SkyLined
Impact
high
Description
An out-of-bounds read occurs when applying style rules to pseudo-elements, such \
as ::first-line, using cached style data.
References
Bug 1353312
#CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
Reporter
Oliver Wagner
Impact
high
Description
Same-origin policy protections can be bypassed on pages with embedded iframes \
during page reloads, allowing the iframes to access content on the top level \
page, leading to information disclosure.
References
Bug 1322896
#CVE-2017-7807: Domain hijacking through AppCache fallback
Reporter
Mathias Karlsson
Impact
high
Description
A mechanism that uses AppCache to hijack a URL in a domain using fallback by \
serving the files from a sub-path on the domain. This has been addressed by \
requiring fallback files be inside the manifest directory.
References
Bug 1376459
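The fix described above, requiring that FALLBACK entries resolve to a location inside the manifest's own directory, is a containment check a site operator can also apply to their own manifests before publishing them. The following is an added example, not Firefox's code and not from the pkgsrc commit; `fallback_allowed`, `audit_fallbacks`, the hypothetical manifest URL `https://example.test/app/cache.manifest` and the sample manifest text are all constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin, unquote
import posixpath

# Section headers recognised in an AppCache manifest.
SECTION_HEADERS = {"CACHE:": "CACHE", "FALLBACK:": "FALLBACK",
                   "NETWORK:": "NETWORK", "SETTINGS:": "SETTINGS"}


def fallback_allowed(manifest_url: str, fallback_ref: str) -> bool:
    """Hypothetical containment check: does the fallback entry resolve to a URL
    on the same origin and inside the directory that holds the manifest?"""
    base = urlsplit(manifest_url)
    # urljoin resolves relative references and removes "." and ".." segments.
    resolved = urlsplit(urljoin(manifest_url, fallback_ref))
    # A different scheme, host or port is never "inside" the manifest directory.
    if (resolved.scheme, resolved.netloc) != (base.scheme, base.netloc):
        return False
    manifest_dir = posixpath.dirname(base.path)
    if not manifest_dir.endswith("/"):
        manifest_dir += "/"
    # Decode percent-encoding first so "%2e%2e" cannot pass as a literal segment,
    # then collapse any dot segments that remain. This is deliberately strict.
    path = posixpath.normpath(unquote(resolved.path))
    # The trailing slash on the prefix stops "/app" from matching "/application".
    return path.startswith(manifest_dir) or path + "/" == manifest_dir


def audit_fallbacks(manifest_url: str, manifest_text: str) -> list:
    """Parse the FALLBACK: section of an AppCache manifest and report, per entry,
    (namespace, fallback, allowed) using fallback_allowed."""
    lines = manifest_text.splitlines()
    if not lines or lines[0].strip() != "CACHE MANIFEST":
        raise ValueError("not an AppCache manifest: missing CACHE MANIFEST line")
    section = "CACHE"          # entries before any header are explicit cache entries
    findings = []
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue           # blank line or comment
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if section != "FALLBACK":
            continue
        fields = line.split()
        if len(fields) != 2:
            continue           # malformed fallback line; browsers skip these too
        namespace, fallback = fields
        findings.append((namespace, fallback,
                         fallback_allowed(manifest_url, fallback)))
    return findings


# Constructed sample: a manifest under /app/ with one well-formed fallback and one
# that points outside the manifest directory.
SAMPLE_MANIFEST_URL = "https://example.test/app/cache.manifest"
SAMPLE_MANIFEST = """CACHE MANIFEST
# version 1
CACHE:
/app/index.html
FALLBACK:
/app/ /app/offline.html
/ ../login/index.html
NETWORK:
*
"""

if __name__ == "__main__":
    for namespace, fallback, ok in audit_fallbacks(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST):
        print(f"{'ok    ' if ok else 'REJECT'} {namespace} -> {fallback}")
```

The check rejects cross-origin targets, parent-directory traversal (including percent-encoded dots) and sibling directories that merely share a name prefix; the second sample entry is reported as rejected because it resolves to `/login/index.html`, outside `/app/`.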
#CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
Reporter
Fraser Tweedale
Impact
high
Description
A buffer overflow will occur when viewing a certificate in the certificate \
manager if the certificate has an extremely long object identifier (OID). This \
results in a potentially exploitable crash.
References
Bug 1368652
#CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
Reporter
Stephen Fewer
Impact
high
Description
The destructor function for the WindowsDllDetourPatcher class can be re-purposed \
by malicious code in concert with another vulnerability to write arbitrary data \
to an attacker controlled location in memory. This can be used to bypass \
existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating \
systems are not affected.
References
Bug 1372849
#CVE-2017-7791: Spoofing following page navigation with data: protocol and modal \
alerts
Reporter
Jose María Acuña
Impact
moderate
Description
On pages containing an iframe, the data: protocol can be used to create a modal \
alert that will render over arbitrary domains following page navigation, \
spoofing of the origin of the modal alert from the iframe content.
References
Bug 1365875
#CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
Reporter
Arthur Edelstein
Impact
moderate
Description
An error in the WindowsDllDetourPatcher where a RWX \
("Read/Write/Execute") 4k block is allocated but never protected, \
violating DEP.
Note: This attack only affects Windows operating systems. Other operating \
systems are not affected.
References
Bug 1344034
#CVE-2017-7803: CSP containing 'sandbox' improperly applied
Reporter
Rhys Enniks
Impact
moderate
Description
When a page's Content Security Policy (CSP) contains a 'sandbox' directive, \
other directives are ignored. This results in the incorrect enforcement of CSP.
References
Bug 1377426
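The correct behaviour that the entry above contrasts with is that `sandbox` is enforced in addition to the fetch directives, never instead of them. The following is an added example, not Firefox's CSP implementation and not from the pkgsrc commit: a small CSP header parser and a source-list evaluator whose answers do not change when a `sandbox` directive is present. `parse_csp`, `is_allowed`, `sandbox_flags`, the sample header and the `example.test` origins are constructed for illustration; matching is simplified (keywords, `*`, scheme-source and host-source with a `*.` wildcard and optional port; no path, nonce or hash sources).

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [tokens]}.
    Directive names are case-insensitive and a repeated directive is ignored
    (first occurrence wins), as the CSP spec requires."""
    policy = {}
    for chunk in header.split(";"):
        fields = chunk.split()
        if not fields:
            continue
        policy.setdefault(fields[0].lower(), fields[1:])
    return policy


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Simplified source-expression matching (hypothetical helper)."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source == "*":
        return True
    o = urlsplit(origin)
    if source.endswith(":"):                       # scheme-source such as "https:"
        return o.scheme == source[:-1]
    scheme, sep, rest = source.partition("://")
    if not sep:                                    # no scheme: same scheme as the page
        scheme, rest = urlsplit(page_origin).scheme, source
    host, _, port = rest.partition(":")
    if scheme != o.scheme:
        return False
    if host.startswith("*."):
        host_ok = (o.hostname or "").endswith(host[1:])
    else:
        host_ok = (o.hostname or "") == host
    port_ok = not port or (o.port is not None and str(o.port) == port)
    return host_ok and port_ok


def is_allowed(policy: dict, directive: str, origin: str, page_origin: str) -> bool:
    """Decide whether a load governed by `directive` (script-src, img-src, ...)
    from `origin` is permitted. A missing directive falls back to default-src;
    with neither present the load is allowed. The sandbox directive is not
    consulted here on purpose: it restricts document capabilities on top of
    the source lists and must never suppress them."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_matches(s, origin, page_origin) for s in sources)


def sandbox_flags(policy: dict):
    """Sandbox flags requested by the policy (empty set = fully sandboxed),
    or None when the policy has no sandbox directive."""
    return set(policy["sandbox"]) if "sandbox" in policy else None


# Constructed sample header: fetch directives plus a sandbox directive.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.test; "
              "img-src *; sandbox allow-scripts allow-forms")
PAGE = "https://app.example.test"

if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    print("sandbox flags:", sandbox_flags(policy))
    for directive, origin in [("script-src", "https://cdn.example.test"),
                              ("script-src", "https://evil.test"),
                              ("frame-src", "https://evil.test"),
                              ("img-src", "https://evil.test")]:
        verdict = is_allowed(policy, directive, origin, PAGE)
        print(f"{directive:10s} {origin:26s} allowed={verdict}")
```

Running the block shows `frame-src` falling back to `default-src 'self'` and `script-src` rejecting the non-listed origin, with the same verdicts whether or not the `sandbox` directive is in the header; a policy where those verdicts loosen once `sandbox` appears is exhibiting the defect the entry above describes.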
#CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald \
Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van \
Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and \
Andi-Bogdan Postelnicu reported memory safety bugs. We presume that with enough \
effort some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
Files: