Subject: CVS commit: pkgsrc/www/firefox52
From: Ryo ONODERA
Date: 2017-08-19 06:13:51
Message id: 20170819041351.A5F05FAD0@cvs.NetBSD.org

Log Message:
Update to 52.3.0

Changelog:
#CVE-2017-7798: XUL injection in the style editor in devtools

Reporter
    Frederik Braun
Impact
    critical

Description

The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool.
References

    Bug 1371586, 1372112

#CVE-2017-7800: Use-after-free in WebSockets during disconnection

Reporter
    Looben Yang
Impact
    critical

Description

A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.
References

    Bug 1374047

#CVE-2017-7801: Use-after-free with marquee during window resizing

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.
References

    Bug 1371259

#CVE-2017-7809: Use-after-free while deleting attached editor DOM node

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
References

    Bug 1380284

#CVE-2017-7784: Use-after-free with image observers

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.
References

    Bug 1376087

#CVE-2017-7802: Use-after-free resizing image elements

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.
References

    Bug 1378147

#CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM

Reporter
    Nils
Impact
    high

Description

A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.
References

    Bug 1356985

#CVE-2017-7786: Buffer overflow while painting non-displayable SVG

Reporter
    Nils
Impact
    high

Description

A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.
References

    Bug 1365189

#CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements

Reporter
    SkyLined
Impact
    high

Description

An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
References

    Bug 1353312

#CVE-2017-7787: Same-origin policy bypass with iframes through page reloads

Reporter
    Oliver Wagner
Impact
    high

Description

Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure.
References

    Bug 1322896

#CVE-2017-7807: Domain hijacking through AppCache fallback

Reporter
    Mathias Karlsson
Impact
    high

Description

A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.
References

    Bug 1376459

#CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID

Reporter
    Fraser Tweedale
Impact
    high

Description

A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.
References

    Bug 1368652

#CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher

Reporter
    Stephen Fewer
Impact
    high

Description

The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1372849

#CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts

Reporter
    Jose María Acuña
Impact
    moderate

Description

On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content.
References

    Bug 1365875

#CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections

Reporter
    Arthur Edelstein
Impact
    moderate

Description

An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References

    Bug 1344034

#CVE-2017-7803: CSP containing 'sandbox' improperly applied

Reporter
    Rhys Enniks
Impact
    moderate

Description

When a page's content security policy (CSP) header contains a 'sandbox' directive, other directives are ignored. This results in the incorrect enforcement of CSP.
References

    Bug 1377426

#CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Files:
Revision  Action  File
1.6       modify  pkgsrc/www/firefox52/Makefile
1.5       modify  pkgsrc/www/firefox52/distinfo