The setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.6.1, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted Graphite smart font.

The specific version of Firefox that the system is running is reportedly affected by the following vulnerabilities:

- Mozilla Firefox contains a flaw in the ValueNumberer::fixupOSROnlyLoop() function in jit/ValueNumbering.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the Downscaler::BeginFrame() function in image/Downscaler.cpp that is triggered when failing to compute filters for image downscaling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the JSScript::maybeSweepTypes() function in vm/TypeInference.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the DispatchEvents() function in layout/style/nsAnimationManager.h and layout/style/nsTransitionManager.h that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in dom/base/Console.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the PeerConnectionMedia::SelfDestruct_m() function in media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)

- Mozilla Firefox contains a flaw in the nsICODecoder::ReadDirEntry() function in image/decoders/nsICODecoder.cpp that is triggered when rendering ICO sub-images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the nsIDNService::IDNA2008ToUnicode() function in netwerk/dns/nsIDNService.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated when handling image decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the DiscardTransferables() function in vm/StructuredClone.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the Assembler::GetCF32Target() function in jit/arm/Assembler-arm.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the GetPcScript() function in jit/JitFrames.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the JSFunction::isDerivedClassConstructor() function in js/src/jsfun.cpp that is triggered when handling lazy self-hosted functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in js/src/jit/Lowering.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the EventListenerManager::HandleEventInternal() function in dom/events/EventListenerManager.cpp. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in layout/base/nsRefreshDriver.cpp that is triggered when handling transition events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in dom/media/systemservices/CamerasChild.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- libvpx contains a flaw in the vp8_mb_init_dequantizer() function in vp8/decoder/decodeframe.c that is triggered as user-supplied input is not properly validated. With specially crafted media content, a context-dependent attacker can corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- libvpx contains a flaw in the vp8_loop_filter_frame_init() function in media/libvpx/vp8/common/loopfilter.c that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in dom/xslt/xslt/txMozillaTextOutput.cpp that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in dom/gamepad/windows/WindowsGamepad.cpp that is triggered when handling WindowsGamepadService shutdown. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)

- Mozilla Firefox contains a flaw in the nsCSPContext::SendReports() function in dom/security/nsCSPContext.cpp that is triggered during the handling of Content Security Policy (CSP) violation reports. This may allow a context-dependent attacker to overwrite arbitrary files on a user's machine and potentially gain elevated privileges. (CVE-2016-1954)

- Mozilla Firefox contains a flaw in dom/security/nsCSPContext.cpp that is due to Content Security Policy (CSP) violation reports containing full path information for cross-origin iframe navigations in violation of the CSP specification. This may allow a context-dependent attacker to gain unauthorized access to sensitive information. (CVE-2016-1955)

- Mozilla Firefox contains a flaw in gfx/gl/GLContext.cpp when using Intel Video cards that is triggered when performing WebGL operations that require a large amount buffer to be allocated from video memory. This may allow a context-dependent to cause a consumption of memory resources that will persist until the system has been restarted. (CVE-2016-1956)

- Google Stagefright contains a flaw that is triggered during the handling of array destruction during MPEG4 video file processing. This may allow a context-dependent attacker to cause a memory leak, with unspecified consequences.
 (CVE-2016-1957)

- Mozilla Firefox contains an unspecified flaw that may allow a context-dependent attacker to spoof the user's address bar. No further details have been provided. (CVE-2016-1958)

- Mozilla Firefox contains a flaw in Service Worker Manager that is triggered when handling the Clients API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1959)

- Mozilla Firefox contains a use-after-free error in the HTML5 string parser. The issue is triggered when parsing a set of table-related tags in a foreign fragment context such as SVG. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1960)

- Mozilla Firefox contains a use-after-free error in the nsHTMLDocument::SetBody() function in dom/html/nsHTMLDocument.cpp. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1961)

- Mozilla Firefox contains a use-after-free error in netwerk/sctp/datachannel/DataChannel.cpp when using multiple WebRTC data channel connections and freeing a data channel connection from within a call. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1962)

- Mozilla Firefox contains a flaw in the FileReader::DoReadData() function in dom/base/FileReader.cpp. The issue is triggered as user-supplied input is not properly validated when handling modifications to local files that occur while they are being read with the FileReader API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1963)

- Mozilla Firefox contains a use-after-free error in the txAttribute::execute() function in dom/xslt/xslt/txInstructions.cpp that is triggered when handling XML transformation operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1964)

- Mozilla Firefox contains a flaw in the nsLocation::SetProtocol() function in dom/base/nsLocation.cpp that is triggered when handling history navigation in combination with the location protocol property. This may allow a context-dependent attacker to spoof the contents of the address bar. (CVE-2016-1965)

- Mozilla Firefox contains a flaw that is triggered when handling history navigation in a restored browser session. This may potentially allow a context-dependent attacker to gain unauthorized access to cross-origin URL information. (CVE-2016-1967)

- Mozilla Firefox contains a pointer underflow condition in the Brotli library. The issue is triggered as user-supplied input is not properly validated when the library is performing decompression. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-1968)

- Mozilla Firefox contains a use-after-free flaw in the Netscape Plugin Application Programming Interface (NPAPI) plugin within the nsNPObjWrapper::GetNewOrUsed() function in dom/plugins/base/nsJSNPRuntime.cpp. The issue is triggered when handling malicious scripted web content in concert with the plugin. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1966)

- Mozilla Firefox contains an integer underflow condition in the srtp_unprotect() function in netwerk/srtp/src/srtp/srtp.c that is triggered when handling SRTP packet lenghts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1970)

- Mozilla Firefox contains a flaw in the I420VideoFrame::CreateFrame() function in WebRTC. The issue is triggered as user-supplied input is not properly validated due to a missing status check. This may potentially allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1971)

- Mozilla Firefox contains a race condition in dom/media/systemservices/CamerasChild.h. The issue is triggered as user-supplied input is not properly validated when handling block-level statistics. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1975)

- Mozilla Firefox contains a use-after-free flaw in DesktopDisplayDevice::operator= in media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_device_info.cc. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1976)

- libvpx contains a use-after-free error in vpx_ports/vpx_once.h related to a race condition. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 (CVE-2016-1972)

- Mozilla Firefox contains a use-after-free error that is triggered by a race condition in GetStaticInstance in WebRTC. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1973)

- Mozilla Firefox contains a flaw in the nsScannerString::AppendUnicodeTo() function in parser/htmlparser/nsScannerString.cpp. The issue is triggered when the program fails to allocate memory during handling of unicode strings. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1974)

- Mozilla Network Security Services (NSS) contains a use-after-free error in the PK11_ImportDERPrivateKeyInfoAndReturnKey() function. The issue is triggered when handling DER encoded keys. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 (CVE-2016-1979)

- Graphite/Libgraphite contains a flaw in the Machine::Code::decoder::analysis::set_ref() function. The issue is triggered as user-supplied input is not properly validated. With a specially crafted font, a context-dependent attacker can corrupt memory to cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-1977)

- Graphite/Libgraphite contains a flaw in the GetTableInfo() function in TtfUtil.cpp related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2790)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the GlyphCache::glyph() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2791)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the getAttr() function in Slot.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2792)

- Graphite/Libgraphite contains an out-of-bounds read flaw in CachedCmap.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2793)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable12NextCodepoint() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2794)

- Graphite/Libgraphite contains a flaw in the FileFace::get_table_fn() function related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2795)

- Graphite/Libgraphite contains an out-of-bounds write flaw in the vm::Machine::Code::Code() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2796)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable12Lookup() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2797)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the GlyphCache::Loader::Loader() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2798)

- Graphite/Libgraphite contains an out-of-bounds write flaw in the setAttr() function in Slot.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2799)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the getAttr() function in Slot.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2800)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable12Lookup() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2801)

- Graphite/Libgraphite contains an out-of-bounds read flaw in the CmapSubtable4NextCodepoint() function in TtfUtil.cpp that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2802)

- Graphite/Libgraphite contains an out-of-bounds write flaw in the setAttr() function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1969)

The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and       Thunderbird. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

The version of Firefox installed on the remote host is prior to 45.0 and is affected by multiple vulnerabilities : 

 - Mozilla Network Security Services (NSS) contains an overflow condition. The issue is triggered as user-supplied input is not properly validated when parsing ASN.1 structures. With a specially crafted certificate, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-1950) 
 - A flaw exists in the 'ValueNumberer::fixupOSROnlyLoop()' function in 'jit/ValueNumbering.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw in the 'Downscaler::BeginFrame()' function in 'image/Downscaler.cpp' exists that is triggered when failing to compute filters for image downscaling. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952, CVE-2016-1953)
 - A flaw exists in the 'JSScript::maybeSweepTypes()' function in 'vm/TypeInference.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in the 'DispatchEvents()' function in 'layout/style/nsAnimationManager.h' and 'layout/style/nsTransitionManager.h' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in 'dom/base/Console.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in the 'PeerConnectionMedia::SelfDestruct_m()' function in 'media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1952)
 - A flaw exists in the 'nsICODecoder::ReadDirEntry()' function in 'image/decoders/nsICODecoder.cpp' that is triggered when rendering ICO sub-images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'nsIDNService::IDNA2008ToUnicode()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists that is triggered as user-supplied input is not properly validated when handling image decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'DiscardTransferables()' function in 'vm/StructuredClone.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exits in the 'Assembler::GetCF32Target()' function in 'jit/arm/Assembler-arm.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'GetPcScript()' function in 'jit/JitFrames.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'JSFunction::isDerivedClassConstructor()' function in 'js/src/jsfun.cpp' that is triggered when handling lazy self-hosted functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'js/src/jit/Lowering.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exits in the 'EventListenerManager::HandleEventInternal()' function in 'dom/events/EventListenerManager.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'layout/base/nsRefreshDriver.cpp' that is triggered when handling transition events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'dom/media/systemservices/CamerasChild.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'dom/xslt/xslt/txMozillaTextOutput.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in 'dom/gamepad/windows/WindowsGamepad.cpp' that is triggered when handling 'WindowsGamepadService' shutdown. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1953)
 - A flaw exists in the 'nsCSPContext::SendReports()' function in 'dom/security/nsCSPContext.cpp' that is triggered during the handling of Content Security Policy (CSP) violation reports. This may allow a context-dependent attacker to overwrite arbitrary files on a user's machine and potentially gain elevated privileges. (CVE-2016-1954)
 - A flaw exists in 'dom/security/nsCSPContext.cpp' that is due to Content Security Policy (CSP) violation reports containing full path information for cross-origin iframe navigations in violation of the CSP specification. This may allow a context-dependent attacker to gain unauthorized access to sensitive information. (CVE-2016-1955)
 - A flaw exists in 'gfx/gl/GLContext.cpp' when using Intel Video cards that is triggered when performing WebGL operations that require a large amount buffer to be allocated from video memory. This may allow a context-dependent to cause a consumption of memory resources that will persist until the system has been restarted. (CVE-2016-1956)
 - Google Stagefright contains a flaw that is triggered during the handling of array destruction during MPEG4 video file processing. This may allow a context-dependent attacker to cause a memory leak, with unspecified consequences. (CVE-2016-1957)
 - An unspecified flaw exists that may allow a context-dependent attacker to spoof the user's address bar. No further details have been provided. (CVE-2016-1958)
 - A flaw exists  in Service Worker Manager that is triggered when handling the Clients API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1959)
 - A flaw exists in  use-after-free error in the HTML5 string parser. The issue is triggered when parsing a set of table-related tags in a foreign fragment context such as SVG. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1960)
 - A flaw exists in use-after-free error in the 'nsHTMLDocument::SetBody()' function in 'dom/html/nsHTMLDocument.cpp'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1961)
 - A flaw exists in use-after-free error in 'netwerk/sctp/datachannel/DataChannel.cpp' when using multiple 'WebRTC' data channel connections and freeing a data channel connection from within a call. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1962)
 - A flaw exists in the 'FileReader::DoReadData()' function in 'dom/base/FileReader.cpp'. The issue is triggered as user-supplied input is not properly validated when handling modifications to local files that occur while they are being read with the FileReader API. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1963)
 - A flaw exists in use-after-free error in the 'txAttribute::execute()' function in 'dom/xslt/xslt/txInstructions.cpp' that is triggered when handling XML transformation operations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1964)
 - A flaw exists in the 'nsLocation::SetProtocol()' function in 'dom/base/nsLocation.cpp' that is triggered when handling history navigation in combination with the location protocol property. This may allow a context-dependent attacker to spoof the contents of the address bar. (CVE-2016-1965)
 - A flaw exists that is triggered when handling history navigation in a restored browser session. This may potentially allow a context-dependent attacker to gain unauthorized access to cross-origin URL information. (CVE-2016-1967)
 - A pointer underflow condition exists in the 'Brotli' library. The issue is triggered as user-supplied input is not properly validated when the library is performing decompression. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-1968)
 - A use-after-free flaw exists in the Netscape Plugin Application Programming Interface (NPAPI) plugin within the 'nsNPObjWrapper::GetNewOrUsed()' function in 'dom/plugins/base/nsJSNPRuntime.cpp'. The issue is triggered when handling malicious scripted web content in concert with the plugin. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1966)
 - An integer underflow condition exists in the 'srtp_unprotect()' function in 'netwerk/srtp/src/srtp/srtp.c' that is triggered when handling SRTP packet lenghts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1970)
 - A flaw exists in the 'I420VideoFrame::CreateFrame()' function in WebRTC. The issue is triggered as user-supplied input is not properly validated due to a missing status check. This may potentially allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1971)
 - 'ibvpx' contains a use-after-free error in 'vpx_ports/vpx_once.h' related to a race condition. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1972)
 - A race condition exists in 'dom/media/systemservices/CamerasChild.h'. The issue is triggered as user-supplied input is not properly validated when handling block-level statistics. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-1975)
 - A use-after-free flaw exists in 'DesktopDisplayDevice::operator=' in 'media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_device_info.cc'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1976)
 - A flaw exists in use-after-free error that is triggered by a race condition in 'GetStaticInstance' in WebRTC. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1973)
 - A flaw exists in the 'nsScannerString::AppendUnicodeTo()' function in 'parser/htmlparser/nsScannerString.cpp'. The issue is triggered when the program fails to allocate memory during handling of unicode strings. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1974)
 - Mozilla Network Security Services (NSS) contains a use-after-free error in the 'PK11_ImportDERPrivateKeyInfoAndReturnKey()' function. The issue is triggered when handling DER encoded keys. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-1979)

 The Graphite/Libgraphite component used in Mozilla Firefox contains the following vulnerabilities : 

 - An out-of-bounds write flaw exists in the 'setAttr()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-1969)
 - A flaw exists in the 'Machine::Code::decoder::analysis::set_ref()' function. The issue is triggered as user-supplied input is not properly validated. With a specially crafted font, a context-dependent attacker can corrupt memory to cause a denial of service in a process linked against the library or potentially execute arbitrary code. (CVE-2016-1977)
 - A flaw exists in the 'GetTableInfo()' function in 'TtfUtil.cpp' related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2790)
 - An out-of-bounds read flaw exists in the 'GlyphCache::glyph()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2791)
 - An out-of-bounds read flaw exist in the 'getAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2792)
 - An out-of-bounds read flaw in 'CachedCmap.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2793)
 - An out-of-bounds read flaw in the 'CmapSubtable12NextCodepoint()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2794)
 - A flaw exists in the 'FileFace::get_table_fn()' function related to the use of uninitialized memory when handling a specially crafted font. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2016-2795)
 - An out-of-bounds write flaw exixts in the 'vm::Machine::Code::Code()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2796)
 - An out-of-bounds read flaw exists in the 'CmapSubtable12Lookup()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2797)
 - An out-of-bounds read flaw exists in the 'GlyphCache::Loader::Loader()' function that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2798)
 - An out-of-bounds write flaw exists in the 'setAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2799)
 - An out-of-bounds read flaw exists in the 'getAttr()' function in 'Slot.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2800)
 - An out-of-bounds read flaw exists in the 'CmapSubtable12Lookup()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2801)
 - An out-of-bounds read flaw existsin the 'CmapSubtable4NextCodepoint()' function in 'TtfUtil.cpp' that is triggered when handling maliciously crafted fonts. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-2802)

The version of Firefox installed on the remote Windows host is prior to 45. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these issues by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.

The version of Firefox installed on the remote Mac OS X host is prior to 45. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these issues by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.

Mozilla Foundation reports :

Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5.

The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded.

Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts.

Security researcher James Clawson used the Address Sanitizer tool to discover an out-of-bounds write in the Graphite 2 library when loading a crafted Graphite font file. This results in a potentially exploitable crash.

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523)

All Firefox users should upgrade to these updated packages, which contain Firefox version 38.6.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

From Red Hat Security Advisory 2016:0197 :

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523)

All Firefox users should upgrade to these updated packages, which contain Firefox version 38.6.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 38.6.1. It is, therefore, affected by multiple remote code execution vulnerabilities in the Graphite 2 library :

  - An overflow condition exists in the Context Item     functionality due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a crafted Graphite smart font, to     cause a heap-based buffer overflow, resulting in a     denial of service or the execution of arbitrary code.
    (CVE-2016-1523)

  - An out-of-bounds write error exists in the setAttr()     function that is triggered when handling maliciously     crafted fonts. An unauthenticated, remote attacker can     exploit this to execute arbitrary code. (CVE-2016-1969)

The version of Mozilla Firefox ESR installed on the remote Mac OS X host is prior to 38.6.1. It is, therefore, affected by multiple remote code execution vulnerabilities in the Graphite 2 library :

  - An overflow condition exists in the Context Item     functionality due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this, via a crafted Graphite smart font, to     cause a heap-based buffer overflow, resulting in a     denial of service or the execution of arbitrary code.
    (CVE-2016-1523)

  - An out-of-bounds write error exists in the setAttr()     function that is triggered when handling maliciously     crafted fonts. An unauthenticated, remote attacker can     exploit this to execute arbitrary code. (CVE-2016-1969

ID	Name	Product	Family	Severity
802023	Firefox < 45 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	critical
91379	GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	critical
9207	Mozilla Firefox < 45.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
89875	Firefox < 45 Multiple Vulnerabilities	Nessus	Windows	critical
89873	Firefox < 45 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	critical
89767	FreeBSD : graphite2 -- multiple vulnerabilities (adffe823-e692-4921-ae9c-0b825c218372)	Nessus	FreeBSD Local Security Checks	high
88789	RHEL 5 / 6 / 7 : firefox (RHSA-2016:0197)	Nessus	Red Hat Local Security Checks	high
88781	Oracle Linux 5 / 6 / 7 : firefox (ELSA-2016-0197)	Nessus	Oracle Linux Local Security Checks	high
88762	CentOS 5 / 6 / 7 : firefox (CESA-2016:0197)	Nessus	CentOS Local Security Checks	high
88753	Firefox ESR < 38.6.1 Multiple Graphite 2 Library RCE	Nessus	Windows	high
88751	Firefox ESR < 38.6.1 Multiple Graphite 2 Library RCE (Mac OS X)	Nessus	MacOS X Local Security Checks	high

Detections

Analytics

CVE-2016-1969

high

Tenable Plugins

critical

critical

high

critical

critical

high

high

high

high

high

high