The TSymbolTableLevel class in ANGLE, as used in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 on Windows, allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact by triggering use of a WebGL shader that writes to an array.

MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr and mozilla-nss were updated to fix nine security issues. Mozilla Firefox was updated to version 45.3.0 ESR. mozilla-nss was updated to version 3.21.1, mozilla-nspr to version 4.12. These security issues were fixed in 45.3.0ESR :

  - CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety     hazards (rv:48.0 / rv:45.3) (MFSA 2016-62)

  - CVE-2016-2830: Favicon network connection can persist     when page is closed (MFSA 2016-63)

  - CVE-2016-2838: Buffer overflow rendering SVG with     bidirectional content (MFSA 2016-64)

  - CVE-2016-2839: Cairo rendering crash due to memory     allocation issue with FFmpeg 0.10 (MFSA 2016-65)

  - CVE-2016-5252: Stack underflow during 2D graphics     rendering (MFSA 2016-67)

  - CVE-2016-5254: Use-after-free when using alt key and     toplevel menus (MFSA 2016-70)

  - CVE-2016-5258: Use-after-free in DTLS during WebRTC     session shutdown (MFSA 2016-72)

  - CVE-2016-5259: Use-after-free in service workers with     nested sync events (MFSA 2016-73)

  - CVE-2016-5262: Scripts on marquee tag can execute in     sandboxed iframes (MFSA 2016-76)

  - CVE-2016-2837: Buffer overflow in ClearKey Content     Decryption Module (CDM) during video playback (MFSA     2016-77)

  - CVE-2016-5263: Type confusion in display transformation     (MFSA 2016-78)

  - CVE-2016-5264: Use-after-free when applying SVG effects     (MFSA 2016-79)

  - CVE-2016-5265: Same-origin policy violation using local     HTML file and saved shortcut file (MFSA 2016-80)

  - CVE-2016-6354: Fix for possible buffer overrun     (bsc#990856) Security issues fixed in 45.2.0.ESR :

  - CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61)     (bsc#983639).

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (MFSA 2016-53) (bsc#983651).

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (MFSA 2016-52) (bsc#983652).

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (MFSA 2016-51) (bsc#983653).

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (MFSA 2016-50) (bsc#983655).

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction (MFSA     2016-56) (bsc#983646).

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (MFSA 2016-58)     (bsc#983643).

  - CVE-2016-2815, CVE-2016-2818: Miscellaneous memory     safety hazards (MFSA 2016-49) (bsc#983638)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MozillaFirefox, MozillaFirefox-branding-SLE and mozilla-nss were updated to fix nine security issues. Mozilla Firefox was updated to version 45.2.0 ESR. mozilla-nss was updated to version 3.21.1. These security issues were fixed :

  - CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61)     (bsc#983639).

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (MFSA 2016-53) (bsc#983651).

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (MFSA 2016-52) (bsc#983652).

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (MFSA 2016-51) (bsc#983653).

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (MFSA 2016-50) (bsc#983655).

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction (MFSA     2016-56) (bsc#983646).

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (MFSA 2016-58)     (bsc#983643).

  - CVE-2016-2815, CVE-2016-2818: Miscellaneous memory     safety hazards (MFSA 2016-49) (bsc#983638)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss and mozilla-nspr were updated to fix nine security issues.

Mozilla Firefox was updated to version 45.2.0 ESR. mozilla-nss was updated to version 3.21.1.

These security issues were fixed :

  - CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61)     (bsc#983639).

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (MFSA 2016-53) (bsc#983651).

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (MFSA 2016-52) (bsc#983652).

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (MFSA 2016-51) (bsc#983653).

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (MFSA 2016-50) (bsc#983655).

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction (MFSA     2016-56) (bsc#983646).

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (MFSA 2016-58)     (bsc#983643).

  - CVE-2016-2815, CVE-2016-2818: Miscellaneous memory     safety hazards (MFSA 2016-49) (bsc#983638)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of Mozilla Firefox earlier than 45.2 are unpatched for the following vulnerabilities :

 - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-2815, CVE-2016-2818)
 - An overflow condition exists that is triggered when handling HTML5 fragments in foreign contexts (e.g., under <svg> nodes).  An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-2819)
 - A use-after-free error exists that is triggered when deleting DOM table elements in 'contenteditable' mode.  An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-2821)
 - A spoofing vulnerability exists due to improper handling of SELECT elements.  An unauthenticated, remote attacker can exploit this to spoof the contents of the address bar. (CVE-2016-2822)
 - An out-of-bounds write flaw in 'TSymbolTableLevel' is triggered when size values for array writes are not properly checked during WebGL shader operations. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-2824)
 - A flaw exists in the Windows updater utility's 'toolkit/mozapps/update/updater/updater.cpp' extraction of files from MAR archives.  These files are not properly locked for writing, which may allow a local attacker to replace these files and potentially leverage them to gain elevated privileges. (CVE-2016-2826)
 - A use-after-free error exists that is triggered when destroying the recycle pool of a texture used during the processing of WebGL content.  An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-2828)
 - A flaw exists that is triggered when handling paired fullscreen and pointerlock requests in combination with closing windows.  An unauthenticated, remote attacker can exploit this to create an unauthorized pointerlock, resulting in a denial of service condition.  Additionally, an attacker can exploit this to conduct spoofing and clickjacking attacks. (CVE-2016-2831)

This update to Mozilla Firefox 47 fixes the following issues (boo#983549) :

Security fixes :

  - CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety     hazards (boo#983638 MFSA 2016-49)

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (boo#983655 MFSA 2016-50)

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (boo#983653 MFSA 2016-51)

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (boo#983652 MFSA 2016-52)

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (boo#983651 MFSA 2016-53)

  - CVE-2016-2825: Partial same-origin-policy through     setting location.host through data URI (boo#983649 MFSA     2016-54)

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction     (boo#983646 MFSA 2016-56)

  - CVE-2016-2829: Incorrect icon displayed on permissions     notifications (boo#983644 MFSA 2016-57)

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (boo#983643 MFSA     2016-58)

  - CVE-2016-2832: Information disclosure of disabled     plugins through CSS pseudo-classes (boo#983632 MFSA     2016-59)

  - CVE-2016-2833: Java applets bypass CSP protections     (boo#983640 MFSA 2016-60)

Mozilla NSS was updated to 3.23 to address the following vulnerabilities :

  - CVE-2016-2834: Memory safety bugs (boo#983639     MFSA-2016-61)

    The following non-security changes are included :

  - Enable VP9 video codec for users with fast machines

  - Embedded YouTube videos now play with HTML5 video if     Flash is not installed

  - View and search open tabs from your smartphone or     another computer in a sidebar

  - Allow no-cache on back/forward navigations for https     resources

    The following packaging changes are included :

  - boo#981695: cleanup configure options, notably removing     GStreamer support which is gone from FF

  - boo#980384: enable build with PIE and full relro on     x86_64

    The following new functionality is provided :

  - ChaCha20/Poly1305 cipher and TLS cipher suites now     supported

  - The list of TLS extensions sent in the TLS handshake has     been reordered to increase compatibility of the Extended     Master Secret with with servers

This update to Mozilla Firefox 47 fixes the following issues (boo#983549) :

Security fixes :

  - CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety     hazards (boo#983638 MFSA 2016-49)

  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments     (boo#983655 MFSA 2016-50)

  - CVE-2016-2821: Use-after-free deleting tables from a     contenteditable document (boo#983653 MFSA 2016-51)

  - CVE-2016-2822: Addressbar spoofing though the SELECT     element (boo#983652 MFSA 2016-52)

  - CVE-2016-2824: Out-of-bounds write with WebGL shader     (boo#983651 MFSA 2016-53)

  - CVE-2016-2825: Partial same-origin-policy through     setting location.host through data URI (boo#983649 MFSA     2016-54)

  - CVE-2016-2828: Use-after-free when textures are used in     WebGL operations after recycle pool destruction     (boo#983646 MFSA 2016-56)

  - CVE-2016-2829: Incorrect icon displayed on permissions     notifications (boo#983644 MFSA 2016-57)

  - CVE-2016-2831: Entering fullscreen and persistent     pointerlock without user permission (boo#983643 MFSA     2016-58)

  - CVE-2016-2832: Information disclosure of disabled     plugins through CSS pseudo-classes (boo#983632 MFSA     2016-59)

  - CVE-2016-2833: Java applets bypass CSP protections     (boo#983640 MFSA 2016-60)

Mozilla NSS was updated to 3.23 to address the following vulnerabilities :

  - CVE-2016-2834: Memory safety bugs (boo#983639     MFSA-2016-61) The following non-security changes are     included :

  - Enable VP9 video codec for users with fast machines

  - Embedded YouTube videos now play with HTML5 video if     Flash is not installed

  - View and search open tabs from your smartphone or     another computer in a sidebar

  - Allow no-cache on back/forward navigations for https     resources

The following packaging changes are included :

  - boo#981695: cleanup configure options, notably removing     GStreamer support which is gone from FF

  - boo#980384: enable build with PIE and full relro on     x86_64

The following new functionality is provided :

  - ChaCha20/Poly1305 cipher and TLS cipher suites now     supported

  - The list of TLS extensions sent in the TLS handshake has     been reordered to increase compatibility of the Extended     Master Secret with with servers

The version of Firefox installed on the remote Windows host is prior to 47. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist that allow an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2016-2815, CVE-2016-2818)

  - An overflow condition exists that is triggered when     handling HTML5 fragments in foreign contexts (e.g.,     under <svg> nodes). An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in the execution of arbitrary code.
    (CVE-2016-2819)

  - A use-after-free error exists that is triggered when     deleting DOM table elements in 'contenteditable' mode.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-2821)

  - A spoofing vulnerability exists due to improper handling     of SELECT elements. An unauthenticated, remote attacker     can exploit this to spoof the contents of the address     bar. (CVE-2016-2822)

  - An out-of-bounds write error exists in the ANGLE     graphics library due to improper size checking while     writing to an array during WebGL shader operations. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2016-2824)

  - A same-origin bypass vulnerability exists that is     triggered when handling location.host property values     set after the creation of invalid 'data:' URIs. An     unauthenticated, remote attacker can exploit this to     partially bypass same-origin policy protections.
    (CVE-2016-2825)

  - A privilege escalation vulnerability exists in the     Windows updater utility due to improper extraction of     files from MAR archives. A local attacker can exploit     this to replace the extracted files, allowing the     attacker to gain elevated privileges. (CVE-2016-2826)

  - A use-after-free error exists that is triggered when     destroying the recycle pool of a texture used during the     processing of WebGL content. An unauthenticated, remote     attacker can exploit this to dereference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2016-2828)

  - A flaw exists in browser/modules/webrtcUI.jsm that is     triggered when handling a large number of permission     requests over a small period of time. An     unauthenticated, remote attacker can exploit this to     cause the incorrect icon to be displayed in a given     permission request, potentially resulting in a user     approving unintended permission requests.
    (CVE-2016-2829)

  - A flaw exists that is triggered when handling paired     fullscreen and pointerlock requests in combination with     closing windows. An unauthenticated, remote attacker can     exploit this to create an unauthorized pointerlock,     resulting in a denial of service condition.
    Additionally, an attacker can exploit this to conduct     spoofing and clickjacking attacks. (CVE-2016-2831)

  - An information disclosure vulnerability exists that is     triggered when handling CSS pseudo-classes. An     unauthenticated, remote attacker can exploit this     disclose a list of installed plugins. (CVE-2016-2832)

  - A Content Security Policy (CSP) bypass exists that is     triggered when handling specially crafted cross-domain     Java applets. An unauthenticated, remote attacker can     exploit this to bypass the CSP and conduct cross-site     scripting attacks. (CVE-2016-2833)

  - Multiple unspecified flaws exist in the Mozilla Network     Security Services (NSS) component that allow an attacker     to have an unspecified impact. (CVE-2016-2834)

The version of Firefox ESR installed on the remote Windows host is 45.x prior to 45.2. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist that allow an     unauthenticated, remote attacker to execute arbitrary     code. (CVE-2016-2818)

  - An overflow condition exists that is triggered when     handling HTML5 fragments in foreign contexts (e.g.,     under <svg> nodes). An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in the execution of arbitrary code.
    (CVE-2016-2819)

  - A use-after-free error exists that is triggered when     deleting DOM table elements in 'contenteditable' mode.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-2821)

  - A spoofing vulnerability exists due to improper handling     of SELECT elements. An unauthenticated, remote attacker     can exploit this to spoof the contents of the address     bar. (CVE-2016-2822)

  - An out-of-bounds write error exists in the ANGLE     graphics library due to improper size checking while     writing to an array during WebGL shader operations. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2016-2824)

  - A privilege escalation vulnerability exists in the     Windows updater utility due to improper extraction of     files from MAR archives. A local attacker can exploit     this to replace the extracted files, allowing the     attacker to gain elevated privileges. (CVE-2016-2826)

  - A use-after-free error exists that is triggered when     destroying the recycle pool of a texture used during the     processing of WebGL content. An unauthenticated, remote     attacker can exploit this to dereference already freed     memory, resulting in the execution of arbitrary code.
    (CVE-2016-2828)

  - A flaw exists that is triggered when handling paired     fullscreen and pointerlock requests in combination with     closing windows. An unauthenticated, remote attacker can     exploit this to create an unauthorized pointerlock,     resulting in a denial of service condition.
    Additionally, an attacker can exploit this to conduct     spoofing and clickjacking attacks. (CVE-2016-2831)

ID	Name	Product	Family	Severity
93288	SUSE SLES11 Security Update : MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nspr / mozilla-nss (SUSE-SU-2016:2061-1)	Nessus	SuSE Local Security Checks	critical
93182	SUSE SLES11 Security Update : MozillaFirefox, MozillaFirefox-branding-SLE / mozilla-nss (SUSE-SU-2016:1799-1)	Nessus	SuSE Local Security Checks	high
93166	SUSE SLED12 / SLES12 Security Update : MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss (SUSE-SU-2016:1691-1)	Nessus	SuSE Local Security Checks	high
9382	Mozilla Firefox ESR < 45.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
91589	openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-714)	Nessus	SuSE Local Security Checks	high
91586	openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-704)	Nessus	SuSE Local Security Checks	high
91547	Firefox < 47 Multiple Vulnerabilities	Nessus	Windows	high
91546	Firefox ESR 45.x < 45.2 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2016-2824

high

Tenable Plugins

critical

high

high

high

high

high

high

high