Bug 963641 (CVE-2016-1937) - VUL-0: CVE-2016-1937: MozillaFirefox: Missing delay following user click events in protocol handler dialog
Status: RESOLVED FIXED
Duplicates: 977736
Alias: CVE-2016-1937
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All
OS: openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on: 963520
Blocks:
Reported: 2016-01-26 18:16 UTC by Andreas Stieger
Modified: 2020-04-05 18:20 UTC
CC: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-01-26 18:16:21 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-06/

Security researcher window reported an issue where, when the protocol handler dialog appears, double-click events are treated as two single-click events. This was caused by the lack of a delay following the initial focus in the file download dialog. This could cause a second dialog to be sent the second click, leading to unintentional user-initiated actions, such as the running of downloaded software from a maliciously positioned prompt.

https://bugzilla.mozilla.org/show_bug.cgi?id=724353

openSUSE only.
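The timing problem the description refers to, as an added illustration that is not Mozilla's code and not part of this bug report: a prompt that accepts a click the instant it gains focus can be fed the second half of a double-click whose first half was spent on attacker-positioned page content, and an "enable delay" after focus discards such clicks. The prompt model, the click gap, the prompt latency and the 1000 ms delay are all constructed values for the example.

```javascript
// Added example, not Mozilla's code: a minimal model of the click-timing
// problem described in the bug. A prompt that accepts a click the instant
// it is focused can be "fed" the second click of a double-click whose first
// click was spent on attacker-positioned page content; a short enable delay
// after focus (the missing delay the advisory describes) discards such clicks.

// Constructed sample values; real double-click gaps are platform settings.
const DOUBLE_CLICK_GAP_MS = 80;   // gap between the two clicks of a double-click
const PROMPT_LATENCY_MS = 5;      // time for the prompt to appear after click 1
const ENABLE_DELAY_MS = 1000;     // arming delay of the hardened prompt (assumed value)

// Simplified protocol-handler / download prompt. Times are ms on one clock.
class Prompt {
  constructor(enableDelayMs, focusedAt) {
    this.enableDelayMs = enableDelayMs; // 0 models the vulnerable behaviour
    this.focusedAt = focusedAt;         // last time the prompt gained focus
    this.accepted = false;
  }

  // Focus changes restart the arming window (modelling choice for this example).
  focus(t) {
    this.focusedAt = t;
  }

  // A click on the "Run"/"Open" button at time t. Returns what happened.
  click(t) {
    if (t - this.focusedAt < this.enableDelayMs) {
      return 'ignored';   // arrived too soon after focus to be deliberate
    }
    this.accepted = true;
    return 'accepted';
  }
}

// The attack: click 1 of a double-click (at t0) lands on page content that
// opens the prompt under the cursor; click 2 lands on the prompt's button.
function simulateDoubleClick(enableDelayMs, t0 = 0) {
  const prompt = new Prompt(enableDelayMs, t0 + PROMPT_LATENCY_MS);
  const secondClickAt = t0 + DOUBLE_CLICK_GAP_MS;
  return prompt.click(secondClickAt);
}

// A user who reads the prompt and clicks after `waitMs` must still be able
// to accept it, otherwise the delay would only be breakage.
function simulateDeliberateClick(enableDelayMs, waitMs, t0 = 0) {
  const prompt = new Prompt(enableDelayMs, t0 + PROMPT_LATENCY_MS);
  return prompt.click(t0 + PROMPT_LATENCY_MS + waitMs);
}

// Edge case: a click that arrives right after the prompt regained focus
// (e.g. it was raised again by a window switch) hits a re-armed window.
function simulateClickAfterRefocus(enableDelayMs, refocusAt, clickAt) {
  const prompt = new Prompt(enableDelayMs, 0);
  prompt.focus(refocusAt);
  return prompt.click(clickAt);
}

// Summary for a reader running the file directly.
console.log('no delay, double-click     :', simulateDoubleClick(0));                                // accepted
console.log('1000 ms delay, double-click:', simulateDoubleClick(ENABLE_DELAY_MS));                  // ignored
console.log('1000 ms delay, deliberate  :', simulateDeliberateClick(ENABLE_DELAY_MS, 1500));        // accepted
console.log('refocus then quick click   :', simulateClickAfterRefocus(ENABLE_DELAY_MS, 5000, 5050)); // ignored
```

The delay only needs to exceed the double-click interval to defeat this particular trick; the example uses a much larger value so that a user who actually reads the prompt is never affected while a reflexive second click always is.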
Comment 1 Swamp Workflow Management 2016-01-26 23:00:47 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-01-27 10:40:37 UTC
openSUSE update is running
Comment 3 Andreas Stieger 2016-02-01 21:26:27 UTC
Releasing updates for openSUSE only bugs.
Comment 4 Swamp Workflow Management 2016-02-02 01:13:30 UTC
openSUSE-SU-2016:0309-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 963633,963634,963635,963637,963641,963643,963644,963645,963731
CVE References: CVE-2015-7208,CVE-2016-1930,CVE-2016-1931,CVE-2016-1933,CVE-2016-1935,CVE-2016-1937,CVE-2016-1938,CVE-2016-1939,CVE-2016-1942,CVE-2016-1943,CVE-2016-1944,CVE-2016-1945,CVE-2016-1946,CVE-2016-1947
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-44.0-12.2, mozilla-nspr-4.11-7.1, mozilla-nss-3.21-9.1
openSUSE 13.2 (src):    MozillaFirefox-44.0-59.1, mozilla-nspr-4.11-12.1, mozilla-nss-3.21-25.1
Comment 5 Marcus Meissner 2016-04-29 06:29:36 UTC
*** Bug 977736 has been marked as a duplicate of this bug. ***
Comment 6 Andreas Stieger 2016-06-06 07:56:46 UTC
*** Bug 977736 has been marked as a duplicate of this bug. ***