977376 – (CVE-2016-2807) VUL-0: CVE-2016-2807: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (MFSA 2016-39

Bug 977376 (CVE-2016-2807) - VUL-0: CVE-2016-2807: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (MFSA 2016-39

Summary: VUL-0: CVE-2016-2807: MozillaFirefox: Memory safety bugs fixed in Firefox ESR...

Status:	RESOLVED FIXED

Alias:	CVE-2016-2807

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	All All

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Deadline:	2016-05-18
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:SUSE:CVE-2016-2807:6.8:(AV:N/A...
Keywords:

Depends on:	977333
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2016-04-27 08:34 UTC by Andreas Stieger
Modified:	2020-04-05 18:21 UTC (History)
CC List:	7 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2016-04-27 08:34:25 UTC

https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/

Mozilla developers fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. 

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety problems and crashes that are fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46.

Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (CVE-2016-2807)
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1254164,1254622,1187420,1254876,1252707

Comment 1 Swamp Workflow Management 2016-04-27 11:48:06 UTC

An update workflow for this issue was started.
This issue was rated as critical.
Please submit fixed packages until 2016-04-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62674

Comment 2 Swamp Workflow Management 2016-04-27 22:01:02 UTC

bugbot adjusting priority

Comment 3 Andreas Stieger 2016-04-28 12:19:46 UTC

Adjust severity for memory safety bugs

Comment 4 Bernhard Wiedemann 2016-04-30 08:00:29 UTC

This is an autogenerated message for OBS integration:
This bug (977376) was mentioned in
https://build.opensuse.org/request/show/392977 Factory / MozillaFirefox
https://build.opensuse.org/request/show/392978 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/392979 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/392980 13.1 / MozillaFirefox

Comment 5 Andreas Stieger 2016-04-30 11:38:35 UTC

All submission received, incidents running

Comment 6 Bernhard Wiedemann 2016-05-04 06:00:27 UTC

This is an autogenerated message for OBS integration:
This bug (977376) was mentioned in
https://build.opensuse.org/request/show/393514 Factory / MozillaFirefox

Comment 7 Swamp Workflow Management 2016-05-04 13:09:17 UTC

openSUSE-SU-2016:1211-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977333,977373,977375,977376,977379,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2811,CVE-2016-2812,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-46.0-21.1, mozilla-nss-3.22.3-15.2
openSUSE 13.2 (src):    MozillaFirefox-46.0-68.1, mozilla-nss-3.22.3-31.1

Comment 8 Swamp Workflow Management 2016-05-06 14:08:21 UTC

openSUSE-SU-2016:1251-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977333,977373,977375,977376,977377,977378,977379,977380,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2809,CVE-2016-2810,CVE-2016-2811,CVE-2016-2812,CVE-2016-2813,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-46.0-113.2, mozilla-nss-3.22.3-77.1

Comment 9 Swamp Workflow Management 2016-05-06 18:08:18 UTC

SUSE-SU-2016:1258-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 977333,977374,977376,977381,977386
CVE References: CVE-2016-2805,CVE-2016-2807,CVE-2016-2808,CVE-2016-2814
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-38.8.0esr-66.2
SUSE Linux Enterprise Software Development Kit 12 (src):    MozillaFirefox-38.8.0esr-66.2
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-38.8.0esr-66.2
SUSE Linux Enterprise Server 12 (src):    MozillaFirefox-38.8.0esr-66.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-38.8.0esr-66.2
SUSE Linux Enterprise Desktop 12 (src):    MozillaFirefox-38.8.0esr-66.2

Comment 10 Swamp Workflow Management 2016-05-11 15:59:31 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-05-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62716

Comment 11 Swamp Workflow Management 2016-05-18 16:09:59 UTC

SUSE-SU-2016:1342-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 977333,977374,977376,977381,977386
CVE References: CVE-2016-2805,CVE-2016-2807,CVE-2016-2808,CVE-2016-2814
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    MozillaFirefox-38.8.0esr-40.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    MozillaFirefox-38.8.0esr-40.1

Comment 12 Swamp Workflow Management 2016-05-18 19:08:09 UTC

SUSE-SU-2016:1352-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 977333,977374,977376,977381,977386
CVE References: CVE-2016-2805,CVE-2016-2807,CVE-2016-2808,CVE-2016-2814
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    MozillaFirefox-38.8.0esr-0.5.1

Comment 13 Swamp Workflow Management 2016-05-20 17:08:41 UTC

SUSE-SU-2016:1374-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 977333,977374,977376,977381,977386
CVE References: CVE-2016-2805,CVE-2016-2807,CVE-2016-2808,CVE-2016-2814
Sources used:
SUSE OpenStack Cloud 5 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Manager Proxy 2.1 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Manager 2.1 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-38.8.0esr-40.5, mozilla-nspr-4.12-26.1, mozilla-nss-3.20.2-30.1

Comment 14 Sebastian Krahmer 2016-05-23 11:16:10 UTC

released

Comment 15 Swamp Workflow Management 2016-07-10 14:08:41 UTC

openSUSE-SU-2016:1767-1: An update that fixes 28 vulnerabilities is now available.

Category: security (important)
Bug References: 969894,977333,977375,977376,983549,984126,984637,986162
CVE References: CVE-2016-1952,CVE-2016-1953,CVE-2016-1954,CVE-2016-1955,CVE-2016-1956,CVE-2016-1957,CVE-2016-1960,CVE-2016-1961,CVE-2016-1964,CVE-2016-1974,CVE-2016-1977,CVE-2016-2790,CVE-2016-2791,CVE-2016-2792,CVE-2016-2793,CVE-2016-2794,CVE-2016-2795,CVE-2016-2796,CVE-2016-2797,CVE-2016-2798,CVE-2016-2799,CVE-2016-2800,CVE-2016-2801,CVE-2016-2802,CVE-2016-2806,CVE-2016-2807,CVE-2016-2815,CVE-2016-2818
Sources used:
openSUSE 13.1 (src):    MozillaThunderbird-45.2-70.83.1

Comment 16 Swamp Workflow Management 2016-07-10 22:08:36 UTC

openSUSE-SU-2016:1769-1: An update that fixes 28 vulnerabilities is now available.

Category: security (important)
Bug References: 969894,977333,977375,977376,983549,984126,984637,986162
CVE References: CVE-2016-1952,CVE-2016-1953,CVE-2016-1954,CVE-2016-1955,CVE-2016-1956,CVE-2016-1957,CVE-2016-1960,CVE-2016-1961,CVE-2016-1964,CVE-2016-1974,CVE-2016-1977,CVE-2016-2790,CVE-2016-2791,CVE-2016-2792,CVE-2016-2793,CVE-2016-2794,CVE-2016-2795,CVE-2016-2796,CVE-2016-2797,CVE-2016-2798,CVE-2016-2799,CVE-2016-2800,CVE-2016-2801,CVE-2016-2802,CVE-2016-2806,CVE-2016-2807,CVE-2016-2815,CVE-2016-2818
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-45.2-6.1

Comment 17 Swamp Workflow Management 2016-07-10 22:13:52 UTC

openSUSE-SU-2016:1778-1: An update that fixes 28 vulnerabilities is now available.

Category: security (important)
Bug References: 969894,977333,977375,977376,983549,984126,984637,986162
CVE References: CVE-2016-1952,CVE-2016-1953,CVE-2016-1954,CVE-2016-1955,CVE-2016-1956,CVE-2016-1957,CVE-2016-1960,CVE-2016-1961,CVE-2016-1964,CVE-2016-1974,CVE-2016-1977,CVE-2016-2790,CVE-2016-2791,CVE-2016-2792,CVE-2016-2793,CVE-2016-2794,CVE-2016-2795,CVE-2016-2796,CVE-2016-2797,CVE-2016-2798,CVE-2016-2799,CVE-2016-2800,CVE-2016-2801,CVE-2016-2802,CVE-2016-2806,CVE-2016-2807,CVE-2016-2815,CVE-2016-2818
Sources used:
openSUSE Leap 42.1 (src):    MozillaThunderbird-45.2-16.1
openSUSE 13.2 (src):    MozillaThunderbird-45.2-43.1