=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN360

_____________________________________________________________________

DATE                : 28/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Firefox  versions prior to 118,
                                       ESR 115.3.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2023-41/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-42/
_____________________________________________________________________


Mozilla Foundation Security Advisory 2023-41
Security Vulnerabilities fixed in Firefox 118

Announced
     September 26, 2023
Impact
     high
Products
     Firefox
Fixed in

         Firefox 118

#CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1

Reporter
     sonakkbi
Impact
     high

Description

A compromised content process could have provided malicious data
to FilterNodeD2D1 resulting in an out-of-bounds write, leading to
a potentially exploitable crash in a privileged process.
This bug only affects Firefox on Windows. Other operating systems
are unaffected.


References

     Bug 1846683


#CVE-2023-5169: Out-of-bounds write in PathOps

Reporter
     sonakkbi
Impact
     high

Description

A compromised content process could have provided malicious data in
a PathRecording resulting in an out-of-bounds write, leading to a
potentially exploitable crash in a privileged process.

References

     Bug 1846685


#CVE-2023-5170: Memory leak from a privileged process

Reporter
     sonakkbi
Impact
     high

Description

In canvas rendering, a compromised content process could have caused
a surface to change unexpectedly, leading to a memory leak of a
privileged process. This memory leak could be used to effect a
sandbox escape if the correct data was leaked.

References

     Bug 1846686

#CVE-2023-5171: Use-after-free in Ion Compiler

Reporter
     Lukas Bernhard
Impact
     high

Description

During Ion compilation, a Garbage Collection could have resulted in
a use-after-free condition, allowing an attacker to write two NUL
bytes, and cause a potentially exploitable crash.

References

     Bug 1851599


#CVE-2023-5172: Memory Corruption in Ion Hints

Reporter
     Mozilla Fuzzing Team
Impact
     high

Description

A hashtable in the Ion Engine could have been mutated while there was
a live interior reference, leading to a potential use-after-free and
exploitable crash.

References

     Bug 1852218


#CVE-2023-5173: Out-of-bounds write in HTTP Alternate Services

Reporter
     Ronald Crane
Impact
     moderate

Description

In a non-standard configuration of Firefox, an integer overflow could
have occurred based on network traffic (possibly under influence of
a local unprivileged webpage), leading to an out-of-bounds write to
privileged process memory.
This bug only affects Firefox if a non-standard preference allowing
non-HTTPS Alternate Services (network.http.altsvc.oe) is enabled.

References

     Bug 1823172

#CVE-2023-5174: Double-free in process spawning on Windows

Reporter
     Ronald Crane
Impact
     moderate

Description

If Windows failed to duplicate a handle during process creation, the
sandbox code may have inadvertently freed a pointer twice, resulting
in a use-after-free and a potentially exploitable crash.
This bug only affects Firefox on Windows when run in non-standard
configurations (such as using runas). Other operating systems are
unaffected.

References

     Bug 1848454


#CVE-2023-5175: Use-after-free of ImageBitmap during process shutdown

Reporter
     Yangkang of 360 ATA Team
Impact
     low

Description

During process shutdown, it was possible that an ImageBitmap was created
that would later be used after being freed from a different codepath,
leading to a potentially exploitable crash.

References

     Bug 1849704


#CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox
ESR 115.3, and Thunderbird 115.3

Reporter
     Chris Peterson, Andrew McCreight, André Bargull, Nika Layzell and
the Mozilla Fuzzing Team

Impact
     high

Description

Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and
Thunderbird 115.2. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these
could have been exploited to run arbitrary code.
References

     Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
and Thunderbird 115.3

_____________________________________________________________________


Mozilla Foundation Security Advisory 2023-42
Security Vulnerabilities fixed in Firefox ESR 115.3

Announced
     September 26, 2023
Impact
     high
Products
     Firefox ESR
Fixed in

         Firefox ESR 115.3

#CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1

Reporter
     sonakkbi
Impact
     high

Description

A compromised content process could have provided malicious data to
FilterNodeD2D1 resulting in an out-of-bounds write, leading to a
potentially exploitable crash in a privileged process.
This bug only affects Firefox on Windows. Other operating systems are
unaffected.

References

     Bug 1846683


#CVE-2023-5169: Out-of-bounds write in PathOps

Reporter
     sonakkbi
Impact
     high

Description

A compromised content process could have provided malicious data in
a PathRecording resulting in an out-of-bounds write, leading to a
potentially exploitable crash in a privileged process.

References

     Bug 1846685


#CVE-2023-5171: Use-after-free in Ion Compiler

Reporter
     Lukas Bernhard
Impact
     high

Description

During Ion compilation, a Garbage Collection could have resulted in
a use-after-free condition, allowing an attacker to write two NUL
bytes, and cause a potentially exploitable crash.

References

     Bug 1851599

#CVE-2023-5174: Double-free in process spawning on Windows

Reporter
     Ronald Crane
Impact
     moderate

Description

If Windows failed to duplicate a handle during process creation, the
sandbox code may have inadvertently freed a pointer twice, resulting
in a use-after-free and a potentially exploitable crash.
This bug only affects Firefox on Windows when run in non-standard
configurations (such as using runas). Other operating systems are
unaffected.

References

     Bug 1848454


#CVE-2023-5176: Memory safety bugs fixed in Firefox 118,
Firefox ESR 115.3, and Thunderbird 115.3

Reporter
     Chris Peterson, Andrew McCreight, André Bargull, Nika Layzell
and the Mozilla Fuzzing Team

Impact
     high

Description

Memory safety bugs present in Firefox 117, Firefox ESR 115.2, and
Thunderbird 115.2. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these
could have been exploited to run arbitrary code.
References

     Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
and Thunderbird 115.3



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================