Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Security Vulnerabilities fixed in Firefox ESR 91.8
#CVE-2022-1097: Use-after-free in NSSToken objects: NSSToken
objects were referenced via direct points, and could have been accessed in an
unsafe way on different threads, leading to a use-after-free and potentially
exploitable crash.
#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN
Extensions: If a compromised content process sent an unexpected number of
WebAuthN Extensions in a Register command to the parent process, an out of
bounds write would have occurred leading to memory corruption and a
potentially exploitable crash.
#CVE-2022-1196: Use-after-free after VR Process destruction: After
a VR Process is destroyed, a reference to it may have been retained and used,
leading to a use-after-free and potentially exploitable crash.
#CVE-2022-28282: Use-after-free in
DocumentL10n::TranslateDocument: By using a link with rel="localization"
a use-after-free could have been triggered by destroying an object during
JavaScript execution and then referencing the object through a freed pointer,
leading to a potential exploitable crash.
#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen: When
generating the assembly code for MLoadTypedArrayElementHole, an incorrect
AliasSet was used. In conjunction with another vulnerability this could have
been used for an out of bounds memory read.
Security Vulnerabilities fixed in Firefox 99
#CVE-2022-1097: Use-after-free in NSSToken objects: NSSToken
objects were referenced via direct points, and could have been accessed in an
unsafe way on different threads, leading to a use-after-free and potentially
exploitable crash.
#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN
Extensions: If a compromised content process sent an unexpected number of
WebAuthN Extensions in a Register command to the parent process, an out of
bounds write would have occurred leading to memory corruption and a
potentially exploitable crash.
#CVE-2022-28282: Use-after-free in
DocumentL10n::TranslateDocument: By using a link with rel="localization"
a use-after-free could have been triggered by destroying an object during
JavaScript execution and then referencing the object through a freed pointer,
leading to a potentially exploitable crash.
#CVE-2022-28283: Missing security checks for fetching
sourceMapURL: The sourceMapURL feature in devtools was missing security
checks that would have allowed a webpage to attempt to include local files or
other files that should have been inaccessible.
#CVE-2022-28284: Script could be executed via svg's use
element: SVG's <use> element could have been used to load
unexpected content that could have executed script in certain circumstances.
While the specification seems to allow this, other browsers do not, and web
developers relied on this property for script security so gecko's
implementation was aligned with theirs.
#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen: When
generating the assembly code for MLoadTypedArrayElementHole, an incorrect
AliasSet was used. In conjunction with another vulnerability this could have
been used for an out of bounds memory read.
Security Vulnerabilities fixed in Thunderbird 91.8
In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
#CVE-2022-1097: Use-after-free in NSSToken objects: NSSToken
objects were referenced via direct points, and could have been accessed in an
unsafe way on different threads, leading to a use-after-free and potentially
exploitable crash.
#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN
Extensions: If a compromised content process sent an unexpected number of
WebAuthN Extensions in a Register command to the parent process, an out of
bounds write would have occurred leading to memory corruption and a
potentially exploitable crash.
#CVE-2022-1197: OpenPGP revocation information was ignored: When
importing a revoked key that specified key compromise as the revocation
reason, Thunderbird did not update the existing copy of the key that was not
yet revoked, and the existing key was kept as non-revoked. Revocation
statements that used another revocation reason, or that didn't specify a
revocation reason, were unaffected.
#CVE-2022-1196: Use-after-free after VR Process destruction: After
a VR Process is destroyed, a reference to it may have been retained and used,
leading to a use-after-free and potentially exploitable crash.
#CVE-2022-28282: Use-after-free in
DocumentL10n::TranslateDocument: By using a link with rel="localization"
a use-after-free could have been triggered by destroying an object during
JavaScript execution and then referencing the object through a freed pointer,
leading to a potential exploitable crash.
#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen: When
generating the assembly code for MLoadTypedArrayElementHole, an incorrect
AliasSet was used. In conjunction with another vulnerability this could have
been used for an out of bounds memory read.
Source:
