
A number of vulnerabilities were fixed in Firefox in the latest update. MFSA 2021-08 describes it only as "memory issues that may be exploitable", and doesn't give any information:

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

This is the boilerplate information they give for nearly every MFSA, which bundles nearly all memory safety issues into one description. As usual, the bug reference is linked but it cannot be viewed.

When looking up the CVE, the only reference I can see is to this website which says the following:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

This implies that it's one bug. Where did they get this information from, and are all the "safety bugs" in MFSA 2021-08 really specific to the HTML parser? So really, what is CVE-2021-23978?

forest

  • If you're motivated and you know how to read code, I suggest you have a look at the patchset between both versions.... Source code never lies nor hides :-) – binarym Aug 17 '21 at 14:13
  • @binarym In almost any other situation I would, but have you ever seen just how gargantuan the diffs between two releases of Firefox ESR are? They are even less transparent when it comes to security fixes than something like Linux, which is actually saying something. – forest Nov 12 '21 at 20:29

1 Answer


The bugs seem to have been made public now. There are four of them: two use-after-frees, an integer overflow, and a data race. The summaries I've written here are based on a very brief look at the comments on the bug reports and the patch, so take my descriptions with a grain of salt. Links to commits that fix the issue are for Firefox ESR78. The four bugs are as follows:

Bug 1687597

This is a heap UAF caused by a thread being scheduled for deletion before being reset. According to the maintainers, it's unclear how it could be triggered. Fixed in commit 9c662ba11011.

Bug 1682928

This is a race on the value of a pointer in code which was not adequately protected by mutexes because it was not built with multi-threading in mind. Fixed in commit 21131db75e03.

Bug 786797

This is an integer overflow on 64-bit machines with a large amount of memory that would lead to a buffer overflow. If the buffer overflow is reachable, it would allow writing attacker-controlled data to the heap due to improper buffer size calculations. Fixed in commit 4d73b6090b11.

Bug 1687391

This is a potential race condition in locking code between two threads resulting in a refcount for a pointer hitting 0 prematurely, causing a UAF. Fixed in commit cecd979ce5ff.

forest

  • I'm not accepting my own answer because I haven't put enough effort into it and likely won't because of my unfamiliarity with the Firefox codebase. If anyone else posts an answer which goes into more detail or explains how the vulnerable code may realistically be reached, I'll accept their answer. – forest Mar 26 '22 at 00:40
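The integer overflow in the answer above (a buffer size computed in arithmetic too narrow for the real allocation, reachable only on a 64-bit build with enough memory to hold a buffer larger than 4 GiB) is a well-known bug class, and the shape of it is worth seeing in code. The following is an added example written for this page; it is not Firefox code and not from the answer's author. The image-sizing functions and the image dimensions are made up: they show a 32-bit size computation wrapping, how a row-by-row writer then runs past the undersized buffer, and the overflow-checked replacement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image-buffer sizing. Added example, not Firefox code; the
   function names and dimensions below are invented for illustration. */

/* The buggy pattern: the byte count is computed in 32-bit arithmetic.
   Unsigned overflow wraps modulo 2^32 (defined behaviour in C), so a large
   image yields a small, wrong size that is then handed to the allocator. */
uint32_t unsafe_buffer_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* The fix: compute in size_t and refuse any product that would not fit.
   The division test is portable; __builtin_mul_overflow is the GCC/Clang
   equivalent. Returns false and leaves *out untouched on overflow. */
bool checked_buffer_size(size_t width, size_t height, size_t bpp, size_t *out) {
    if (height != 0 && width > SIZE_MAX / height) return false;
    size_t pixels = width * height;
    if (bpp != 0 && pixels > SIZE_MAX / bpp) return false;
    *out = pixels * bpp;
    return true;
}

/* Models how the arithmetic bug turns into a heap overflow: the decoder
   fills the buffer row by row, bounded by the real image dimensions rather
   than by the (wrapped) allocation size. Returns the index of the first row
   whose write would end past alloc_size, or -1 if every row fits. Pure
   arithmetic: nothing is actually allocated or written. */
int64_t first_overflowing_row(uint64_t alloc_size, uint64_t width,
                              uint64_t height, uint64_t bpp) {
    uint64_t row_bytes = width * bpp;
    for (uint64_t row = 0; row < height; row++) {
        if ((row + 1) * row_bytes > alloc_size) return (int64_t)row;
    }
    return -1;
}

/* True when the checked path is safe for these dimensions: either the
   request is rejected (so nothing is allocated) or every row fits. */
bool checked_path_is_safe(size_t width, size_t height, size_t bpp) {
    size_t n;
    if (!checked_buffer_size(width, height, bpp, &n)) return true;
    return first_overflowing_row(n, width, height, bpp) == -1;
}

int main(void) {
    /* Constructed dimensions: 65537 x 65536 pixels at 1 byte per pixel needs
       2^32 + 65536 bytes, just past what 32 bits can hold. Only a 64-bit
       process with enough memory could ever allocate such a buffer, which is
       why this class of bug shows up only on 64-bit builds with lots of RAM. */
    uint32_t w = 65537, h = 65536, bpp = 1;

    uint32_t wrapped = unsafe_buffer_size(w, h, bpp);
    printf("32-bit computation allocates %u bytes\n", wrapped);
    printf("first row that overruns it: %lld\n",
           (long long)first_overflowing_row(wrapped, w, h, bpp));

    size_t real;
    if (checked_buffer_size(w, h, bpp, &real))
        printf("checked computation: %zu bytes, first overrun row: %lld\n",
               real, (long long)first_overflowing_row(real, w, h, bpp));
    else
        printf("checked computation: rejected (does not fit in size_t)\n");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The wrapped size is 65536 bytes, so the very first 65537-byte row already runs off the end of the allocation; that is the attacker-controlled heap write the answer describes. The checked version either produces the full 4295032832-byte size on a 64-bit build or, on a 32-bit build where the product cannot be represented in size_t, rejects the request before anything is allocated, which is the only correct outcome there.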