Headline
CVE-2021-29989: Security Vulnerabilities fixed in Firefox ESR 78.13
Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.
Mozilla Foundation Security Advisory 2021-34
Announced
August 10, 2021
Impact
high
Products
Firefox ESR
Fixed in
- Firefox ESR 78.13
#CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
Reporter
pahhur
Impact
high
Description
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash.
Note: This issue only affected Linux operating systems. Other operating systems are unaffected.
References
- Bug 1696138
#CVE-2021-29988: Memory corruption as a result of incorrect style treatment
Reporter
Irvan Kurniawan
Impact
high
Description
Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash.
References
- Bug 1717922
#CVE-2021-29984: Incorrect instruction reordering during JIT optimization
Reporter
Lukas Bernhard
Impact
high
Description
Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
References
- Bug 1720031
#CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
Reporter
Irvan Kurniawan
Impact
high
Description
Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash.
References
- Bug 1722204
#CVE-2021-29985: Use-after-free media channels
Reporter
Marcin ‘Icewall’ Noga of Cisco Talos
Impact
moderate
Description
A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash.
References
- Bug 1722083
#CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
Reporter
Mozilla developers and community
Impact
high
Description
Mozilla developers Christoph Kerschbaumer, Simon Giesecke, Sandor Molnar, and Olli Pettay reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
- Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
Related news
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.