Bug 1330274 (CVE-2016-2810)

Summary: CVE-2016-2810 Mozilla: Content provider permission bypass allows malicious application to access data (MFSA 2016-41)
Product: [Other] Security Response
Reporter: Siddharth Sharma <sisharma>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-09 04:49:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1306172

Description Siddharth Sharma 2016-04-25 18:49:37 UTC
Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. This issue does not occur on Android 5.0 or later versions of Android.

This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

External Reference:

https://www.mozilla.org/security/announce/2016/mfsa2016-41.html

Comment 1 Siddharth Sharma 2016-04-25 18:49:44 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Ken Okuyama