Arch Linux Security Advisory ASA-201502-14
==========================================

Severity: Critical
Date    : 2015-02-25
CVE-ID  : CVE-2015-0819 CVE-2015-0821 CVE-2015-0822 CVE-2015-0823
          CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0827
          CVE-2015-0829 CVE-2015-0830 CVE-2015-0831 CVE-2015-0832
          CVE-2015-0834 CVE-2015-0835 CVE-2015-0836
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 36.0-1 is vulnerable to multiple
issues, including denial of service, information leak and remote code
execution.

Resolution
==========

Upgrade to 36.0-1.

# pacman -Syu "firefox>=36.0-1"

The problem has been fixed upstream in version 36.0.

Workaround
==========

None.

Description
===========

- CVE-2015-0819 (tab spoofing):
  Mozilla developer Matthew Noorenberghe reported that whitelisted
  Mozilla domains could make UITour API calls while the UI Tour pages for
  Firefox are present in background tabs. If one of these Mozilla domains
  was compromised and open in another tab, an attacker could then use
  that tab to engage in spoofing and clickjacking in any foreground tab.

- CVE-2015-0821:
  Security researcher Armin Razmdjou reported that opening hyperlinks on
  a page with the mouse and specific keyboard key combinations could
  allow a Chrome privileged URL to be opened without context restrictions
  being preserved. This could also allow local files or resources from a
  known location to be opened with local privileges, bypassing security
  protections.

- CVE-2015-0822 (information leak):
  Security researcher Armin Razmdjou reported that a user readable file
  in a known local path could be uploaded to a malicious site. This was
  done by manipulating the autocomplete feature in a form and user
  interaction with it. While the local file is not visibly uploaded
  through the form, its contents are made available through the Document
  Object Model (DOM) to script content on the attacking page, leading to
  information disclosure.

- CVE-2015-0823 (use-after-free):
  Using the Address Sanitizer tool, security researcher Atte Kettunen
  found a problem with OpenType Sanitiser (OTS) that resulted in a
  use-after-free while expanding macros in some circumstances. This
  use-after-free was only used for information displayed in the developer
  console and was not exploitable.

- CVE-2015-0824 (denial of service):
  Security researcher Atte Kettunen used the Address Sanitizer tool to
  discover a crash while drawing images through the Cairo graphics
  library while using the DrawTarget function. This can result in a
  segmentation fault due to zero-ing out of memory outside the bounds of
  the image.

- CVE-2015-0825 (information leak):
  Security researcher Atte Kettunen used the Address Sanitizer tool to
  discover a buffer underflow during audio playback of badly formatted
  MP3 audio files. Through memory allocation manipulation it may be
  possible to incorporate parts of Firefox memory into an MP3 stream
  accessible to scripts on the page.

- CVE-2015-0826 (out-of-bounds read possibly leading to remote code
  execution):
  Security researcher Atte Kettunen used the Address Sanitizer tool to
  discover an out-of-bounds read during the application of restyling and
  reflowing changes of web content using CSS. This results in a
  potentially exploitable crash.

- CVE-2015-0827 (out-of-bounds read and write, possibly leading to remote
  code execution):
  Security researcher Abhishek Arya (Inferno) of the Google Chrome
  Security Team used the Address Sanitizer tool to report an
  out-of-bounds read and an out-of-bounds write when rendering an
  improperly formatted SVG graphic. This could potentially allow the
  attacker to read uninitialized memory.

- CVE-2015-0829 (buffer overflow possibly leading to remote code
  execution):
  Security researcher Pantrombka reported a buffer overflow in the
  libstagefright library during video playback when certain invalid MP4
  video files led to the allocation of a buffer that was too small for
  the content. This led to a potentially exploitable crash.

- CVE-2015-0830 (denial of service):
  Security researcher Daniele Di Proietto discovered that when WebGL
  content crafted in a specific manner wrote strings, it would cause a
  crash when this content was run.

- CVE-2015-0831 (use-after-free, possibly leading to remote code
  execution):
  Security researcher Paul Bandha used the Address Sanitizer tool to
  discover a use-after-free vulnerability when running specific web
  content with IndexedDB to create an index. This leads to a potentially
  exploitable crash.

- CVE-2015-0832 (HPKP and HSTS bypass):
  Security researcher Muneaki Nishimura reported that when certificate
  pinning is set to "strict" mode, a period ('.') appended to a hostname
  in the address of a site allowed the bypass of key pinning (HPKP) and
  HTTP Strict Transport Security (HSTS). Sites with a period appended
  were treated as having a different origin than sites without the
  period. If an attacker had a security certificate for a domain with the
  added period, this would allow for a Man-in-the-middle (MITM) attack on
  users.

- CVE-2015-0834 (information leak):
  Security researcher Alexander Kolesnik reported that while the Mozilla
  platform does not yet support TLS connections to TURN and STUN servers,
  the WebRTC implementation would accept turns: and stuns: URIs and then
  attempt plaintext connections to the servers when these were used. This
  can lead to disclosure of credentials through a Man-in-the-middle
  (MITM) attack as the connection is not encrypted.

- CVE-2015-0835, CVE-2015-0836 (remote code execution):
  Mozilla developers and community identified and fixed several memory
  safety bugs in the browser engine used in Firefox and other
  Mozilla-based products. Some of these bugs showed evidence of memory
  corruption under certain circumstances, and we presume that with enough
  effort at least some of these could be exploited to run arbitrary code.

Impact
======

A remote attacker may be able to access sensitive information from
memory or from files stored locally, crash the browser or execute
arbitrary code.

References
==========

https://www.mozilla.org/en-US/security/advisories/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0819
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0821
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0822
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0823
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0824
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0825
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0826
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0827
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0829
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0830
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0831
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0832
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0834
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0835
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0836
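As an added illustration (not part of this advisory and not Mozilla's code), the following Python sketch shows the lookup pattern behind the CVE-2015-0832 HPKP/HSTS bypass described above: a literal host-name lookup misses the recorded policy for a name with a trailing period, while canonicalising the host first closes the gap. The host names, policy values and pin identifiers are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class HostPolicy:
    hsts: bool                 # HTTP Strict Transport Security recorded for host
    include_subdomains: bool   # policy also covers subdomains
    pins: frozenset            # constructed HPKP pin identifiers (not real SPKI hashes)


# Constructed per-site security state, keyed by host name as a browser would store it.
SITE_STATE = {
    "example.com": HostPolicy(hsts=True, include_subdomains=True,
                              pins=frozenset({"pin-sha256-A", "pin-sha256-B"})),
}


def canonical_host(host: str) -> str:
    """Normalise a host before any security-state lookup.

    A trailing period names the same DNS host, so it must not create a
    distinct origin for HSTS/HPKP purposes (the root cause of CVE-2015-0832).
    """
    return host.strip().lower().rstrip(".")


def _walk_labels(host: str):
    # Exact match first, then parent domains that set includeSubDomains.
    labels = host.split(".")
    for i in range(len(labels)):
        policy = SITE_STATE.get(".".join(labels[i:]))
        if policy and (i == 0 or policy.include_subdomains):
            return policy
    return None


def lookup_policy_vulnerable(host: str):
    """Literal lookup: 'example.com.' never matches 'example.com' (the bug)."""
    return _walk_labels(host.lower())


def lookup_policy_fixed(host: str):
    """Same lookup after canonicalisation (the fix)."""
    return _walk_labels(canonical_host(host))


def connection_allowed(host, scheme, presented_pins, lookup=lookup_policy_fixed):
    """Apply HSTS and HPKP to a proposed connection; True means it may proceed.

    No recorded policy means nothing to enforce, which is why a missed lookup
    silently disables both protections. A real browser upgrades http to https
    under HSTS; here a plain-http attempt is simply reported as not allowed.
    """
    policy = lookup(host)
    if policy is None:
        return True
    if policy.hsts and scheme != "https":
        return False
    return not policy.pins or bool(policy.pins & set(presented_pins))
```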