Arch Linux Security Advisory ASA-201509-9
=========================================

Severity: Critical
Date    : 2015-09-23
CVE-ID  : CVE-2015-4500 CVE-2015-4501 CVE-2015-4502 CVE-2015-4504 CVE-2015-4506
          CVE-2015-4507 CVE-2015-4508 CVE-2015-4509 CVE-2015-4510 CVE-2015-4511
          CVE-2015-4512 CVE-2015-4516 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520
          CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176
          CVE-2015-7177 CVE-2015-7180
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 41.0-1 is vulnerable to multiple issues.

Resolution
==========

Upgrade to 41.0-1.

# pacman -Syu "firefox>=41.0-1"

The problem has been fixed upstream in version 41.0.

Workaround
==========

None.

Description
===========

- CVE-2015-4500 (Memory safety bugs fixed in Firefox ESR 38.3 and Firefox 41):
  Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major,
  Andrew McCreight and Cameron McCormack reported memory safety problems and
  crashes that affect Firefox ESR 38.2 and Firefox 40. Some of these bugs showed
  evidence of memory corruption under certain circumstances, and Mozilla presumes
  that with enough effort at least some of these could be exploited to run
  arbitrary code.

- CVE-2015-4501 (Memory safety bugs fixed in Firefox 41):
  Bob Clary and Randell Jesup reported crash and memory safety problems that
  affect Firefox 40. Mozilla developers and community identified and fixed
  several memory safety bugs in the browser engine used in Firefox and other
  Mozilla-based products. Some of these bugs showed evidence of memory corruption
  under certain circumstances, and Mozilla presumes that with enough effort at
  least some of these could be exploited to run arbitrary code.

- CVE-2015-4502 (Scripted proxies can access inner window):
  Security researcher André Bargull reported that when a web page creates a
  scripted proxy for the window with a handler defined a certain way, a
  reference to the inner window is passed rather than that of the outer window,
  in violation of the specification.

- CVE-2015-4504 (Out of bounds read in QCMS library with ICC V4 profile attributes):
  Security researcher Felix Gröbert of Google discovered an out of bounds read in
  the QCMS color management library while manipulating an image with specific
  attributes in its ICC V4 profile. This causes a crash and could lead to
  information disclosure.

- CVE-2015-4506 (Buffer overflow in libvpx while parsing vp9 format video):
  Security researcher Khalil Zhani reported that a maliciously crafted vp9 format
  video could be used to trigger a buffer overflow while parsing the file. This
  leads to a potentially exploitable crash due to a flaw in the libvpx library.

- CVE-2015-4507 (Crash when using debugger with SavedStacks in JavaScript):
  Security researcher Spandan Veggalam reported a crash while using the debugger
  API with SavedStacks in JavaScript. This crash can only occur when the debugger
  is in use, but it may be potentially exploitable.

- CVE-2015-4508 (URL spoofing in reader mode):
  Security researcher Juho Nurminen reported a mechanism to spoof the URL
  displayed in the address bar in reader mode by manipulating the loaded URL.
  This flaw allows the URL displayed to differ from that of the web content
  actually rendered. This allows for potential spoofing, but the effects are
  mitigated by the restrictions reader mode places on content when rendering it.

- CVE-2015-4509 (Use-after-free while manipulating HTML media content):
  An anonymous researcher reported, via HP's Zero Day Initiative, a
  use-after-free vulnerability with HTML media elements on a page during script
  manipulation of the URI table of these elements. This results in a potentially
  exploitable crash.

- CVE-2015-4510 (Use-after-free with shared workers and IndexedDB):
  Security researcher Looben Yang discovered a use-after-free vulnerability when
  using a shared worker with IndexedDB, due to a race condition with the worker.
  This results in a potentially exploitable crash that can be triggered through
  web content.

- CVE-2015-4511 (Buffer overflow while decoding WebM video):
  Using the Address Sanitizer tool, security researcher Atte Kettunen discovered
  a buffer overflow in the nestegg library when decoding a WebM format video with
  maliciously formatted headers. This leads to a potentially exploitable crash.

- CVE-2015-4512 (Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems):
  Security researcher Francisco Alonso of the NowSecure Research Team used the
  Address Sanitizer tool to discover an out-of-bounds read during 2D canvas
  rendering. This was due to an issue in the cairo graphics library when surfaces
  are created with 32-bit color depth but displayed on a 16-bit color depth
  system, which is unsupported. This allows an attacker to read memory following
  the heap allocation for the 16-bit surface, leading to information disclosure.

- CVE-2015-4516 (JavaScript immutable property enforcement can be bypassed):
  Mozilla developer Jeff Walden reported that Gecko's implementation of the
  ECMAScript 5 APIs enforces non-configurable properties with logic specific to
  each API. Scripts that do not go through these APIs can bypass these
  protections and make changes to the immutable properties, in violation of
  security protections. This could potentially allow web content to run in a
  privileged context, leading to arbitrary code execution.

- CVE-2015-4519 (Dragging and dropping images exposes final URL after redirects):
  Security researcher Mario Gomes reported that when a previously loaded image on
  a page is dragged and dropped into content after a redirect, the redirected URL
  is available to scripts. This is a violation of the Fetch specification's
  defined behavior for "Atomic HTTP redirect handling", which states that
  redirected URLs are not exposed to any APIs. This can allow for information
  leakage.

- CVE-2015-4520 (Errors in the handling of CORS preflight request headers):
  Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource
  sharing (CORS) "preflight" requests. The first issue is that in some
  circumstances the same cache key can be generated for two preflight requests on
  a site. As a result, if a second request is made that matches the cached key
  generated by an earlier request, CORS checks are bypassed because the system
  treats the previously cached request as applicable. In the second issue, when
  some Access-Control-* headers are missing from a CORS response, the values of
  other Access-Control-* headers present in the same response can be used in
  their place.

- CVE-2015-4517 (Memory-safety bugs in NetworkUtils.cpp generally),
  CVE-2015-4521 (Memory-safety bugs in ConvertDialogOptions),
  CVE-2015-4522 (Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers),
  CVE-2015-7174 (Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug),
  CVE-2015-7175 (Overflow in XULContentSinkImpl::AddText causes memory-safety bug),
  CVE-2015-7176 (Bad sscanf argument in AnimationThread overruns stack variable),
  CVE-2015-7177 (Memory-safety bug in InitTextures),
  CVE-2015-7180 (Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug):
  Security researcher Ronald Crane reported eight vulnerabilities affecting
  released code that were found through code inspection. These included several
  potential memory safety issues resulting from the use of snprintf, one use of
  unowned memory, one use of a string without overflow checks, and five memory
  safety bugs. Not all of these have a clear mechanism by which they can be
  exploited through web content, but they are vulnerable if a mechanism can be
  found to trigger them.
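Illustration (added here; this is example code, not Firefox source and not part of the Mozilla or Arch advisory text): two of the bug classes named in the last group above, an sscanf conversion with no field width that overruns a stack buffer, and an snprintf return value used as an offset without checking for truncation, each shown beside a hardened form. The function names and the "name=..." line format are hypothetical.

```c
/* Example code illustrating the sscanf and snprintf bug classes listed in
 * the advisory. Not Firefox code; names and input format are invented. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN   16
#define NAME_WIDTH "15"   /* NAME_LEN - 1, as a string for the format */

/* Vulnerable pattern: "%s" has no width, so a field longer than
 * NAME_LEN-1 characters overruns the stack buffer `name`.
 * Kept only to show the shape of the bug; never feed it untrusted input. */
int parse_name_unbounded(const char *line, char *out, size_t out_len)
{
    char name[NAME_LEN];
    if (sscanf(line, "name=%s", name) != 1)
        return -1;
    strncpy(out, name, out_len - 1);
    out[out_len - 1] = '\0';
    return 0;
}

/* Hardened form: the field width bounds the conversion, and %n records
 * how much input was consumed so an oversized field is rejected rather
 * than silently truncated. */
int parse_name_bounded(const char *line, char *out, size_t out_len)
{
    char name[NAME_LEN];
    int consumed = 0;
    if (sscanf(line, "name=%" NAME_WIDTH "s%n", name, &consumed) != 1)
        return -1;
    char next = line[consumed];
    if (next != '\0' && next != ' ' && next != '\n')
        return -1;   /* more field characters remain: input did not fit */
    strncpy(out, name, out_len - 1);
    out[out_len - 1] = '\0';
    return 0;
}

/* Vulnerable pattern: snprintf returns the length it *wanted* to write,
 * not what it wrote. Once output is truncated, `off` passes `cap`,
 * `cap - off` wraps to a huge size_t and the next call writes past buf. */
size_t format_unchecked(char *buf, size_t cap, const char *a, const char *b)
{
    size_t off = 0;
    off += (size_t)snprintf(buf + off, cap - off, "%s", a);
    off += (size_t)snprintf(buf + off, cap - off, ",%s", b);
    return off;
}

/* Hardened form: every append checks the return value against the
 * remaining space and reports truncation instead of advancing past it. */
static int append(char *buf, size_t cap, size_t *off, const char *s)
{
    int n = snprintf(buf + *off, cap - *off, "%s", s);
    if (n < 0 || (size_t)n >= cap - *off)
        return -1;       /* error or truncated: buf stays NUL-terminated */
    *off += (size_t)n;
    return 0;
}

int format_checked(char *buf, size_t cap, const char *a, const char *b,
                   size_t *out_len)
{
    size_t off = 0;
    if (cap == 0)
        return -1;
    buf[0] = '\0';
    if (append(buf, cap, &off, a) < 0 ||
        append(buf, cap, &off, ",") < 0 ||
        append(buf, cap, &off, b) < 0)
        return -1;
    *out_len = off;
    return 0;
}

int main(void)
{
    char out[32], buf[8];
    size_t n = 0;
    /* Constructed inputs: a short field that fits and a long one that does not. */
    printf("short : %d\n", parse_name_bounded("name=alice extra", out, sizeof out));
    printf("long  : %d\n", parse_name_bounded("name=thisnameiswaytoolongforthebuffer", out, sizeof out));
    printf("fits  : %d\n", format_checked(buf, sizeof buf, "ab", "cd", &n));
    printf("trunc : %d\n", format_checked(buf, sizeof buf, "abcdef", "gh", &n));
    return 0;
}
```

The unchecked variants are included only for comparison; compiling with -fsanitize=address and calling them with oversized input shows the stack and heap overruns the advisory describes.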
Impact
======

A remote attacker might be able to spoof the URL displayed in the address bar,
steal sensitive information, crash the browser or execute arbitrary code on the
affected host.

References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefo...
https://access.redhat.com/security/cve/CVE-2015-4500
https://access.redhat.com/security/cve/CVE-2015-4501
https://access.redhat.com/security/cve/CVE-2015-4502
https://access.redhat.com/security/cve/CVE-2015-4504
https://access.redhat.com/security/cve/CVE-2015-4506
https://access.redhat.com/security/cve/CVE-2015-4507
https://access.redhat.com/security/cve/CVE-2015-4508
https://access.redhat.com/security/cve/CVE-2015-4509
https://access.redhat.com/security/cve/CVE-2015-4510
https://access.redhat.com/security/cve/CVE-2015-4511
https://access.redhat.com/security/cve/CVE-2015-4512
https://access.redhat.com/security/cve/CVE-2015-4516
https://access.redhat.com/security/cve/CVE-2015-4517
https://access.redhat.com/security/cve/CVE-2015-4519
https://access.redhat.com/security/cve/CVE-2015-4520
https://access.redhat.com/security/cve/CVE-2015-4521
https://access.redhat.com/security/cve/CVE-2015-4522
https://access.redhat.com/security/cve/CVE-2015-7174
https://access.redhat.com/security/cve/CVE-2015-7175
https://access.redhat.com/security/cve/CVE-2015-7176
https://access.redhat.com/security/cve/CVE-2015-7177
https://access.redhat.com/security/cve/CVE-2015-7180