Arch Linux Security Advisory ASA-201412-3
=========================================

Severity: Critical
Date    : 2014-12-03
CVE-ID  : CVE-2014-1587 CVE-2014-1588 CVE-2014-1589 CVE-2014-1590
          CVE-2014-1591 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594
          CVE-2014-8631 CVE-2014-8632
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package firefox before version 34.0.5-1 is vulnerable to multiple
issues, including denial of service, information leak and remote code
execution.

Resolution
==========

Upgrade to 34.0.5-1.

# pacman -Syu "firefox>=34.0.5-1"

The problem has been fixed upstream in version 34.0.5.

Workaround
==========

None.

Description
===========

CVE-2014-1587:
Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas
Werner reported memory safety problems and crashes that affect Firefox
ESR 31.2 and Firefox 33.

CVE-2014-1588:
Christian Holler, Gary Kwong, Jon Coppeard, Eric Rahm, Byron Campen, Eric
Rescorla, and Xidorn Quan reported memory safety problems and crashes that
affect Firefox 33.

CVE-2014-1589:
Security researcher Cody Crews reported a method to trigger chrome-level
XML Binding Language (XBL) bindings through web content. This was possible
because some chrome-accessible CSS stylesheets had their primary namespace
improperly declared. When this occurred, it was possible to use these
stylesheets to manipulate XBL bindings, allowing web content to bypass
security restrictions. This issue was limited to a specific set of
stylesheets.

CVE-2014-1590:
Security researcher Joe Vennix from Rapid7 reported that passing a
JavaScript object that mimics an input stream to XMLHttpRequest will
cause a crash. This crash is not exploitable and can only be used for
denial of service attacks.
CVE-2014-1591:
Security researcher Muneaki Nishimura discovered that Content Security
Policy (CSP) violation reports triggered by a redirect did not remove path
information as required by the CSP specification. This potentially reveals
information about the redirect that would not otherwise be known to the
original site. This could be used by a malicious site to obtain sensitive
information such as usernames or single-sign-on tokens encoded within the
target URLs.

CVE-2014-1592:
Security researcher Berend-Jan Wever reported a use-after-free created by
triggering the creation of a second root element while parsing HTML
written to a document created with document.open(). This leads to a
potentially exploitable crash.

CVE-2014-1593:
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security
Team used the Address Sanitizer tool to discover a buffer overflow during
the parsing of media content. This leads to a potentially exploitable
crash.

CVE-2014-1594:
Security researchers Byoungyoung Lee, Chengyu Song, and Taesoo Kim at the
Georgia Tech Information Security Center (GTISC) reported a bad cast from
BasicThebesLayer to BasicContainerLayer, resulting in undefined behavior.
This behavior is potentially exploitable with some compilers, but no clear
mechanism to trigger it through web content was identified.

CVE-2014-8631:
CVE-2014-8632:
Privileged access to security-wrapped protected objects. Both of these
issues could allow web content to access DOM objects that are intended to
be chrome-only.

Impact
======

A remote attacker controlling a malicious website, or in a
man-in-the-middle position, might be able to steal sensitive information,
crash the Firefox browser or execute arbitrary code.
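The CSP requirement behind CVE-2014-1591 is that a violation report must
only disclose the origin of a blocked resource when that resource is
cross-origin or was reached through a redirect. The following added
example models that "strip URI for reporting" rule in Python; it is not
Mozilla's or Arch's code, the function names are hypothetical, and
treating every redirected URL as origin-only is this model's assumption.

```python
# Illustrative model of CSP URI stripping for violation reports (not Firefox's
# code); the "redirected => origin only" rule is this example's assumption.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """ASCII serialization of a URL's origin: scheme://host[:port]."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def strip_uri_for_reporting(uri, protected_resource, redirected=False):
    """Non-http(s): scheme only. Cross-origin or redirected: origin only
    (no path/query, so SSO tokens in a redirect target never leak).
    Same-origin without redirect: the URL minus its fragment."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("http", "https"):
        return scheme
    if redirected or origin_of(uri) != origin_of(protected_resource):
        return origin_of(uri)
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def build_violation_report(document_uri, blocked_uri, directive, redirected=False):
    """JSON body of a report-uri POST, with both URLs stripped."""
    return {
        "csp-report": {
            "document-uri": strip_uri_for_reporting(document_uri, document_uri),
            "blocked-uri": strip_uri_for_reporting(blocked_uri, document_uri, redirected),
            "violated-directive": directive,
        }
    }


if __name__ == "__main__":
    # Constructed sample: an image load redirected to an SSO URL carrying a token.
    print(build_violation_report("https://app.example.net/dashboard#top",
                                 "https://sso.example.com/login?token=SECRET",
                                 "img-src 'self'", redirected=True))
```

Without the redirect rule the report would carry the full
`/login?token=SECRET` path back to the reporting site, which is exactly
the disclosure the advisory describes.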
References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1587
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1588
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1589
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1590
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1591
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1592
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1593
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1594
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8631
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8632
https://www.mozilla.org/fr/security/known-vulnerabilities/firefox/