[arch-security] [ASA-201511-2] firefox: multiple issues
Arch Linux Security Advisory ASA-201511-2
=========================================

Severity: Critical
Date    : 2015-11-04
CVE-ID  : CVE-2015-4513 CVE-2015-4514 CVE-2015-4515 CVE-2015-4518 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7187 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7195 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 42.0-1 is vulnerable to multiple issues, including but not limited to information leak, policy bypass and remote code execution.

Resolution
==========

Upgrade to 42.0-1.

# pacman -Syu "firefox>=42.0-1"

The problem has been fixed upstream in version 42.0.

Workaround
==========

None.

Description
===========

- CVE-2015-4513 (Miscellaneous memory safety hazards):

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and Gary Kwong reported memory safety problems and crashes that affect Firefox ESR 38.3 and Firefox 41.

- CVE-2015-4514 (Miscellaneous memory safety hazards):

Christian Holler, Andrew McCreight, Georg Fritzsche, Tyson Smith, and Carsten Book reported crash and memory safety problems that affect Firefox 41.

- CVE-2015-4515 (Information disclosure through NTLM authentication):

Security researcher Tim Brown reported that Firefox discloses the hostname and possibly the Windows domain through NTLM-based HTTP authentication when sending type 3 messages as part of the authentication exchange. This is because the Workstation field is populated with the hostname of the system making the request. An attacker can craft a malicious page that sends a silent NTLM request, disclosing the information without any visibility in the client. This is mitigated because NTLM v1 is disabled in default configurations.
- CVE-2015-4518 (CSP bypass due to permissive Reader mode whitelist):

Security researcher Mario Heiderich reported an issue where the security protections of Reader mode in Firefox can be bypassed, allowing scripts to be run. Mozilla developer Frederik Braun independently discovered and reported the same issue. This issue happens even though Reader View explicitly disables script for rendered pages through a whitelist of allowed HTML content. Mario discovered that the whitelist was too permissive and that a malicious site could manipulate content to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.

- CVE-2015-7181, CVE-2015-7182 (NSS memory corruption issues):

Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and a buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS versions 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR respectively, as well as in NSS 3.20.1.

- CVE-2015-7183 (NSPR overflow in PL_ARENA_ALLOCATE can lead to crash, potential memory corruption):

Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10.

- CVE-2015-7187 (Disabling scripts in Add-on SDK panels has no effect):

Add-on authors Jason Hamilton and Peter Arremann, with AMO editor Sylvain Giroux, reported a vulnerability when a panel is created using the Add-on SDK in a browser extension. Defining a panel with script: false is supposed to disable script execution, but it was found that inline script would still execute.
This flaw allows for the potential execution of script content in an extension when it has been explicitly disallowed. The potential impact of this flaw depends on whether the add-on was relying on script: false as a security mechanism and on the location from which the panel content was loaded. No add-ons served from addons.mozilla.org are vulnerable to this flaw, but add-ons installed from third party sites may be.

- CVE-2015-7188 (Trailing whitespace in IP address hostnames can bypass same-origin policy):

Security researcher Michał Bentkowski reported that adding white-space characters to hostnames that are IP addresses can bypass the same-origin policy. This flaw was caused by trailing whitespace being evaluated differently when parsing IP addresses than when parsing alphanumeric hostnames. This could lead to a cross-site scripting (XSS) attack.

- CVE-2015-7189 (Buffer overflow during image interactions in canvas):

Security researcher Looben Yang reported a buffer overflow in the JPEGEncoder function during script interactions with a canvas element. This is caused by a race condition and incorrectly matched sizes following image interactions. This leads to a potentially exploitable crash.

- CVE-2015-7193 (CORS preflight is bypassed when non-standard Content-Type headers are received):

Security researcher Shinto K Anto reported an issue with cross-origin resource sharing (CORS) "preflight" requests when receiving certain Content-Type headers. This is due to an implementation error that resulted in trying to process multiple media types when they are returned in the Content-Type headers from a server. This is disallowed in the CORS specification and results in a simple request instead of a "preflight" request, leading to a potential same-origin policy violation.

- CVE-2015-7194 (Memory corruption in libjar through zip files):

Security researcher Gustavo Grieco reported a buffer underflow in libjar triggered through a maliciously crafted ZIP format file.
This results in a potentially exploitable crash.

- CVE-2015-7195 (Certain escaped characters in host of Location-header are being treated as non-escaped):

Security researcher Frans Rosén reported that URLs with certain escaped characters in hostnames are parsed incorrectly. This leads to parsing being abandoned when an affected escaped character is encountered, followed by a navigation to the previously parsed version of the URL. When combined with a site allowing for navigation redirection that allows for escaped characters, this could lead to potential extraction of site specific tokens.

- CVE-2015-7196 (JavaScript garbage collection crash with Java applet):

Mozilla community member Vytautas Staraitis reported an issue with the interaction of Java applets and JavaScript. The Java plugin can deallocate a JavaScript wrapper while it is still in use, which leads to a JavaScript garbage collection crash. This crash is potentially exploitable. This issue only affects systems where Java is installed and enabled as a browser plugin. Other systems are unaffected.

- CVE-2015-7197 (Mixed content WebSocket policy bypass through workers):

Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass the secure-connection requirements for WebSockets when workers are used to create them. This allows the mixed content WebSocket policy to be bypassed.

- CVE-2015-7198, CVE-2015-7199, CVE-2015-7200 (Vulnerabilities found through code inspection):

Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These include a buffer overflow in the ANGLE graphics library and two cases of missing status checks, in SVG rendering and during cryptographic key manipulation. These do not all have clear mechanisms to be exploited through web content, but are vulnerable if a mechanism can be found to trigger them.
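To make the CVE-2015-4515 disclosure concrete, the following is an added example (not part of this advisory, of Firefox or of Mozilla's code) that parses an NTLM AUTHENTICATE_MESSAGE (type 3) as carried in an HTTP Authorization header, pulls out the Domain, User and Workstation fields, and flags type 3 messages sent to hosts outside an assumed internal domain suffix (".corp.example"). The message layout follows MS-NLMP section 2.2.1.3; the builder, the sample messages and the "<destination host> <Authorization value>" log lines are constructed here so the script runs offline.

```python
"""Parse NTLM type 3 (AUTHENTICATE_MESSAGE) tokens and flag the fields they leak.

Added example, not part of the Arch advisory or of Firefox. Layout per MS-NLMP
2.2.1.3; the sample messages and log lines below are constructed test data.
"""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # payload strings are UTF-16LE, else OEM
# (field name, offset of its 8-byte Len/MaxLen/BufferOffset descriptor)
TYPE3_FIELDS = (
    ("lm_response", 12),
    ("nt_response", 20),
    ("domain", 28),
    ("user", 36),
    ("workstation", 44),
    ("session_key", 52),
)
FLAGS_OFFSET = 60
HEADER_LEN = 88  # signature, type, 6 descriptors, flags, Version (8), MIC (16)
STRING_FIELDS = ("domain", "user", "workstation")


def build_type3(domain, user, workstation, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a minimal type 3 message with empty challenge responses (test data)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"  # OEM assumed cp437
    values = {"domain": domain.encode(enc), "user": user.encode(enc),
              "workstation": workstation.encode(enc)}
    payload = b""
    descriptors = []
    for name, _ in TYPE3_FIELDS:
        data = values.get(name, b"")
        descriptors.append(struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload)))
        payload += data
    header = NTLM_SIGNATURE + struct.pack("<I", 3) + b"".join(descriptors)
    header += struct.pack("<I", flags) + bytes(8) + bytes(16)  # flags, Version, MIC zeroed
    return header + payload


def parse_type3(blob):
    """Return the fields of a raw type 3 message, or None if it is not one."""
    if len(blob) < HEADER_LEN or not blob.startswith(NTLM_SIGNATURE):
        return None
    if struct.unpack_from("<I", blob, 8)[0] != 3:
        return None
    flags = struct.unpack_from("<I", blob, FLAGS_OFFSET)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    fields = {}
    for name, desc_off in TYPE3_FIELDS:
        length, _max_len, offset = struct.unpack_from("<HHI", blob, desc_off)
        if offset + length > len(blob):
            return None  # descriptor points past the message: malformed
        data = blob[offset:offset + length]
        fields[name] = data.decode(enc, "replace") if name in STRING_FIELDS else data
    return fields


def type3_from_authorization(header_value):
    """Decode an 'Authorization: NTLM <base64>' value; None for anything else.

    Raw NTLMSSP inside 'Negotiate' is handled too; SPNEGO-wrapped tokens are not.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return parse_type3(blob)


def external_ntlm_auths(log_lines, internal_suffix=".corp.example"):
    """Flag type 3 messages sent to hosts outside the (assumed) internal domain."""
    hits = []
    for line in log_lines:
        host, _, auth = line.partition(" ")
        fields = type3_from_authorization(auth)
        if fields is not None and not host.endswith(internal_suffix):
            hits.append((host, fields["domain"], fields["user"], fields["workstation"]))
    return hits


def _b64(msg):
    return base64.b64encode(msg).decode("ascii")


# constructed log lines: "<destination host> <Authorization header value>"
SAMPLE_LOG = [
    "intranet.corp.example NTLM " + _b64(build_type3("CORP", "alice", "ALICE-PC")),
    "attacker.example NTLM " + _b64(build_type3("CORP", "alice", "ALICE-PC")),
    "cdn.example Basic YWxpY2U6c2VjcmV0",
]

if __name__ == "__main__":
    for host, domain, user, ws in external_ntlm_auths(SAMPLE_LOG):
        print(f"type 3 NTLM sent to {host}: domain={domain} user={user} workstation={ws}")
```

The second sample line is the case the advisory describes: a type 3 message, with the Workstation field set to the client's hostname, going to a host outside the organisation. Run over captured request headers (the Authorization header is usually not in standard access logs), the same check shows which external hosts received NTLM credentials material and machine names from a browser.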
Impact
======

A remote attacker can cause a denial of service, access sensitive information or execute arbitrary code.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-117/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-118/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-121/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-122/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-128/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-130/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://access.redhat.com/security/cve/CVE-2015-4513
https://access.redhat.com/security/cve/CVE-2015-4514
https://access.redhat.com/security/cve/CVE-2015-4515
https://access.redhat.com/security/cve/CVE-2015-4518
https://access.redhat.com/security/cve/CVE-2015-7181
https://access.redhat.com/security/cve/CVE-2015-7182
https://access.redhat.com/security/cve/CVE-2015-7183
https://access.redhat.com/security/cve/CVE-2015-7187
https://access.redhat.com/security/cve/CVE-2015-7188
https://access.redhat.com/security/cve/CVE-2015-7189
https://access.redhat.com/security/cve/CVE-2015-7193
https://access.redhat.com/security/cve/CVE-2015-7194
https://access.redhat.com/security/cve/CVE-2015-7195
https://access.redhat.com/security/cve/CVE-2015-7196
https://access.redhat.com/security/cve/CVE-2015-7197
https://access.redhat.com/security/cve/CVE-2015-7198
https://access.redhat.com/security/cve/CVE-2015-7199
https://access.redhat.com/security/cve/CVE-2015-7200
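To check a fleet against the Resolution section without relying on pacman being present on the machine doing the check, here is an added example (not part of the advisory, of Arch Linux or of pacman) that re-implements the comparison rules of pacman's vercmp, i.e. libalpm's alpm_pkg_vercmp and rpmvercmp over [epoch:]version[-release], in pure Python and applies them to lines in `pacman -Q firefox` format against the fixed version 42.0-1. The sample lines are constructed; only the installed_version helper shells out to pacman, and the offline self-check never calls it.

```python
"""Compare an installed firefox version with the advisory's fixed version.

Added example, not part of the advisory or of pacman. vercmp() below follows
the rules of libalpm's alpm_pkg_vercmp/rpmvercmp ([epoch:]version[-release])
so the comparison runs without pacman; the sample lines are constructed.
"""
import subprocess

FIXED_VERSION = "42.0-1"  # from the Resolution section


def _split_evr(full):
    """Split '[epoch:]version[-release]' the way libalpm's parseEVR does."""
    epoch, sep, rest = full.partition(":")
    if not sep:
        epoch, rest = "0", full
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, None
    return epoch, version, release


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (libalpm rpmvercmp rules)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators; a different number of them on each side decides
        start_i, start_j = i, j
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        if i - start_i != j - start_j:
            return -1 if i - start_i < j - start_j else 1
        # next segment is all digits or all letters, keyed on a's first char
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        end_i = i
        while end_i < len(a) and same_kind(a[end_i]):
            end_i += 1
        end_j = j
        while end_j < len(b) and same_kind(b[end_j]):
            end_j += 1
        seg_a, seg_b = a[i:end_i], b[j:end_j]
        if not seg_b:
            return 1 if isnum else -1  # a numeric segment beats an alpha one
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = end_i, end_j
    if i >= len(a) and j >= len(b):
        return 0
    # a leftover alpha suffix never wins ("1.0a" < "1.0"); leftover digits do
    if (i >= len(a) and not b[j].isalpha()) or (i < len(a) and a[i].isalpha()):
        return -1
    return 1


def vercmp(a, b):
    """pacman's vercmp: epoch, then version, then release if both carry one."""
    epoch_a, ver_a, rel_a = _split_evr(a)
    epoch_b, ver_b, rel_b = _split_evr(b)
    ret = rpmvercmp(epoch_a, epoch_b)
    if ret == 0:
        ret = rpmvercmp(ver_a, ver_b)
        if ret == 0 and rel_a is not None and rel_b is not None:
            ret = rpmvercmp(rel_a, rel_b)
    return ret


def is_vulnerable(pacman_q_line, fixed=FIXED_VERSION, package="firefox"):
    """True if a 'pacman -Q <package>' output line shows a version older than `fixed`."""
    name, _, version = pacman_q_line.strip().partition(" ")
    if name != package or not version:
        raise ValueError(f"unexpected pacman -Q output: {pacman_q_line!r}")
    return vercmp(version, fixed) < 0


def installed_version(package="firefox"):
    """Query a live Arch system; not used by the offline self-check below."""
    out = subprocess.run(["pacman", "-Q", package], capture_output=True, text=True, check=True)
    return out.stdout.strip()


# constructed sample lines in `pacman -Q` output format
SAMPLES = ["firefox 41.0.2-1", "firefox 42.0-1", "firefox 42.0.1-1",
           "firefox 42.0-0.1", "firefox 1:41.0-1"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "-> vulnerable" if is_vulnerable(line) else "-> fixed")
```

Two of the sample lines are the cases a naive string or tuple comparison gets wrong: 42.0-0.1 is a pre-release pkgrel and sorts before 42.0-1, and an epoch (1:41.0-1) outranks any un-epoched version, so both must be handled exactly as pacman does or the check will misreport hosts.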
Remi Gacogne