[arch-security] [ASA-201512-9] firefox: multiple issues
Arch Linux Security Advisory ASA-201512-9
=========================================

Severity: Critical
Date    : 2015-12-15
CVE-ID  : CVE-2015-7201 CVE-2015-7202 CVE-2015-7203 CVE-2015-7204
          CVE-2015-7205 CVE-2015-7207 CVE-2015-7208 CVE-2015-7210
          CVE-2015-7211 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214
          CVE-2015-7215 CVE-2015-7216 CVE-2015-7217 CVE-2015-7218
          CVE-2015-7219 CVE-2015-7220 CVE-2015-7221 CVE-2015-7222
          CVE-2015-7223
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 43.0-1 is vulnerable to multiple issues
including but not limited to arbitrary code execution, denial of service,
information disclosure, same-origin policy bypass, cookie injection, URL
spoofing and privilege escalation.

Resolution
==========

Upgrade to 43.0-1.

# pacman -Syu "firefox>=43.0-1"

The problems have been fixed upstream in version 43.0.

Workaround
==========

None.

Description
===========

- CVE-2015-7201 CVE-2015-7202 (arbitrary code execution)

Mozilla developers and community identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of these
could be exploited to run arbitrary code.

- CVE-2015-7203 CVE-2015-7220 CVE-2015-7221 (buffer overflow)

Security researcher Ronald Crane reported three buffer overflows affecting
released code that were found through code inspection. They do not all have
clear mechanisms to be exploited through web content but are vulnerable if a
mechanism can be found to trigger them.

- CVE-2015-7204 (denial of service)

Security researcher Cajus Pollmeier reported crashing during some JavaScript
variable assignments. The issue was caused by an implementation error with
unboxed objects and property storing in the JavaScript engine. This error
could result in a potentially exploitable crash when triggered by JavaScript
content as well as leading to errors on some websites.

- CVE-2015-7205 (information disclosure)

Security researcher Ronald Crane reported an underflow found through code
inspection. This does not have a clear mechanism to be exploited through web
content but could be vulnerable if a means can be found to trigger it.

- CVE-2015-7207 (same-origin policy bypass)

Security researcher cgvwzq reported that it is possible to read cross-origin
URLs following a redirect if performance.getEntries() is used along with an
iframe to host a page. When navigating back in history through script,
content is pulled from the browser cache for the redirected location instead
of going to the original location. This is a same-origin policy violation and
could allow for data theft.

- CVE-2015-7208 (cookie injection)

Security researcher musicDespiteEverything reported an issue when ASCII code
11 (vertical tab) is stored in a cookie in violation of RFC 6265. This may
result in incorrect cookie handling by servers, resulting in the potential
ability to set cookie values and read cookie data from users in concert with
some web servers if the vertical tab character is mishandled during parsing.

- CVE-2015-7210 (arbitrary code execution)

Security researcher Looben Yang reported a use-after-free error in WebRTC
that occurs due to timing issues in WebRTC when closing channels. WebRTC may
still believe it has a data channel open after another WebRTC function has
closed it. This results in attempts to use the now destroyed data channel,
leading to a potentially exploitable crash.

- CVE-2015-7211 (URL spoofing)

Security researcher Abdulrahman Alqabandi reported that when a data: URI is
parsed, the hash ('#') symbol is incorrectly handled, allowing for spoofing
attacks. This issue could result in the wrong URI being displayed as a
location, which can mislead users to believe they are on a different site
than the one loaded.

- CVE-2015-7212 (denial of service)

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security
Team used the Address Sanitizer tool to discover an integer overflow when
allocating textures of extremely large sizes during graphics operations. This
results in a potentially exploitable crash when triggered.

- CVE-2015-7213 (denial of service)

Security researcher Ronald Crane reported a vulnerability found through code
inspection. This issue is an integer overflow while processing an MP4 format
video file: an erroneously small buffer is allocated and then overrun,
resulting in a potentially exploitable crash.

- CVE-2015-7214 (cross-origin restriction bypass)

Security researcher Tsubasa Iinuma reported a mechanism to violate the
same-origin policy using data: and view-source: URIs to confuse protections
and bypass restrictions. This resulted in the ability to read data from
cross-site URLs and local files.

- CVE-2015-7215 (information disclosure)

Security researcher Masato Kinugawa reported a cross-origin information leak
through the error events in web workers. This violates the same-origin policy
and the leaked information could potentially be used by a malicious party to
gather authentication tokens and other data from third-party websites.

- CVE-2015-7216 CVE-2015-7217 (denial of service)

Security researcher Gustavo Grieco reported that on Linux GNOME systems the
dialog for choosing local files uses the operating system's gdk-pixbuf
library to render thumbnails for image file types. This library supports
various image decoders, and Grieco reported that the Jasper and TGA decoders
were unmaintained and have several known vulnerabilities. Firefox has
disabled the use of those decoders in gdk-pixbuf.

- CVE-2015-7218 CVE-2015-7219 (denial of service)

Security researcher Stuart Larsen reported two issues with HTTP/2 resulting
in integer underflows that lead to intentional aborts when the errors are
detected. In the first issue, if a malformed HTTP/2 header frame is received
with only a single byte, an integer underflow can be created in some
circumstances. In the second issue, a malformed HTTP/2 PushPromise frame is
received and the length of the decompressed buffer is miscalculated, leading
to another integer underflow. In both of these instances, more memory is
allocated than is allowed, triggering assertions and intentional aborts (a
denial of service) but no exploitable crashes.

- CVE-2015-7222 (denial of service)

Mozilla developer Gerald Squelart fixed an integer underflow in the
libstagefright library initially reported by Joshua Drake to Google. The
issue occurred while parsing cover metadata in an MP4 format video file,
leading to a buffer overflow. This results in a potentially exploitable crash
and can be triggered by a malformed MP4 file served by web content.

- CVE-2015-7223 (privilege escalation)

Mozilla developer Kris Maglione reported a mechanism where WebExtension APIs
could be used to escalate privilege. This could allow arbitrary web content
to execute code with the privileges of a particular WebExtension when using
these API calls. Depending on the privileges of the extension used, this
could result in personal information theft and cross-site scripting (XSS)
attacks, including theft of browser cookies. This is mitigated by the
requirement to have a WebExtension installed that is vulnerable to this
issue.

Impact
======

A remote attacker is able to execute arbitrary code, perform a denial of
service attack, obtain sensitive information and files, bypass the
same-origin policy, inject arbitrary cookies, spoof the displayed URL and
escalate privileges via various vectors.
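As an added defender-side illustration of the RFC 6265 point behind CVE-2015-7208 (example code written for this page, not from the advisory or from Mozilla): a strict Cookie request-header parser that rejects any pair containing a control character such as vertical tab (0x0B) rather than guessing what the sender meant. The header strings are constructed samples.

```python
import re

# RFC 6265 section 4.1.1: cookie-octet is any printable US-ASCII byte except
# whitespace, DQUOTE, comma, semicolon and backslash. Every CTL, including
# vertical tab (0x0B), falls outside these ranges.
COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
COOKIE_VALUE_RE = re.compile(rf'(?:{COOKIE_OCTET}*|"{COOKIE_OCTET}*")')
# cookie-name is an RFC 2616/7230 token: no CTLs, no separators.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+")


def valid_cookie_pair(name, value):
    """True only if both name and value match the RFC 6265 grammar exactly."""
    return (TOKEN_RE.fullmatch(name) is not None
            and COOKIE_VALUE_RE.fullmatch(value) is not None)


def parse_cookie_header(header):
    """Strictly parse a Cookie request header (RFC 6265 section 5.4).

    Returns (accepted, rejected): accepted maps name -> value for
    well-formed pairs; rejected lists the raw pair strings that violate
    the grammar. A malformed pair is never repaired or partially kept,
    so a stray control character cannot smuggle data into accepted.
    """
    accepted = {}
    rejected = []
    for raw in header.split(";"):
        pair = raw.strip(" \t")          # only SP and HTAB count as OWS
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if not sep or not valid_cookie_pair(name, value):
            rejected.append(raw)
            continue
        accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the first pair carries a vertical tab in its value.
    sample = "session=abc\x0b123; theme=dark"
    ok, bad = parse_cookie_header(sample)
    print("accepted:", ok)          # {'theme': 'dark'}
    print("rejected:", [b.encode() for b in bad])
```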
References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefo...
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7223
participants (1)
-
Levente Polyak