[arch-security] [ASA-201501-6] firefox: multiple issues
Arch Linux Security Advisory ASA-201501-6
=========================================

Severity: Critical
Date    : 2015-01-14
CVE-ID  : CVE-2014-8634 CVE-2014-8635 CVE-2014-8636 CVE-2014-8637
          CVE-2014-8638 CVE-2014-8639 CVE-2014-8640 CVE-2014-8641
          CVE-2014-8642
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 35.0-1 is vulnerable to multiple
issues, including but not limited to remote code execution.

Resolution
==========

Upgrade to 35.0-1.

# pacman -Syu "firefox>=35.0-1"

The problem has been fixed upstream in version 35.0.

Workaround
==========

None.

Description
===========

- CVE-2014-8634 (arbitrary remote code execution)

Christian Holler and Patrick McManus reported memory safety problems and
crashes that affect Firefox ESR 31.3 and Firefox 34.

- CVE-2014-8635 (arbitrary remote code execution)

Christoph Diehl, Christian Holler, Gary Kwong, Jesse Ruderman, Byron
Campen, Terrence Cole, and Nils Ohlmeier reported memory safety problems
and crashes that affect Firefox 34.

- CVE-2014-8636 (arbitrary javascript code execution, privilege
escalation)

Mozilla developer Bobby Holley reported that Document Object Model (DOM)
objects with some specific properties can bypass XrayWrappers. This can
allow web content to confuse privileged code, potentially enabling
privilege escalation.

- CVE-2014-8637 (information leakage)

Google security researcher Michal Zalewski reported that when a
malformed bitmap image is rendered by the bitmap decoder within a
<canvas> element, memory may not always be properly initialized. The
resulting image then uses this uninitialized memory during rendering,
allowing data to potentially leak to web content.

- CVE-2014-8638 (XSRF)

Security researcher Muneaki Nishimura reported that
navigator.sendBeacon() does not follow the cross-origin resource sharing
(CORS) specification. This results in the request from sendBeacon()
lacking an origin header in violation of the W3C Beacon specification
and not being treated as a CORS request. This allows for a potential
Cross-site request forgery (XSRF) attack from malicious websites.

- CVE-2014-8639 (cookie injection)

Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua
University reported that a Web Proxy returning a 407 Proxy
Authentication response with a Set-Cookie header could inject cookies
into the originally requested domain. This could be used for
session-fixation attacks. This attack only allows cookies to be written
but does not allow them to be read.

- CVE-2014-8640 (denial of service)

Security researcher Holger Fuhrmannek used the Address Sanitizer tool to
discover a crash in Web Audio while manipulating timelines. This allowed
for a small block of memory with an uninitialized pointer to be read.
The crash is not exploitable.

- CVE-2014-8641 (remote code execution)

Security researcher Mitchell Harper discovered a read-after-free in
WebRTC due to the way tracks are handled. This results in either a
potentially exploitable crash or incorrect WebRTC behavior.

- CVE-2014-8642 (OCSP bypass)

Brian Smith reported that delegated Online Certificate Status Protocol
(OCSP) responder certificates fail to recognize the
id-pkix-ocsp-nocheck extension. If this extension is present in a
delegated OCSP response signing certificate, it will be discarded if it
is signed by such a certificate. This could result in a user connecting
to a site with a revoked certificate.

Impact
======

An attacker controlling a malicious website or in a man-in-the-middle
position may be able to access sensitive information, exploit existing
sessions, crash the browser, or remotely execute arbitrary code.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8634
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8635
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8636
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8637
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8639
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8640
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8641
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8642
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
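
To check a fleet against the fixed version named in the Resolution section, the following added example (not part of the original advisory) audits collected `pacman -Q firefox` output. The host names, the "host package version" inventory format and the simplified numeric comparison (not pacman's own vercmp) are assumptions.

```python
import re

FIXED = "35.0-1"  # first fixed firefox package version, taken from the advisory
_NUMERIC = re.compile(r"\d+(\.\d+)*")

def parse_version(version):
    """Split '[epoch:]pkgver-pkgrel' into a comparable tuple.

    Simplified stand-in for pacman's vercmp: only dotted numeric versions
    are accepted, anything else raises ValueError so it can be reviewed by hand.
    """
    epoch, _, rest = version.rpartition(":")
    pkgver, _, pkgrel = rest.rpartition("-")
    if epoch and not epoch.isdigit():
        raise ValueError(f"bad epoch in {version!r}")
    if not (_NUMERIC.fullmatch(pkgver) and _NUMERIC.fullmatch(pkgrel)):
        raise ValueError(f"non-numeric version {version!r}")
    as_ints = lambda s: tuple(int(part) for part in s.split("."))
    return (int(epoch or 0), as_ints(pkgver), as_ints(pkgrel))

def audit(lines, package="firefox", fixed=FIXED):
    """Return (vulnerable, unparsed) lists of (host, version) pairs."""
    threshold = parse_version(fixed)
    vulnerable, unparsed = [], []
    for line in lines:
        fields = line.split()
        if len(fields) != 3 or fields[1] != package:
            continue  # other packages or malformed inventory rows
        host, _, version = fields
        try:
            if parse_version(version) < threshold:
                vulnerable.append((host, version))
        except ValueError:
            unparsed.append((host, version))  # needs a manual vercmp check
    return vulnerable, unparsed

# Constructed sample inventory: "<host> <output of pacman -Q firefox>"
SAMPLE = [
    "web01 firefox 34.0.5-1",
    "web02 firefox 35.0-1",
    "dev03 firefox 35.0.1-2",
    "kiosk04 firefox 34.0-3",
    "lab05 firefox 35.0b8-1",
    "lab06 thunderbird 31.3.0-1",
]

if __name__ == "__main__":
    vulnerable, unparsed = audit(SAMPLE)
    for host, version in vulnerable:
        print(f"VULNERABLE {host}: firefox {version} < {FIXED}")
    for host, version in unparsed:
        print(f"REVIEW     {host}: firefox {version} (compare manually)")
```

Hosts listed under REVIEW carry versions the simplified parser does not order; compare those on the host itself with pacman's vercmp utility.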
participants (1)
-
Remi Gacogne