[arch-security] [ASA-201508-4] firefox: multiple issues
Arch Linux Security Advisory ASA-201508-4 ========================================= Severity: Critical Date : 2015-08-12 CVE-ID : CVE-2015-4473 CVE-2015-4474 CVE-2015-4475 CVE-2015-4477 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4482 CVE-2015-4483 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4490 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493 Package : firefox Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package firefox before version 40.0-1 is vulnerable to multiple issues, up to remote code execution. Resolution ========== Upgrade to 40.0-1. # pacman -Syu "firefox>=40.0-1" The problem has been fixed upstream in version 40.0. Workaround ========== None. Description =========== - CVE-2015-4473 (Memory safety bugs fixed in Firefox ESR 38.2 and Firefox 40): Gary Kwong, Christian Holler, and Byron Campen reported memory safety problems and crashes that affect Firefox ESR 38.1 and Firefox 39. - CVE-2015-4474 (Memory safety bugs fixed in Firefox 40): Tyson Smith, Bobby Holley, Chris Coulson, Byron Campen, and Eric Rahm reported memory safety problems and crashes that affect Firefox 39. - CVE-2015-4475 (out of bounds read at mozilla::AudioSink): Security researcher Aki Helin used the Address Sanitizer tool to discover an out-of-bounds read during playback of a malformed MP3 format audio file which switches sample formats. This could trigger a potentially exploitable crash or the reading of out-of-bounds memory content in some circumstances. - CVE-2015-4477 (MediaStream use-after-free): Security researcher SkyLined reported a use-after-free issue in how audio is handled through the Web Audio API during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash. - CVE-2015-4478 (JSON.parse with reviver allows redefining non-configurable properties): Security researcher André Bargull reported non-configurable properties on JavaScript objects can be redefined while parsing JSON in violation of the ECMAScript 6 standard. This allows malicious web content to bypass same-origin policy by editing these properties to arbitrary values. - CVE-2015-4479 (MPEG4 saio Chunk Integer Overflow (libstagefright)): An anonymous researcher reported, via TippingPoint's Zero Day Initiative, reported two integer overflows that could be triggered by a malicious 'saio' chunk in an MPEG4 video, leading to potential arbitrary code execution. This issue was independently reported by security researcher laf.intel. - CVE-2015-4480 (crash in [@ stagefright::SampleTable::isValid() ] with h264 mp4): Security researcher Massimiliano Tomassoli discovered an integer overflow issue when parsing an invalid MPEG4 video. - CVE-2015-4482 (Out of bounds write in mar_read.c): Security researcher Holger Fuhrmannek reported that if the Updater opens a MAR format file with a specially crafted name, an out-of-bounds write will occur. This can lead to a potentially exploitable crash but requires that the malicious MAR format file be present on the local system and the Updater to be run to use it. - CVE-2015-4483 (feed: protocol + POST method => mixed scripting): Security researcher Masato Kinugawa reported that opening a target page using a POST to the url prefixed with the feed: protocol disables the mixed content blocker for that page. This could allow for the risk of a man-in-the-middle (MITM) scripting attack on pages that accidentally include insecure content which would otherwise be blocked. - CVE-2015-4484 (crash in void js::jit::AssemblerX86Shared::lock_addl<js::jit::Imm32>): Security researcher Jukka Jylänki reported a crash that occurs because JavaScript, when using shared memory, does not properly gate access to Atomics or SharedArrayBuffer views in some contexts. This leads to a non-exploitable crash. - CVE-2015-4485 (Heap-buffer-overflow WRITE in resize_context_buffers), - CVE-2015-4486 (Out of bounds read in decrease_ref_count): Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover two buffer overflow issues in the Libvpx library used for WebM video when decoding a malformed WebM video file. These buffer overflows result in potentially exploitable crashes. - CVE-2015-4487 (Overflow nsTSubstring::ReplacePrep causes memory-safety bugs in string library), - CVE-2015-4488 (StyleAnimationValue::operator= uses objects after delete on self-assignment), - CVE-2015-4489 (Self-assignment in nsTArray_Impl causes memory-safety bug): Security researcher Ronald Crane reported three vulnerabilities affecting released code that were found through code inspection. These included one use of unowned memory, one use of a deleted object, and one memory safety bug. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them. - CVE-2015-4490 (Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification): Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but Mozilla's implementation allows these in the case of an asterisk wildcard. This could allow for more permissive CSP usage than expected by a web developer, possibly allowing for cross-site scripting (XSS) attacks. - CVE-2015-4491 (gdk-pixbuf heap overflow and DoS affecting Firefox): Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf affecting Linux systems using Gnome. This issue is triggered by the scaling of a malformed bitmap format image and results in a potentially exploitable crash. - CVE-2015-4492 (Use-after-free in XMLHttpRequest with shared workers): Security researcher Looben Yang discovered a use-after-free vulnerability when recursively calling .open() on an XMLHttpRequest in a SharedWorker. - CVE-2015-4493 (Stagefright: heap-buffer-overflow crash [@stagefright::ESDS::parseESDescriptor]): Mozilla security engineer Tyson Smith used the Address Sanitizer to find a buffer overflow when parsing an MPEG4 video with an invalid size in an ESDS chunk lead to memory corruption. Impact ====== A remote attacker can execute arbitrary code on the affected host. References ========== https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefo... https://access.redhat.com/security/cve/CVE-2015-4473 https://access.redhat.com/security/cve/CVE-2015-4474 https://access.redhat.com/security/cve/CVE-2015-4475 https://access.redhat.com/security/cve/CVE-2015-4477 https://access.redhat.com/security/cve/CVE-2015-4478 https://access.redhat.com/security/cve/CVE-2015-4479 https://access.redhat.com/security/cve/CVE-2015-4480 https://access.redhat.com/security/cve/CVE-2015-4482 https://access.redhat.com/security/cve/CVE-2015-4483 https://access.redhat.com/security/cve/CVE-2015-4484 https://access.redhat.com/security/cve/CVE-2015-4485 https://access.redhat.com/security/cve/CVE-2015-4486 https://access.redhat.com/security/cve/CVE-2015-4487 https://access.redhat.com/security/cve/CVE-2015-4488 https://access.redhat.com/security/cve/CVE-2015-4489 https://access.redhat.com/security/cve/CVE-2015-4490 https://access.redhat.com/security/cve/CVE-2015-4491 https://access.redhat.com/security/cve/CVE-2015-4492 https://access.redhat.com/security/cve/CVE-2015-4493
participants (1)
-
Remi Gacogne