[arch-security] [Arch Linux Security Advisory ASA-201412-3] firefox: multiple issues

Wed Dec 3 09:30:27 UTC 2014

Arch Linux Security Advisory ASA-201412-3
=========================================

Severity: Critical
Date    : 2014-12-03
CVE-ID  : CVE-2014-1587 CVE-2014-1588 CVE-2014-1589 CVE-2014-1590
CVE-2014-1591 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-8631
CVE-2014-8632
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package firefox before version 34.0.5-1 is vulnerable to multiple
issues, including denial of service, information leak and remote code
execution.

Resolution
==========

Upgrade to 34.0.5-1.

# pacman -Syu "firefox>=34.0.5-1"

The problem has been fixed upstream in version 34.0.5.

Workaround
==========

None.

Description
===========

CVE-2014-1587: Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman,
and Max Jonas Werner reported memory safety problems and crashes that
affect Firefox ESR 31.2 and Firefox 33.

CVE-2014-1588: Christian Holler, Gary Kwong, Jon Coppeard, Eric Rahm,
Byron Campen, Eric Rescorla, and Xidorn Quan reported memory safety
problems and crashes that affect Firefox 33.

CVE-2014-1589: Security researcher Cody Crews reported a method to
trigger chrome level XML Binding Language (XBL) bindings through web
content. This was possible because some chrome accessible CSS
stylesheets had their primary namespace improperly declared. When this
occurred, it was possible to use these stylesheets to manipulate XBL
bindings, allowing web content to bypass security restrictions. This
issue was limited to a specific set of stylesheets.

CVE-2014-1590: Security researcher Joe Vennix from Rapid7 reported that
passing a JavaScript object to XMLHttpRequest that mimics an input
stream will a crash. This crash is not exploitable and can only be used
for denial of service attacks.

CVE-2014-1591: Security researcher Muneaki Nishimura discovered that
Content Security Policy (CSP) violation reports triggered by a redirect
did not remove path information as required by the CSP specification.
This potentially reveals information about the redirect that would not
otherwise be known to the original site. This could be used by a
malicious site to obtain sensitive information such as usernames or
single-sign-on tokens encoded within the target URLs.

CVE-2014-1592: Security researcher Berend-Jan Wever reported a
use-after-free created by triggering the creation of a second root
element while parsing HTML written to a document created with
document.open(). This leads to a potentially exploitable crash.

CVE-2014-1593: Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team used the Address Sanitizer tool to discover a
buffer overflow during the parsing of media content. This leads to a
potentially exploitable crash.

CVE-2014-1594: Security researchers Byoungyoung Lee, Chengyu Song, and
Taesoo Kim at the Georgia Tech Information Security Center (GTISC)
reported a bad casting from the BasicThebesLayer to BasicContainerLayer,
resulting in undefined behavior. This behavior is potentially
exploitable with some compilers but no clear mechanism to trigger it
through web content was identified.

CVE-2014-8631: CVE-2014-8632: Privileged access to security wrapped
protected objects. Both of these issues could allow web content to
access DOM objects that are intended to be chrome-only.

Impact
======

A remote attacker, controlling a malicious website or in position of
man-in-the-middle might be able to steal sensitive information, crash
the firefox browser or execute arbitrary code.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1587
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1588
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1589
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1590
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1591
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1592
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1593
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1594
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8631
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8632
https://www.mozilla.org/fr/security/known-vulnerabilities/firefox/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141203/6d658e63/attachment.bin>