[arch-security] [Arch Linux Security Advisory ASA-201412-3] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Dec 3 09:30:27 UTC 2014

Arch Linux Security Advisory ASA-201412-3

Severity: Critical
Date    : 2014-12-03
CVE-ID  : CVE-2014-1587 CVE-2014-1588 CVE-2014-1589 CVE-2014-1590
CVE-2014-1591 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-8631
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014


The package firefox before version 34.0.5-1 is vulnerable to multiple
issues, including denial of service, information leak and remote code


Upgrade to 34.0.5-1.

# pacman -Syu "firefox>=34.0.5-1"

The problem has been fixed upstream in version 34.0.5.




CVE-2014-1587: Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman,
and Max Jonas Werner reported memory safety problems and crashes that
affect Firefox ESR 31.2 and Firefox 33.

CVE-2014-1588: Christian Holler, Gary Kwong, Jon Coppeard, Eric Rahm,
Byron Campen, Eric Rescorla, and Xidorn Quan reported memory safety
problems and crashes that affect Firefox 33.

CVE-2014-1589: Security researcher Cody Crews reported a method to
trigger chrome level XML Binding Language (XBL) bindings through web
content. This was possible because some chrome accessible CSS
stylesheets had their primary namespace improperly declared. When this
occurred, it was possible to use these stylesheets to manipulate XBL
bindings, allowing web content to bypass security restrictions. This
issue was limited to a specific set of stylesheets.

CVE-2014-1590: Security researcher Joe Vennix from Rapid7 reported that
passing a JavaScript object to XMLHttpRequest that mimics an input
stream will a crash. This crash is not exploitable and can only be used
for denial of service attacks.

CVE-2014-1591: Security researcher Muneaki Nishimura discovered that
Content Security Policy (CSP) violation reports triggered by a redirect
did not remove path information as required by the CSP specification.
This potentially reveals information about the redirect that would not
otherwise be known to the original site. This could be used by a
malicious site to obtain sensitive information such as usernames or
single-sign-on tokens encoded within the target URLs.

CVE-2014-1592: Security researcher Berend-Jan Wever reported a
use-after-free created by triggering the creation of a second root
element while parsing HTML written to a document created with
document.open(). This leads to a potentially exploitable crash.

CVE-2014-1593: Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team used the Address Sanitizer tool to discover a
buffer overflow during the parsing of media content. This leads to a
potentially exploitable crash.

CVE-2014-1594: Security researchers Byoungyoung Lee, Chengyu Song, and
Taesoo Kim at the Georgia Tech Information Security Center (GTISC)
reported a bad casting from the BasicThebesLayer to BasicContainerLayer,
resulting in undefined behavior. This behavior is potentially
exploitable with some compilers but no clear mechanism to trigger it
through web content was identified.

CVE-2014-8631: CVE-2014-8632: Privileged access to security wrapped
protected objects. Both of these issues could allow web content to
access DOM objects that are intended to be chrome-only.


A remote attacker, controlling a malicious website or in position of
man-in-the-middle might be able to steal sensitive information, crash
the firefox browser or execute arbitrary code.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141203/6d658e63/attachment.bin>

More information about the arch-security mailing list