[arch-security] [ASA-201504-1] firefox: multiple issues

Levente Polyak anthraxx at archlinux.org
Wed Apr 1 01:10:44 UTC 2015


Arch Linux Security Advisory ASA-201504-1
=========================================

Severity: Critical
Date    : 2015-04-01
CVE-ID  : CVE-2015-0801 CVE-2015-0802 CVE-2015-0803 CVE-2015-0804
          CVE-2015-0805 CVE-2015-0806 CVE-2015-0807 CVE-2015-0808
          CVE-2015-0811 CVE-2015-0812 CVE-2015-0813 CVE-2015-0814
          CVE-2015-0815 CVE-2015-0816
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 37.0-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution,
same-origin bypass, information disclosure, cross-site request forgery
and denial of service.

Resolution
==========

Upgrade to 37.0-1.

# pacman -Syu "firefox>=37.0-1"

The problems have been fixed upstream in version 37.0.
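As an added example that is not part of the advisory, the following script decides whether an installed firefox package version is still below the fixed version 37.0-1. It assumes Arch-style "pkgver-pkgrel" strings without an epoch and uses coreutils `sort -V` in place of pacman's `vercmp`, so the comparison can run on any host (the pacman query is only attempted where pacman exists).

```shell
#!/bin/sh
# Added example (not from the advisory): flag firefox package versions
# older than the fixed release named in ASA-201504-1.
# Assumption: versions are "pkgver-pkgrel" without an epoch prefix, and
# `sort -V` is an acceptable stand-in for pacman's vercmp for such strings.

FIXED_VERSION="37.0-1"

# version_lt A B: exit 0 when A sorts strictly before B in version order.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# firefox_status VERSION: print "vulnerable" when VERSION < 37.0-1,
# otherwise "fixed".
firefox_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# On an Arch host, read the installed version from pacman and report it.
if command -v pacman >/dev/null 2>&1 &&
   installed=$(pacman -Q firefox 2>/dev/null); then
    ver=${installed#firefox }
    printf 'firefox %s: %s (fixed in %s)\n' \
        "$ver" "$(firefox_status "$ver")" "$FIXED_VERSION"
fi
```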

Workaround
==========

None.

Description
===========

- CVE-2015-0801 (same-origin bypass)

Mozilla developer Olli Pettay reported that while investigating Mozilla
Foundation Security Advisory 2015-28, he and Mozilla developer Boris
Zbarsky found an alternate way to trigger a similar vulnerability. The
previously reported flaw used an issue with SVG content navigation to
bypass same-origin policy protections to run scripts in a privileged
context. This newer variant found that the same flaw could be used
during anchor navigation of a page, allowing bypassing of same-origin
policy protections.

- CVE-2015-0802 (privilege boundary violation)

Mozilla developer Bobby Holley reported that windows created to hold
privileged UI content retained access to privileged internal methods if
later navigated to unprivileged content. If a separate flaw was found
that allowed for web content to reference these privileged windows, an
attacker could use this reference to navigate them to their own content
allowing for an escalation of privilege and arbitrary code execution. On
its own, this flaw does not allow for privilege escalation by web content.

- CVE-2015-0803 (use-after-free)

Security researcher Nils used the Address Sanitizer tool to discover two
type confusion flaws. The first of these occurs while setting specific
attributes of a source element resulting in incorrect object casting.
The second flaw occurs when binding a source to a tree when the function
fails to validate the namespace. These flaws lead to use-after-free
errors, resulting in potentially exploitable crashes.

- CVE-2015-0804 (use-after-free)

Security researcher Nils used the Address Sanitizer tool to discover two
type confusion flaws. The first of these occurs while setting specific
attributes of a source element resulting in incorrect object casting.
The second flaw occurs when binding a source to a tree when the function
fails to validate the namespace. These flaws lead to use-after-free
errors, resulting in potentially exploitable crashes.

- CVE-2015-0805 (memory corruption)

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover two memory
corruption crashes during 2D graphics rendering due to problems in Off
Main Thread Compositing. These crashes are potentially exploitable.

- CVE-2015-0806 (memory corruption)

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover two memory
corruption crashes during 2D graphics rendering due to problems in Off
Main Thread Compositing. These crashes are potentially exploitable.

- CVE-2015-0807 (cross-site request forgery)

A flaw was found in the Beacon interface implementation in Firefox. A
web page containing malicious content could allow a remote attacker to
conduct a Cross-Site Request Forgery (CSRF) attack.

- CVE-2015-0808 (mismatched free)

Security researcher Mitchell Harper used Valgrind to discover incorrect
memory management for simple-type arrays in WebRTC. This was undefined
behavior which is theoretically dangerous but was determined to be safe
in this instance.

- CVE-2015-0811 (information disclosure)

Security researcher Felix Gröbert of Google used the Address Sanitizer
tool to discover an out-of-bounds read in the QCMS color management
library while transforming images with certain parameters. This could
lead to information disclosure.

- CVE-2015-0812 (approval bypass)

Security researcher Armin Razmdjou discovered that a man-in-the-middle
(MITM) attacker spoofing a Mozilla sub-domain could bypass user approval
messages to install a Firefox lightweight theme. This was possible
because add-on installations of the lightweight themes do not require
the use of HTTP over SSL. Firefox extensions were not directly affected
and still required user approval for installation.

- CVE-2015-0813 (use-after-free)

Security researcher Aki Helin reported a use-after-free when playing
certain MP3 format audio files on the web using the Fluendo MP3 plugin
for GStreamer on Linux. This is due to a flaw in handling certain MP3
files by the plugin and its interaction with Mozilla code. This can lead
to a potentially exploitable crash.

- CVE-2015-0814 (arbitrary code execution)

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

- CVE-2015-0815 (arbitrary code execution)

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

- CVE-2015-0816 (arbitrary code execution)

Security researcher Mariusz Mlynski reported, through HP Zero Day
Initiative's Pwn2Own contest, that documents loaded through a resource:
URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently
load privileged chrome pages. The privilege restrictions on resource:
URLs were handled incorrectly; if this flaw was combined with a separate
vulnerability allowing a same-origin policy violation, it could be used
to run arbitrary code.

Impact
======

A remote attacker is able to execute arbitrary code, bypass the
same-origin policy, conduct cross-site request forgery, take advantage
of information disclosure, perform denial of service or possibly have
other impact via various vectors.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-32/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-38/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-39/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-42/
https://access.redhat.com/security/cve/CVE-2015-0801
https://security-tracker.debian.org/tracker/CVE-2015-0802
https://security-tracker.debian.org/tracker/CVE-2015-0803
https://security-tracker.debian.org/tracker/CVE-2015-0804
https://security-tracker.debian.org/tracker/CVE-2015-0805
https://security-tracker.debian.org/tracker/CVE-2015-0806
https://access.redhat.com/security/cve/CVE-2015-0807
https://security-tracker.debian.org/tracker/CVE-2015-0808
https://security-tracker.debian.org/tracker/CVE-2015-0811
https://security-tracker.debian.org/tracker/CVE-2015-0812
https://security-tracker.debian.org/tracker/CVE-2015-0813
https://security-tracker.debian.org/tracker/CVE-2015-0814
https://access.redhat.com/security/cve/CVE-2015-0815
https://access.redhat.com/security/cve/CVE-2015-0816
