[arch-security] [ASA-201512-9] firefox: multiple issues

Levente Polyak anthraxx at archlinux.org
Tue Dec 15 23:49:46 UTC 2015


Arch Linux Security Advisory ASA-201512-9
=========================================

Severity: Critical
Date    : 2015-12-15
CVE-ID  : CVE-2015-7201 CVE-2015-7202 CVE-2015-7203 CVE-2015-7204
          CVE-2015-7205 CVE-2015-7207 CVE-2015-7208 CVE-2015-7210
          CVE-2015-7211 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214
          CVE-2015-7215 CVE-2015-7216 CVE-2015-7217 CVE-2015-7218
          CVE-2015-7219 CVE-2015-7220 CVE-2015-7221 CVE-2015-7222
          CVE-2015-7223
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 43.0-1 is vulnerable to multiple
issues including but not limited to arbitrary code execution, denial of
service, information disclosure, same-origin policy bypass, cookie
injection, URL spoofing and privilege escalation.

Resolution
==========

Upgrade to 43.0-1.

# pacman -Syu "firefox>=43.0-1"

The problems have been fixed upstream in version 43.0.

Workaround
==========

None.

Description
===========

- CVE-2015-7201 CVE-2015-7202 (arbitrary code execution)

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

- CVE-2015-7203 CVE-2015-7220 CVE-2015-7221 (buffer overflow)

Security researcher Ronald Crane reported three buffer overflows
affecting released code that were found through code inspection. They do
not all have clear mechanisms to be exploited through web content but
are vulnerable if a mechanism can be found to trigger them.

- CVE-2015-7204 (denial of service)

Security researcher Cajus Pollmeier reported crashing during some
JavaScript variable assignments. The issue was caused by an
implementation error with unboxed objects and property storing in the
JavaScript engine. This error could result in a potentially exploitable
crash when triggered by JavaScript content as well as leading to errors
on some websites.

- CVE-2015-7205 (information disclosure)

Security researcher Ronald Crane reported an underflow found through
code inspection. This does not have a clear mechanism to be exploited
through web content but could be vulnerable if a means can be found to
trigger it.

- CVE-2015-7207 (same-origin policy bypass)

Security researcher cgvwzq reported that it is possible to read
cross-origin URLs following a redirect if performance.getEntries() is
used along with an iframe to host a page. When script navigates back in
history, content is pulled from the browser cache for the redirected
location instead of going to the original location. This is a
same-origin policy violation and could allow for data theft.

- CVE-2015-7208 (cookie injection)

Security researcher musicDespiteEverything reported an issue when ASCII
code 11 for vertical tab is stored in a cookie in violation of RFC6265.
This may result in incorrect cookie handling by servers, resulting in
the potential ability to set cookie values and read cookie data from
users in concert with some web servers if the vertical tab character is
mishandled during parsing.
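The cookie issue above comes down to a control character (0x0B) that RFC 6265 never allows inside a cookie-value. As an added illustration (not Firefox's or Mozilla's code), the following strict validator implements the RFC 6265 cookie-octet grammar and shows how a server-side Cookie header parser can discard such pairs instead of guessing at them; the cookie strings it checks are constructed for the example.

```python
import re

# RFC 6265 section 4.1.1: cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
# cookie-octet excludes CTLs (so 0x0B vertical tab), whitespace, DQUOTE,
# comma, semicolon and backslash.
_COOKIE_OCTET = r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]"
_COOKIE_VALUE_RE = re.compile(rf'^(?:{_COOKIE_OCTET}*|"{_COOKIE_OCTET}*")$')
# cookie-name is an HTTP token: one or more non-CTL, non-separator characters.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_value(value: str) -> bool:
    """True only if value is a strict RFC 6265 cookie-value."""
    return _COOKIE_VALUE_RE.fullmatch(value) is not None


def is_valid_cookie_name(name: str) -> bool:
    """True only if name is an HTTP token."""
    return _TOKEN_RE.fullmatch(name) is not None


def parse_cookie_header(header: str) -> dict:
    """Strictly parse a Cookie request header (RFC 6265 section 5.4).

    Pairs whose name or value contain characters outside the grammar
    (for example a vertical tab) are dropped rather than re-interpreted,
    so lenient splitting cannot turn one malformed pair into two.
    """
    cookies = {}
    for pair in header.split("; "):
        name, sep, value = pair.partition("=")
        if not sep or not is_valid_cookie_name(name) or not is_valid_cookie_value(value):
            continue
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    # Constructed sample header: the middle pair carries a 0x0B byte.
    sample = "session=abc; bad=x\x0by; theme=dark"
    print(parse_cookie_header(sample))  # {'session': 'abc', 'theme': 'dark'}
```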

- CVE-2015-7210 (arbitrary code execution)

Security researcher Looben Yang reported a use-after-free error in
WebRTC that occurs due to timing issues in WebRTC when closing channels.
WebRTC may still believe it has a datachannel open after another WebRTC
function has closed it. This results in attempts to use the now
destroyed datachannel, leading to a potentially exploitable crash.

- CVE-2015-7211 (URL spoofing)

Security researcher Abdulrahman Alqabandi reported that when a data: URI
is parsed, the hash ('#') symbol is incorrectly handled, allowing for
spoofing attacks. This issue could result in the wrong URI being
displayed as a location, which can mislead users to believe they are on
a different site than the one loaded.

- CVE-2015-7212 (denial of service)

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover an integer
overflow when allocating textures of extremely large sizes during
graphics operations. This results in a potentially exploitable crash
when triggered.

- CVE-2015-7213 (denial of service)

Security researcher Ronald Crane reported a vulnerability found through
code inspection. This issue is an integer overflow while processing an
MP4 format video file, where an erroneously small buffer is allocated
and then overrun, resulting in a potentially exploitable crash.

- CVE-2015-7214 (cross-origin restriction bypass)

Security researcher Tsubasa Iinuma reported a mechanism to violate
same-origin policy to content using data: and view-source: URIs to
confuse protections and bypass restrictions. This resulted in the
ability to read data from cross-site URLs and local files.

- CVE-2015-7215 (information disclosure)

Security researcher Masato Kinugawa reported a cross-origin information
leak through the error events in web workers. This violates same-origin
policy and the leaked information could potentially be used by a
malicious party to gather authentication tokens and other data from
third-party websites.

- CVE-2015-7216 CVE-2015-7217 (denial of service)

Security researcher Gustavo Grieco reported that on Linux Gnome systems
the dialog for choosing local files uses the operating system's
gdk-pixbuf library to render thumbnails for image file types. This
library supports various image decoders, and Grieco reported that the
Jasper and TGA decoders were unmaintained and have several known
vulnerabilities. Firefox has disabled the use of those decoders in
gdk-pixbuf.

- CVE-2015-7218 CVE-2015-7219 (denial of service)

Security researcher Stuart Larsen reported two issues with HTTP/2
resulting in integer underflows that lead to intentional aborts when the
errors are detected. In the first issue, if a malformed HTTP/2 HEADERS
frame is received with only a single byte, an integer underflow can be
created in some circumstances. In the second issue, a malformed HTTP/2
PUSH_PROMISE frame is received and the length of the decompressed buffer
is miscalculated, leading to another integer underflow. In both of these
instances, more memory is allocated than is allowed, triggering
assertions and intentional aborts (a denial of service) but no
exploitable crashes.
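The first of the two issues above is the classic ordering mistake of subtracting optional field sizes from a frame length before checking that the payload is big enough to hold them. As an added illustration (not Mozilla's code and not a reconstruction of the affected Necko routine), this HEADERS-frame parser, laid out per RFC 7540, validates each length before it subtracts, so a one-byte frame is rejected cleanly instead of producing a wrapped-around size; the frames it is fed are constructed.

```python
import struct

FRAME_HEADER_LEN = 9          # RFC 7540 section 4.1: 24-bit length, type, flags, stream id
FRAME_TYPE_HEADERS = 0x1
FLAG_PADDED = 0x8             # one Pad Length byte precedes the header block
FLAG_PRIORITY = 0x20          # five bytes of stream dependency + weight


class FrameError(ValueError):
    """Malformed frame; a real stack would answer with GOAWAY/RST_STREAM."""


def parse_headers_frame(raw: bytes) -> dict:
    """Parse one HEADERS frame, checking every length before subtracting.

    Computing `length - pad - priority` first and validating afterwards is
    where an unsigned subtraction wraps; here each optional field is only
    consumed once the remaining payload is known to contain it.
    """
    if len(raw) < FRAME_HEADER_LEN:
        raise FrameError("truncated frame header")
    length = int.from_bytes(raw[0:3], "big")
    ftype, flags = raw[3], raw[4]
    stream_id = struct.unpack(">I", raw[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_HEADERS:
        raise FrameError("not a HEADERS frame")
    payload = raw[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise FrameError("payload shorter than declared length")
    pos = 0
    pad_len = 0
    if flags & FLAG_PADDED:
        if length < 1:
            raise FrameError("PADDED set but no Pad Length byte")
        pad_len = payload[0]
        pos = 1
    if flags & FLAG_PRIORITY:
        if length - pos < 5:
            raise FrameError("PRIORITY set but priority fields missing")
        pos += 5
    if pad_len > length - pos:   # RFC 7540 section 6.2: padding cannot exceed payload
        raise FrameError("padding exceeds remaining payload")
    block = payload[pos:length - pad_len]
    return {"stream_id": stream_id, "header_block": block, "padding": pad_len}


def is_malformed(raw: bytes) -> bool:
    """Convenience wrapper for filtering: True if the frame is rejected."""
    try:
        parse_headers_frame(raw)
    except FrameError:
        return True
    return False
```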

- CVE-2015-7222 (denial of service)

Mozilla developer Gerald Squelart fixed an integer underflow in the
libstagefright library initially reported by Joshua Drake to Google. The
issue occurred in an MP4 format video file while parsing cover metadata,
leading to a buffer overflow. This results in a potentially exploitable
crash and can be triggered by a malformed MP4 file served by web content.

- CVE-2015-7223 (privilege escalation)

Mozilla developer Kris Maglione reported a mechanism where WebExtension
APIs could be used to escalate privilege. This could allow arbitrary web
content to execute code with the privileges of a particular WebExtension
when using these API calls. Depending on the privileges of the extension
used, this could result in personal information theft and cross-site
scripting (XSS) attacks, including theft of browser cookies. This is
mitigated by the requirement to have a WebExtension installed that is
vulnerable to this issue.

Impact
======

A remote attacker is able to execute arbitrary code, perform a denial of
service attack, obtain sensitive information and files, bypass the
same-origin policy, inject arbitrary cookies, spoof the displayed URL
and escalate privileges via various vectors.

References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox43
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7223
