[arch-security] [ASA-201502-14] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Feb 25 17:32:42 UTC 2015 

Arch Linux Security Advisory ASA-201502-14
==========================================

Severity: Critical
Date    : 2015-02-25
CVE-ID  : CVE-2015-0819 CVE-2015-0821 CVE-2015-0822 CVE-2015-0823
CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0827 CVE-2015-0829
CVE-2015-0830 CVE-2015-0831 CVE-2015-0832 CVE-2015-0834 CVE-2015-0835
CVE-2015-0836
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 36.0-1 is vulnerable to multiple
issues, including denial of service, information leak and remote code
execution.

Resolution
==========

Upgrade to 36.0-1.

# pacman -Syu "firefox>=36.0-1"

The problem has been fixed upstream in version 36.0.

Workaround
==========

None.

Description
===========

- CVE-2015-0819 (tab spoofing):

Mozilla developer Matthew Noorenberghe reported that whitelisted Mozilla
domains could make UITour API calls while the UI Tour pages for Firefox
are present in background tabs. If one of these Mozilla domains was
compromised and open in another tab, an attacker could then use that tab
to engage in spoofing and clickjacking in any foreground tab.

- CVE-2015-0821:

Security researcher Armin Razmdjou reported that opening hyperlinks on a
page with the mouse and specific keyboard key combinations could allow a
Chrome privileged URL to be opened without context restrictions being
preserved. This could also allow for the opening of local files or
resources from a known location to be opened with local privileges,
bypassing security protections.

- CVE-2015-0822 (information leak):

Security researcher Armin Razmdjou reported that a user readable file in
a known local path could be uploaded to a malicious site. This was done
by manipulating the autocomplete feature in a form and user interaction
with it. While the local file is not visibly uploaded through the form,
its contents are made available through the Document Object Model (DOM)
to script content on the attacking page, leading to information disclosure.

- CVE-2015-0823 (use-after-free):

Using the Address Sanitizer tool, security researcher Atte Kettunen
found a problem with OpenType Sanitiser (OTS) that resulted in a
use-after-free while expanding macros in some circumstances. This
use-after-free was only used for information displayed in the developer
console and was not exploitable.

- CVE-2015-0824 (denial of service):

Security researcher Atte Kettunen used the Address Sanitizer tool to
discover a crash while drawing images through the Cairo graphics library
while using the DrawTarget function. This can result in a segmentation
fault due to zero-ing out of memory outside the bounds of the image.

- CVE-2015-0825 (information leak):

Security researcher Atte Kettunen used the Address Sanitizer tool to
discover a buffer underflow during audio playback of a badly formatted
MP3 audio files. Through memory allocation manipulation it may be
possible to incorporate parts of Firefox memory into an MP3 stream
accessible to scripts on the page.

- CVE-2015-0826 (out-of-bounds read possibly leading to remote code
execution):

Security researcher Atte Kettunen used the Address Sanitizer tool to
discover an out-of-bounds read during the application of restyling and
reflowing changes of web content using CSS. This results in a
potentially exploitable crash.

- CVE-2015-0827 (out-of-bounds read and write, possibly leading to
remote code execution)

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to report an out-of-bounds
read and an out-of-bounds write when rendering an improperly formatted
SVG graphic. This could potentially allow the attacker to read
uninitialized memory.

- CVE-2015-0829 (buffer overflow possibily leading to remote code execution)

Security researcher Pantrombka reported a buffer overflow in the
libstagefright library during video playback when certain invalid MP4
video files led to the allocation of a buffer that was too small for the
content. This led to a potentially exploitable crash.

- CVE-2015-0830 (denial of service)

Security researcher Daniele Di Proietto discovered that when WebGL
content crafted in a specific manner wrote strings, it would cause a
crash when this content was run.

- CVE-2015-0831 (use-after-free, possibily leading to remote code execution)

Security researcher Paul Bandha used the used the Address Sanitizer tool
to discover a use-after-free vulnerability when running specific web
content with IndexedDB to create an index. This leads to a potentially
exploitable crash.

- CVE-2015-0832 (HPKP and HSTS bypass):

Security researcher Muneaki Nishimura reported that when certificate
pinning is set to "strict" mode, a period ('.') appended to a hostname
in the address of a site allowed the bypass key pinning (HPKP) and HTTP
Strict Transport Security (HSTS). Sites with a period appended were
treated as having a different origin than sites without the period. If
an attacker had a security certificate for a domain with the added
period, this would allow for a Man-in-the-middle (MITM) attack on users.

- CVE-2015-0834 (information leak):

Security researcher Alexander Kolesnik reported while the Mozilla
platform does not yet support TLS connections to TURN and STUN servers,
the WebRTC implementation would accept turns: and stuns: URIs and then
attempt plaintext connections to the servers when these were used. This
can lead to disclosure of credentials through a Man-in-the-middle (MITM)
attack as the connection is not encrypted.

- CVE-2015-0835, CVE-2015-0836 (remote code execution):

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

Impact
======

A remote attacker may be able to access sensitive information from the
memory or from files stored locally, crash the browser or execute
arbitrary code.

References
==========

https://www.mozilla.org/en-US/security/advisories/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0819
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0821
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0822
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0823
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0824
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0825
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0826
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0827
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0829
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0830
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0831
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0832
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0834
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0835
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0836

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150225/6c4464cb/attachment.asc>

More information about the arch-security mailing list