[arch-security] [ASA-201501-6] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Jan 14 16:32:47 UTC 2015


Arch Linux Security Advisory ASA-201501-6
=========================================

Severity: Critical
Date    : 2015-01-14
CVE-ID  : CVE-2014-8634 CVE-2014-8635 CVE-2014-8636 CVE-2014-8637
CVE-2014-8638 CVE-2014-8639 CVE-2014-8640 CVE-2014-8641 CVE-2014-8642
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 35.0-1 is vulnerable to multiple
issues, including but not limited to remote code execution.

Resolution
==========

Upgrade to 35.0-1.

# pacman -Syu "firefox>=35.0-1"

The problem has been fixed upstream in version 35.0.

Workaround
==========

None.

Description
===========

- CVE-2014-8634 (arbitrary remote code execution)

Christian Holler and Patrick McManus reported memory safety problems and
crashes that affect Firefox ESR 31.3 and Firefox 34.

- CVE-2014-8635 (arbitrary remote code execution)

Christoph Diehl, Christian Holler, Gary Kwong, Jesse Ruderman, Byron
Campen, Terrence Cole, and Nils Ohlmeier reported memory safety problems
and crashes that affect Firefox 34.

- CVE-2014-8636 (arbitrary JavaScript code execution, privilege escalation)

Mozilla developer Bobby Holley reported that Document Object Model (DOM)
objects with some specific properties can bypass XrayWrappers. This can
allow web content to confuse privileged code, potentially enabling
privilege escalation.

- CVE-2014-8637 (information leakage)

Google security researcher Michal Zalewski reported that when a
malformed bitmap image is rendered by the bitmap decoder within a
<canvas> element, memory may not always be properly initialized. The
resulting image then uses this uninitialized memory during rendering,
allowing data to potentially leak to web content.

- CVE-2014-8638 (XSRF)

Security researcher Muneaki Nishimura reported that
navigator.sendBeacon() does not follow the cross-origin resource sharing
(CORS) specification. This results in the request from sendBeacon()
lacking an Origin header in violation of the W3C Beacon specification
and not being treated as a CORS request. This allows for a potential
cross-site request forgery (XSRF) attack from malicious websites.

- CVE-2014-8639 (cookie injection)

Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua
University reported that a Web Proxy returning a 407 Proxy
Authentication response with a Set-Cookie header could inject cookies
into the originally requested domain. This could be used for
session-fixation attacks. This attack only allows cookies to be written
but does not allow them to be read.

- CVE-2014-8640 (denial of service)

Security researcher Holger Fuhrmannek used the Address Sanitizer tool
to discover a crash in Web Audio while manipulating timelines. This
allowed a small block of memory with an uninitialized pointer to be
read. The crash is not exploitable.

- CVE-2014-8641 (remote code execution)

Security researcher Mitchell Harper discovered a read-after-free in
WebRTC due to the way tracks are handled. This results in either a
potentially exploitable crash or incorrect WebRTC behavior.

- CVE-2014-8642 (OCSP bypass)

Brian Smith reported that delegated Online Certificate Status Protocol
(OCSP) responder certificates fail to recognize the id-pkix-ocsp-nocheck
extension. If this extension is present in a delegated OCSP response
signing certificate, it will be discarded if it is signed by such a
certificate. This could result in a user connecting to a site with a
revoked certificate.
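
A detection check for the CVE-2014-8639 pattern described above, added
here as an example and not code from this advisory or from Mozilla: it
flags 407 responses that carry Set-Cookie in a list of captured response
heads. The sample responses, the host name shop.example and all function
names are constructed for illustration.

```python
"""Flag HTTP 407 proxy responses that carry Set-Cookie (CVE-2014-8639 pattern)."""
from email.parser import Parser

# Constructed sample: response heads as a proxy-side capture might record them.
SAMPLE_RESPONSES = [
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
    "Set-Cookie: SID=fixed-by-proxy; Domain=shop.example; Path=/\r\n"
    "set-cookie: theme=dark\r\n"
    "\r\n",
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
    "\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SID=legit; Path=/\r\n"
    "\r\n",
]


def parse_head(raw):
    """Split a raw response head into (status_code, parsed_headers)."""
    status_line, _, header_block = raw.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), Parser().parsestr(header_block, headersonly=True)


def cookies_set_by_407(raw):
    """Return the cookie names a 407 response tries to set, else []."""
    status, headers = parse_head(raw)
    if status != 407:
        return []
    # Header lookup is case-insensitive; every Set-Cookie line is returned.
    values = headers.get_all("Set-Cookie", [])
    return [v.split(";", 1)[0].split("=", 1)[0].strip() for v in values]


def scan(responses):
    """Map response index -> cookie names for each response matching the pattern."""
    hits = {i: cookies_set_by_407(raw) for i, raw in enumerate(responses)}
    return {i: names for i, names in hits.items() if names}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_RESPONSES).items():
        print("response %d: 407 sets cookies %s" % (idx, ", ".join(names)))
```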

Impact
======

An attacker controlling a malicious website or in a man-in-the-middle
position may be able to access sensitive information, exploit existing
sessions, crash the browser, or remotely execute arbitrary code.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8634
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8635
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8636
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8637
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8639
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8640
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8641
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8642
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
