[arch-security] [ASA-201511-2] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Nov 4 13:07:07 UTC 2015

Arch Linux Security Advisory ASA-201511-2

Severity: Critical
Date    : 2015-11-04
CVE-ID  : CVE-2015-4513 CVE-2015-4514 CVE-2015-4515 CVE-2015-4518
CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7187 CVE-2015-7188
CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7195 CVE-2015-7196
CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package firefox before version 42.0-1 is vulnerable to multiple
issues, including but no limited to information leak, policy bypass and
remote code execution.


Upgrade to 42.0-1.

# pacman -Syu "firefox>=42.0-1"

The problem has been fixed upstream in version 42.0.




- CVE-2015-4513 (Miscellaneous memory safety hazards):

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris
Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and
Gary Kwong reported memory safety problems and crashes that affect
Firefox ESR 38.3 and Firefox 41.

- CVE-2015-4514 (Miscellaneous memory safety hazards):

Christian Holler, Andrew McCreight, Georg Fritzsche, Tyson Smith, and
Carsten Book reported crash and memory safety problems that affect
Firefox 41.

- CVE-2015-4515 (Information disclosure through NTLM authentication):

Security researcher Tim Brown reported that Firefox discloses the
hostname and possibly the Windows domain through NTLM-based HTTP
authentication when sending type 3 messages as part of the
authentication exchange. This is because the Workstation field is
populated with the hostname of the system making the request. An
attacker can craft a malicious page to send a silent NTLM request that
will disclose the information without visibility in the client, leading
to information disclosure. This is mitigated because NTLM v1 is disabled
by default configurations.

- CVE-2015-4518 (CSP bypass due to permissive Reader mode whitelist):

Security researcher Mario Heiderich reported an issue where the security
protections of Reader mode in Firefox can be bypassed, allowing scripts
to be run. Mozilla developer Frederik Braun independently discovered and
reported this same issue as well. This issue happens even though Reader
View explicitly disables script for rendered pages through a whitelist
of allowed HTML content. Mario discovered that the whitelist was too
permissive and a malicious site could manipulate content to bypass CSP
protections, allowing for possible cross-site scripting (XSS) attacks.

- CVE-2015-7181, CVE-2015-7182 (NSS memory corruption issues):

Mozilla engineers Tyson Smith and David Keeler reported a
use-after-poison and buffer overflow in the ASN.1 decoder in Network
Security Services (NSS). These issues were in octet string parsing and
were found through fuzzing and code inspection. If these issues were
triggered, they would lead to a potentially exploitable crash. These
issues were fixed in NSS version and 3.19.4, shipped in Firefox
and Firefox ESR, respectively, as well as NSS 3.20.1.

- CVE-2015-7183 (NSPR overflow in PL_ARENA_ALLOCATE can lead to crash,
potential memory corruption):

Google security engineer Ryan Sleevi reported an integer overflow in the
Netscape Portable Runtime (NSPR) due to a lack of checks during memory
allocation. This leads to a potentially exploitable crash. This issue is
fixed in NSPR 4.10.10.

- CVE-2015-7187 (Disabling scripts in Add-on SDK panels has no effect):

Add-on authors Jason Hamilton and Peter Arremann with AMO editor Sylvain
Giroux reported a vulnerability when a panel is created using the Add-on
SDK in a browser extension. Defining a panel with script: false is
supposed to disable script execution but it was found that inline script
would still execute. This flaw allows for the potential execution of
script content in an extension when it was been explicitly disallowed.

The potential impact of this flaw would depend on whether the add-on was
relying on script: false as a security mechanism and from location the
panel content was loaded. No add-ons served from addons.mozilla.org are
vulnerable to this flaw but add-ons installed from third party sites may be.

- CVE-2015-7188 (Trailing whitespace in IP address hostnames can bypass
same-origin policy):

Security researcher Michał Bentkowski reported that adding white-space
characters to hostnames that are IP addresses can bypass same-origin
policy. This flaw was caused by trailing whitespaces being evaluated
differently when parsing IP addresses instead of alphanumeric hostnames.
This could lead to a cross-site script (XSS) attack.

- CVE-2015-7189 (Buffer overflow during image interactions in canvas):

Security researcher Looben Yang reported a buffer overflow in the
JPEGEncoder function during script interactions with a canvas element.
This is caused by a race condition and incorrectly matched sizes
following image interactions. This leads to a potentially exploitable crash.

- CVE-2015-7193 (CORS preflight is bypassed when non-standard
Content-Type headers are received):

Security researcher Shinto K Anto reported an issue with cross-origin
resource sharing (CORS) "preflight" requests when receiving certain
Content-Type headers. This is due to an error in implementation
resulting in trying to process multiple media types when they are
returned in the Content-Type headers from a server. This is disallowed
in the CORS specification and results in a simple instead of a
"preflight" request, leading to potential same-origin policy violation.

- CVE-2015-7194 (Memory corruption in libjar through zip files):

Security researcher Gustavo Grieco reported a buffer underflow in libjar
triggered through a maliciously crafted ZIP format file. This results in
a potentially exploitable crash.

- CVE-2015-7195 (Certain escaped characters in host of Location-header
are being treated as non-escaped):

Security researcher Frans Rosén reported that URLs with certain escaped
characters in hostnames are parsed incorrectly. This leads to parsing
being abandoned when an effected escaped character is encountered
followed by a navigation to the previously parsed version of the URL.
When combined with a site allowing for navigation redirection that
allows for escaped characters, this could lead to potential extraction
of site specific tokens.

- CVE-2015-7196 (JavaScript garbage collection crash with Java applet):

Mozilla community member Vytautas Staraitis reported an issue with the
interaction of Java applets and JavaScript. The Java plugin can
deallocate a JavaScript wrapper when it is still in use, which leads to
a JavaScript garbage collection crash. This crash is potentially

This issue only affects systems where Java is installed and enabled as a
browser plugin. Other systems are unaffected.

- CVE-2015-7197 (Mixed content WebSocket policy bypass through workers):

Mozilla developer Ehsan Akhgari reported a mechanism through which a web
worker could be used to bypass secure requirements for WebSockets when
workers are used to create WebSockets. This allows for the bypassing of
mixed content WebSocket policy.

- CVE-2015-7198, CVE-2015-7199 CVE-2015-7200 (Vulnerabilities found
through code inspection):

Security researcher Ronald Crane reported three vulnerabilities
affecting released code that were found through code inspection. These
included a buffer overflow in the ANGLE graphics library and two issues
of missing status checks in SVG rendering and during cryptographic key
manipulation. These do not all have clear mechanisms to be exploited
through web content but are vulnerable if a mechanism can be found to
trigger them.


A remote attacker can cause a denial of service, access sensitive
information or execute arbitrary code.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151104/c7f32016/attachment.asc>

More information about the arch-security mailing list