[arch-security] [ASA-201509-9] firefox: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Sep 23 14:57:49 UTC 2015

Arch Linux Security Advisory ASA-201509-9

Severity: Critical
Date    : 2015-09-23
CVE-ID  : CVE-2015-4500 CVE-2015-4501 CVE-2015-4502 CVE-2015-4504
CVE-2015-4506 CVE-2015-4507 CVE-2015-4508 CVE-2015-4509 CVE-2015-4510
CVE-2015-4511 CVE-2015-4512 CVE-2015-4516 CVE-2015-4517 CVE-2015-4519
CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175
CVE-2015-7176 CVE-2015-7177 CVE-2015-7180
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package firefox before version 41.0-1 is vulnerable to multiple issues.


Upgrade to 41.0-1.

# pacman -Syu "firefox>=41.0-1"

The problem has been fixed upstream in version 41.0.




- CVE-2015-4500 (Memory safety bugs fixed in Firefox ESR 38.3 and
Firefox 41):

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight and Cameron McCormack reported memory safety
problems and crashes that affect Firefox ESR 38.2 and Firefox 40. Some
of these bugs showed evidence of memory corruption under certain
circumstances, and Mozilla presumes that with enough effort at least some
of these could be exploited to run arbitrary code.

- CVE-2015-4501 (Memory safety bugs fixed in Firefox 41):

Bob Clary and Randell Jesup reported crash and memory safety problems
that affect Firefox 40. Mozilla developers and community identified and
fixed several memory safety bugs in the browser engine used in Firefox
and other Mozilla-based products. Some of these bugs showed evidence of
memory corruption under certain circumstances, and Mozilla presumes that
with enough effort at least some of these could be exploited to run
arbitrary code.

- CVE-2015-4502 (Scripted proxies can access inner window):

Security researcher André Bargull reported that when a web page creates
a scripted proxy for the window with a handler defined a certain way, a
reference to the inner window will be passed, rather than that of the
outer window in violation of the specification.

- CVE-2015-4504 (Out of bounds read in QCMS library with ICC V4 profile):

Security researcher Felix Gröbert of Google discovered an out of bounds
read in the QCMS color management library while manipulating an image
with specific attributes in its ICC V4 profile. This causes a crash and
could lead to information disclosure.

- CVE-2015-4506 (Buffer overflow in libvpx while parsing vp9 format video):

Security researcher Khalil Zhani reported that a maliciously crafted vp9
format video could be used to trigger a buffer overflow while parsing
the file. This leads to a potentially exploitable crash due to a flaw in
the libvpx library.

- CVE-2015-4507 (Crash when using debugger with SavedStacks in JavaScript):

Security researcher Spandan Veggalam reported a crash while using the
debugger API with SavedStacks in JavaScript. This crash can only occur
when the debugger is in use but may be potentially exploitable.

- CVE-2015-4508 (URL spoofing in reader mode):

Security researcher Juho Nurminen reported a mechanism to spoof the URL
displayed in the address bar in reader mode by manipulating the loaded
URL. This flaw allows the displayed URL to differ from that of the
rendered web content. This allows for potential spoofing, but the
effects are mitigated by the restrictions reader mode places on
rendered content.

- CVE-2015-4509 (Use-after-free while manipulating HTML media content):

An anonymous researcher reported, via HP's Zero Day Initiative, a
use-after-free vulnerability with HTML media elements on a page during
script manipulation of the URI table of these elements. This results in
a potentially exploitable crash.

- CVE-2015-4510 (Use-after-free with shared workers and IndexedDB):

Security researcher Looben Yang discovered a use-after-free
vulnerability when using a shared worker with IndexedDB due to a race
condition with the worker. This results in a potentially exploitable
crash that can be triggered through web content.

- CVE-2015-4511 (Buffer overflow while decoding WebM video):

Using the Address Sanitizer tool, security researcher Atte Kettunen
discovered a buffer overflow in the nestegg library when decoding a WebM
format video with maliciously formatted headers. This leads to a
potentially exploitable crash.

- CVE-2015-4512 (Out-of-bounds read during 2D canvas display on Linux
16-bit color depth systems):

Security researcher Francisco Alonso of the NowSecure Research Team used
the Address Sanitizer tool to discover an out-of-bounds read issue
during 2D canvas rendering. This was due to an issue in the cairo
graphics library when surfaces are created with 32-bit color depth but
displayed on a 16-bit color depth system, which is unsupported. This
allows an attacker to read an amount of random memory following the heap
for the 16-bit surface leading to information disclosure.

- CVE-2015-4516 (JavaScript immutable property enforcement can be bypassed):

Mozilla developer Jeff Walden reported that Gecko's implementation of
the ECMAScript 5 APIs enforces non-configurable properties with logic
specific to each API. Scripts that do not go through these APIs can
bypass these protections and change immutable properties, in violation
of security protections. This could potentially allow web content to
run in a privileged context, leading to arbitrary code execution.

- CVE-2015-4519 (Dragging and dropping images exposes final URL after
redirects):

Security researcher Mario Gomes reported that when a previously loaded
image on a page is dragged and dropped into content after a redirect, the
redirected URL is available to scripts. This is a violation of the Fetch
specification's defined behavior for "Atomic HTTP redirect handling",
which states that redirected URLs are not exposed to any APIs. This can
allow for information leakage.

- CVE-2015-4520 (Errors in the handling of CORS preflight request headers):

Mozilla developer Ehsan Akhgari reported two issues with Cross-origin
resource sharing (CORS) "preflight" requests.

The first issue is that in some circumstances the same cache key can be
generated for two preflight requests on a site. As a result, if a second
request is made that will match the cached key generated by an earlier
request, CORS checks will be bypassed because the system will see the
previously cached request as applicable.

In the second issue, when some Access-Control- headers are missing from
a CORS response, the values of different Access-Control- headers that
are present in the same response can be used in their place.
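The following constructed Python model is an added illustration and not part of the advisory or of Mozilla's code: it shows why a preflight cache must key on the request method and custom headers as well as origin and URL, and why a missing Access-Control-Allow-Headers must be treated as "none allowed" rather than filled from another header. All class, function and sample names are hypothetical.

```python
from dataclasses import dataclass

# Constructed model of a CORS preflight cache (hypothetical names, not
# Mozilla's code). A preflight answer covers only the exact method and
# request headers asked about, so the cache key must include them.

@dataclass(frozen=True)
class Preflight:
    origin: str
    url: str
    method: str
    headers: frozenset  # custom request headers the page wants to send

def weak_key(p):
    # Buggy keying: every preflight for the same origin+URL collides.
    return (p.origin, p.url)

def strict_key(p):
    # Correct keying: everything the server's answer depended on.
    return (p.origin, p.url, p.method, p.headers)

class PreflightCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}

    def record(self, p, allowed):
        self.entries[self.key_fn(p)] = allowed

    def lookup(self, p):
        # None means cache miss: a real preflight must be sent.
        return self.entries.get(self.key_fn(p))

def second_request_skips_preflight(key_fn):
    cache = PreflightCache(key_fn)
    first = Preflight("https://app.example", "https://api.example/item",
                      "GET", frozenset())
    cache.record(first, True)  # server approved a plain GET only
    second = Preflight("https://app.example", "https://api.example/item",
                       "DELETE", frozenset({"x-auth"}))
    return cache.lookup(second)  # True = wrongly reused, None = re-check

def allowed_headers(resp):
    # Second issue: a missing Access-Control-Allow-Headers means "none",
    # never a value borrowed from another Access-Control-* header.
    raw = resp.get("access-control-allow-headers")
    if raw is None:
        return frozenset()
    return frozenset(h.strip().lower() for h in raw.split(",") if h.strip())
```

With the weak key the DELETE request with a custom header reuses the cached approval for a plain GET; with the strict key it misses the cache and a real preflight is required.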

- CVE-2015-4517 (Memory-safety bugs in NetworkUtils.cpp generally),
  CVE-2015-4521 (Memory-safety bugs in ConvertDialogOptions),
  CVE-2015-4522 (Overflow in nsUnicodeToUTF8::GetMaxLength can create
  memory-safety bugs in callers),
  CVE-2015-7174 (Overflow in nsAttrAndChildArray::GrowBy causes
  memory-safety bug),
  CVE-2015-7175 (Overflow in XULContentSinkImpl::AddText causes
  memory-safety bug),
  CVE-2015-7176 (Bad sscanf argument in AnimationThread overruns stack),
  CVE-2015-7177 (Memory-safety bug in InitTextures),
  CVE-2015-7180 (Mishandling return status in
  ReadbackResultWriterD3D11::Run might cause memory-safety bug):

Security researcher Ronald Crane reported eight vulnerabilities
affecting released code that were found through code inspection. These
included several potential memory safety issues resulting from the use
of snprintf, one use of unowned memory, one use of a string without
overflow checks, and five memory safety bugs. These do not all have
clear mechanisms to be exploited through web content but are vulnerable
if a mechanism can be found to trigger them.


A remote attacker might be able to spoof the URL displayed in the
address bar, steal sensitive information, crash the browser or execute
arbitrary code on the affected host.


