Arch Linux Security Advisory ASA-201502-14
=========================================
Severity: Critical
Date    : 2015-02-25
CVE-ID  : CVE-2015-0819 CVE-2015-0821 CVE-2015-0822 CVE-2015-0823
CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0827 CVE-2015-0829
CVE-2015-0830 CVE-2015-0831 CVE-2015-0832 CVE-2015-0834 CVE-2015-0835
CVE-2015-0836
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package firefox before version 36.0-1 is vulnerable to multiple
issues, including denial of service, information leak and remote code
execution.

Resolution
=========
Upgrade to 36.0-1.

# pacman -Syu "firefox>=36.0-1"

The problem has been fixed upstream in version 36.0.

Workaround
=========
None.

Description
==========
- CVE-2015-0819 (tab spoofing):

Mozilla developer Matthew Noorenberghe reported that whitelisted Mozilla
domains could make UITour API calls while the UI Tour pages for Firefox
are present in background tabs. If one of these Mozilla domains was
compromised and open in another tab, an attacker could then use that tab
to engage in spoofing and clickjacking in any foreground tab.

- CVE-2015-0821:

Security researcher Armin Razmdjou reported that opening hyperlinks on a
page with the mouse and specific keyboard key combinations could allow a
Chrome privileged URL to be opened without context restrictions being
preserved. This could also allow local files or resources from a known
location to be opened with local privileges,
bypassing security protections.

- CVE-2015-0822 (information leak):

Security researcher Armin Razmdjou reported that a user readable file in
a known local path could be uploaded to a malicious site. This was done
by manipulating the autocomplete feature in a form and user interaction
with it. While the local file is not visibly uploaded through the form,
its contents are made available through the Document Object Model (DOM)
to script content on the attacking page, leading to information disclosure.

- CVE-2015-0823 (use-after-free):

Using the Address Sanitizer tool, security researcher Atte Kettunen
found a problem with OpenType Sanitiser (OTS) that resulted in a
use-after-free while expanding macros in some circumstances. This
use-after-free was only used for information displayed in the developer
console and was not exploitable.

- CVE-2015-0824 (denial of service):

Security researcher Atte Kettunen used the Address Sanitizer tool to
discover a crash while drawing images through the Cairo graphics library
while using the DrawTarget function. This can result in a segmentation
fault due to zero-ing out of memory outside the bounds of the image.

- CVE-2015-0825 (information leak):

Security researcher Atte Kettunen used the Address Sanitizer tool to
discover a buffer underflow during audio playback of a badly formatted
MP3 audio file. Through memory allocation manipulation it may be
possible to incorporate parts of Firefox memory into an MP3 stream
accessible to scripts on the page.

- CVE-2015-0826 (out-of-bounds read possibly leading to remote code
execution):

Security researcher Atte Kettunen used the Address Sanitizer tool to
discover an out-of-bounds read during the application of restyling and
reflowing changes of web content using CSS. This results in a
potentially exploitable crash.

- CVE-2015-0827 (out-of-bounds read and write, possibly leading to
remote code execution):

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to report an out-of-bounds
read and an out-of-bounds write when rendering an improperly formatted
SVG graphic. This could potentially allow the attacker to read
uninitialized memory.

- CVE-2015-0829 (buffer overflow possibly leading to remote code execution):

Security researcher Pantrombka reported a buffer overflow in the
libstagefright library during video playback when certain invalid MP4
video files led to the allocation of a buffer that was too small for the
content. This led to a potentially exploitable crash.

- CVE-2015-0830 (denial of service):

Security researcher Daniele Di Proietto discovered that when WebGL
content crafted in a specific manner wrote strings, it would cause a
crash when this content was run.

- CVE-2015-0831 (use-after-free, possibly leading to remote code execution):

Security researcher Paul Bandha used the Address Sanitizer tool
to discover a use-after-free vulnerability when running specific web
content with IndexedDB to create an index. This leads to a potentially
exploitable crash.

- CVE-2015-0832 (HPKP and HSTS bypass):

Security researcher Muneaki Nishimura reported that when certificate
pinning is set to "strict" mode, a period ('.') appended to a hostname
in the address of a site allowed key pinning (HPKP) and HTTP Strict
Transport Security (HSTS) to be bypassed. Sites with a period appended were
treated as having a different origin than sites without the period. If
an attacker had a security certificate for a domain with the added
period, this would allow for a Man-in-the-middle (MITM) attack on users.
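The origin-mismatch described above is a host canonicalization bug: the policy table is keyed on the raw host string, so "example.com." never matches the entry for "example.com". The following is an added example, not code from this advisory or from Firefox, contrasting a naive raw-string lookup with a store that canonicalizes hosts (lowercase, trailing dots stripped) before matching and before walking up parent domains for includeSubDomains. All host names, policies and pin labels are constructed.

```python
"""
Added example (not part of the Arch advisory, not Firefox code): a toy
HSTS/HPKP policy store that shows the lookup bug class behind the
trailing-period bypass and the canonicalizing lookup that closes it.
Host names, policies and pin labels below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Policy:
    include_subdomains: bool
    pins: FrozenSet[str]  # constructed SPKI hash labels, not real pins


# Constructed policy table keyed by the raw host string.
RAW_POLICIES: Dict[str, Policy] = {
    "example.com": Policy(True, frozenset({"pin-A", "pin-B"})),
    "mail.example.org": Policy(False, frozenset({"pin-C"})),
}


def naive_lookup(host: str) -> Optional[Policy]:
    """Buggy behaviour: the raw host string is the key, so 'example.com.'
    is treated as a different origin from 'example.com' and gets no policy."""
    return RAW_POLICIES.get(host)


def canonical_host(host: str) -> str:
    """Lowercase and strip any trailing dots (FQDN form) before matching."""
    h = host.strip().lower().rstrip(".")
    if not h:
        raise ValueError("empty host name")
    return h


class PolicyStore:
    def __init__(self, policies: Dict[str, Policy]) -> None:
        # Keys are canonicalized at insertion so every alias shares one entry.
        self._policies = {canonical_host(k): v for k, v in policies.items()}

    def lookup(self, host: str) -> Optional[Policy]:
        """Exact match first, then walk up parent domains honouring
        include_subdomains, all on the canonical form of the host."""
        labels = canonical_host(host).split(".")
        for i in range(len(labels)):
            pol = self._policies.get(".".join(labels[i:]))
            if pol is None:
                continue
            if i == 0 or pol.include_subdomains:
                return pol
        return None

    def accept_connection(self, host: str, presented_pin: str,
                          is_tls: bool) -> bool:
        """HSTS forces TLS and HPKP requires a matching SPKI pin whenever
        a policy exists for the host; hosts without a policy are unconstrained."""
        pol = self.lookup(host)
        if pol is None:
            return True
        return is_tls and presented_pin in pol.pins


STORE = PolicyStore(RAW_POLICIES)

if __name__ == "__main__":
    # The naive table misses the trailing-dot alias; the store does not.
    print("naive:", naive_lookup("example.com."))
    print("canonical:", STORE.lookup("example.com."))
```

The same canonical form must be used both when a policy is stored and when it is queried; canonicalizing on only one side reintroduces the alias.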

- CVE-2015-0834 (information leak):

Security researcher Alexander Kolesnik reported that while the Mozilla
platform does not yet support TLS connections to TURN and STUN servers,
the WebRTC implementation would accept turns: and stuns: URIs and then
attempt plaintext connections to the servers when these were used. This
can lead to disclosure of credentials through a Man-in-the-middle (MITM)
attack as the connection is not encrypted.
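The failure mode above is a silent downgrade: a URI whose scheme demands TLS (turns:, stuns:) is accepted and then connected over plaintext because the stack has no TLS transport to give it. The following is an added example, not code from this advisory or from Firefox's WebRTC implementation, that parses ICE server URIs in the stun:/stuns:/turn:/turns: shape of RFC 7064/7065 and contrasts a planner that degrades to plaintext with one that refuses the secure scheme outright. Hosts and the username are constructed; the "TLS not available" flag stands in for the platform limitation the advisory describes and is an assumption of the example.

```python
"""
Added example (not part of the Arch advisory, not Firefox code): turning an
ICE server URI into a connection plan. plan_buggy() accepts turns:/stuns:
and connects in the clear when TLS is unavailable; plan_fixed() refuses.
Hosts and credentials are constructed; tls_available is an assumed flag.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs

# Default ports from RFC 7064 (stun) and RFC 7065 (turn); the "s" schemes
# run over TLS/TCP.
DEFAULT_PORT = {"stun": 3478, "turn": 3478, "stuns": 5349, "turns": 5349}


class UnsupportedTransport(Exception):
    """Raised when the URI demands a transport the stack cannot provide."""


def parse_ice_uri(uri: str) -> Dict[str, object]:
    """Split scheme:host[:port][?transport=udp|tcp] into its parts."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError(f"not an ICE server URI: {uri!r}")
    hostport, _, query = rest.partition("?")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"missing host in {uri!r}")
    wants_tls = scheme.endswith("s")
    # Secure schemes are TCP-only; plain schemes default to UDP.
    default_transport = "tcp" if wants_tls else "udp"
    transport = parse_qs(query).get("transport", [default_transport])[0].lower()
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else DEFAULT_PORT[scheme],
        "transport": transport,
        "wants_tls": wants_tls,
    }


def plan_buggy(uri: str, username: Optional[str],
               tls_available: bool = False) -> Dict[str, object]:
    """Downgrading behaviour: a turns:/stuns: URI is accepted and, lacking
    TLS, the connection proceeds in plaintext, credentials included."""
    p = parse_ice_uri(uri)
    return {**p, "tls": p["wants_tls"] and tls_available,
            "credentials_sent": username is not None}


def plan_fixed(uri: str, username: Optional[str],
               tls_available: bool = False) -> Dict[str, object]:
    """Safe behaviour: refuse a secure scheme the stack cannot honour rather
    than silently fall back to a plaintext socket."""
    p = parse_ice_uri(uri)
    if p["wants_tls"] and not tls_available:
        raise UnsupportedTransport(
            f"{p['scheme']}: requires TLS, which this stack does not support")
    return {**p, "tls": p["wants_tls"],
            "credentials_sent": username is not None}


def refuses(uri: str, tls_available: bool = False) -> bool:
    """True when plan_fixed() rejects the URI instead of downgrading it."""
    try:
        plan_fixed(uri, "alice", tls_available)
    except UnsupportedTransport:
        return True
    return False


if __name__ == "__main__":
    bad = plan_buggy("turns:relay.example.test", "alice")
    print("buggy plan sends credentials over TLS?", bad["tls"])
    print("fixed planner refuses turns: without TLS?",
          refuses("turns:relay.example.test"))
```

The check belongs at URI acceptance time, before any socket is opened: once a TURN long-term credential has been sent on a plaintext socket the disclosure has already happened.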

- CVE-2015-0835, CVE-2015-0836 (remote code execution):

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

Impact
=====
A remote attacker may be able to access sensitive information from the
memory or from files stored locally, crash the browser or execute
arbitrary code.

References
=========
https://www.mozilla.org/en-US/security/advisories/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0819
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0821
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0822
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0823
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0824
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0825
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0826
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0827
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0829
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0830
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0831
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0832
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0834
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0835
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0836
