Arch Linux Security Advisory ASA-201509-9
=========================================
Severity: Critical
Date    : 2015-09-23
CVE-ID  : CVE-2015-4500 CVE-2015-4501 CVE-2015-4502 CVE-2015-4504
CVE-2015-4506 CVE-2015-4507 CVE-2015-4508 CVE-2015-4509 CVE-2015-4510
CVE-2015-4511 CVE-2015-4512 CVE-2015-4516 CVE-2015-4517 CVE-2015-4519
CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175
CVE-2015-7176 CVE-2015-7177 CVE-2015-7180
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package firefox before version 41.0-1 is vulnerable to multiple issues.

Resolution
==========
Upgrade to 41.0-1.

# pacman -Syu "firefox>=41.0-1"

The problem has been fixed upstream in version 41.0.
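As an added example (not part of the advisory or of pacman itself), the check below parses the output of ``pacman -Q firefox`` and compares the installed version against the fixed version 41.0-1 using an approximation of pacman's vercmp ordering (epoch, then pkgver, then pkgrel, with numeric segments newer than letter segments). The sample ``pacman -Q`` line is constructed.

```python
import re
import subprocess

# From the advisory's Resolution section: firefox before 41.0-1 is affected.
PACKAGE = "firefox"
FIXED_VERSION = "41.0-1"

# Constructed sample of `pacman -Q firefox` output, not captured from a real host.
SAMPLE_PACMAN_Q = "firefox 40.0.3-1\n"


def _segments(s):
    # Alternating numeric / alphabetic runs: "41.0b1" -> ["41", "0", "b", "1"].
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_alnum(a, b):
    """Order two pkgver/pkgrel strings like pacman's vercmp (approximation)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # number beats letters ("41.1" > "41a")
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments: a trailing number is newer ("41.0.1" > "41.0"),
    # a trailing letter run is a pre-release ("41.0b1" < "41.0").
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return sign if longer[min(len(sa), len(sb))].isdigit() else -sign


def compare_versions(a, b):
    """Return -1, 0 or 1 for Arch versions of the form "[epoch:]pkgver[-pkgrel]"."""
    def split(v):
        epoch, _, v = v.rpartition(":")      # ('', '', v) when there is no epoch
        pkgver, _, pkgrel = v.partition("-")
        return int(epoch or 0), pkgver, pkgrel
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _cmp_alnum(va, vb)
    if c or not (ra and rb):
        return c
    return _cmp_alnum(ra, rb)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) < 0


def check_pacman_q_output(output, package=PACKAGE, fixed=FIXED_VERSION):
    """Parse `pacman -Q <pkg>` lines ("name version"); return (version, vulnerable) or None."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == package:
            return parts[1], is_vulnerable(parts[1], fixed)
    return None  # package not installed, nothing to patch


if __name__ == "__main__":
    try:
        out = subprocess.run(["pacman", "-Q", PACKAGE], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_PACMAN_Q  # not an Arch host: fall back to the constructed sample
    print(check_pacman_q_output(out))
```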

Workaround
==========
None.

Description
===========
- CVE-2015-4500 (Memory safety bugs fixed in Firefox ESR 38.3 and
Firefox 41):

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight and Cameron McCormack reported memory safety
problems and crashes that affect Firefox ESR 38.2 and Firefox 40. Some
of these bugs showed evidence of memory corruption under certain
circumstances, and Mozilla presumes that with enough effort at least some
of these could be exploited to run arbitrary code.

- CVE-2015-4501 (Memory safety bugs fixed in Firefox 41):

Bob Clary and Randell Jesup reported crash and memory safety problems
that affect Firefox 40. Mozilla developers and community identified and
fixed several memory safety bugs in the browser engine used in Firefox
and other Mozilla-based products. Some of these bugs showed evidence of
memory corruption under certain circumstances, and Mozilla presumes that
with enough effort at least some of these could be exploited to run
arbitrary code.

- CVE-2015-4502 (Scripted proxies can access inner window):

Security researcher André Bargull reported that when a web page creates
a scripted proxy for the window with a handler defined a certain way, a
reference to the inner window will be passed, rather than that of the
outer window in violation of the specification.

- CVE-2015-4504 (Out of bounds read in QCMS library with ICC V4 profile
attributes):

Security researcher Felix Gröbert of Google discovered an out of bounds
read in the QCMS color management library while manipulating an image
with specific attributes in its ICC V4 profile. This causes a crash and
could lead to information disclosure.

- CVE-2015-4506 (Buffer overflow in libvpx while parsing vp9 format video):

Security researcher Khalil Zhani reported that a maliciously crafted vp9
format video could be used to trigger a buffer overflow while parsing
the file. This leads to a potentially exploitable crash due to a flaw in
the libvpx library.

- CVE-2015-4507 (Crash when using debugger with SavedStacks in JavaScript):

Security researcher Spandan Veggalam reported a crash while using the
debugger API with SavedStacks in JavaScript. This crash can only occur
when the debugger is in use but may be potentially exploitable.

- CVE-2015-4508 (URL spoofing in reader mode):

Security researcher Juho Nurminen reported a mechanism to spoof the URL
displayed in the address bar in reader mode by manipulating the loaded
URL. This flaw allows the URL displayed to differ from that of the
rendered web content. This allows for potential spoofing, but the
effects are mitigated by the restrictions reader mode places on
rendered content.

- CVE-2015-4509 (Use-after-free while manipulating HTML media content):

An anonymous researcher reported, via HP's Zero Day Initiative, a
use-after-free vulnerability with HTML media elements on a page during
script manipulation of the URI table of these elements. This results in
a potentially exploitable crash.

- CVE-2015-4510 (Use-after-free with shared workers and IndexedDB):

Security researcher Looben Yang discovered a use-after-free
vulnerability when using a shared worker with IndexedDB due to a race
condition with the worker. This results in a potentially exploitable
crash that can be triggered through web content.

- CVE-2015-4511 (Buffer overflow while decoding WebM video):

Using the Address Sanitizer tool, security researcher Atte Kettunen
discovered a buffer overflow in the nestegg library when decoding a WebM
format video with maliciously formatted headers. This leads to a
potentially exploitable crash.

- CVE-2015-4512 (Out-of-bounds read during 2D canvas display on Linux
16-bit color depth systems):

Security researcher Francisco Alonso of the NowSecure Research Team used
the Address Sanitizer tool to discover an out-of-bounds read issue
during 2D canvas rendering. This was due to an issue in the cairo
graphics library when surfaces are created with 32-bit color depth but
displayed on a 16-bit color depth system, which is unsupported. This
allows an attacker to read an amount of random memory following the heap
for the 16-bit surface leading to information disclosure.

- CVE-2015-4516 (JavaScript immutable property enforcement can be bypassed):

Mozilla developer Jeff Walden reported that Gecko's implementation of the
ECMAScript 5 APIs enforces non-configurable properties with logic
specific to each API. Scripts that do not go through these APIs can
bypass these protections and make changes to the immutable properties in
violation of security protections. This could potentially allow web
content to run in a privileged context, leading to arbitrary code execution.

- CVE-2015-4519 (Dragging and dropping images exposes final URL after
redirects):

Security researcher Mario Gomes reported that when a previously loaded
image on a page is dragged and dropped into content after a redirect, the
redirected URL is available to scripts. This is a violation of the Fetch
specification's defined behavior for "Atomic HTTP redirect handling",
which states that redirected URLs are not exposed to any APIs. This can
allow for information leakage.

- CVE-2015-4520 (Errors in the handling of CORS preflight request headers):

Mozilla developer Ehsan Akhgari reported two issues with Cross-origin
resource sharing (CORS) "preflight" requests.

The first issue is that in some circumstances the same cache key can be
generated for two preflight requests on a site. As a result, if a second
request is made that will match the cached key generated by an earlier
request, CORS checks will be bypassed because the system will see the
previously cached request as applicable.

In the second issue, when some Access-Control- headers are missing from
CORS responses, the values of different Access-Control- headers that are
present in the same response can be used in their place.

- CVE-2015-4517 (Memory-safety bugs in NetworkUtils.cpp generally),
  CVE-2015-4521 (Memory-safety bugs in ConvertDialogOptions),
  CVE-2015-4522 (Overflow in nsUnicodeToUTF8::GetMaxLength can create
memory-safety bugs in callers),
  CVE-2015-7174 (Overflow in nsAttrAndChildArray::GrowBy causes
memory-safety bug),
  CVE-2015-7175 (Overflow in XULContentSinkImpl::AddText causes
memory-safety bug),
  CVE-2015-7176 (Bad sscanf argument in AnimationThread overruns stack
variable),
  CVE-2015-7177 (Memory-safety bug in InitTextures),
  CVE-2015-7180 (Mishandling return status in
ReadbackResultWriterD3D11::Run might cause memory-safety bug):

Security researcher Ronald Crane reported eight vulnerabilities
affecting released code that were found through code inspection. These
included several potential memory safety issues resulting from the use
of snprintf, one use of unowned memory, one use of a string without
overflow checks, and five memory safety bugs. These do not all have
clear mechanisms to be exploited through web content but are vulnerable
if a mechanism can be found to trigger them.

Impact
======
A remote attacker might be able to spoof the URL displayed in the
address bar, steal sensitive information, crash the browser or execute
arbitrary code on the affected host.

References
==========
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41
https://access.redhat.com/security/cve/CVE-2015-4500
https://access.redhat.com/security/cve/CVE-2015-4501
https://access.redhat.com/security/cve/CVE-2015-4502
https://access.redhat.com/security/cve/CVE-2015-4504
https://access.redhat.com/security/cve/CVE-2015-4506
https://access.redhat.com/security/cve/CVE-2015-4507
https://access.redhat.com/security/cve/CVE-2015-4508
https://access.redhat.com/security/cve/CVE-2015-4509
https://access.redhat.com/security/cve/CVE-2015-4510
https://access.redhat.com/security/cve/CVE-2015-4511
https://access.redhat.com/security/cve/CVE-2015-4512
https://access.redhat.com/security/cve/CVE-2015-4516
https://access.redhat.com/security/cve/CVE-2015-4517
https://access.redhat.com/security/cve/CVE-2015-4519
https://access.redhat.com/security/cve/CVE-2015-4520
https://access.redhat.com/security/cve/CVE-2015-4521
https://access.redhat.com/security/cve/CVE-2015-4522
https://access.redhat.com/security/cve/CVE-2015-7174
https://access.redhat.com/security/cve/CVE-2015-7175
https://access.redhat.com/security/cve/CVE-2015-7176
https://access.redhat.com/security/cve/CVE-2015-7177
https://access.redhat.com/security/cve/CVE-2015-7180
