http://code.google.com/p/chromium/issues/detail?id=117627

http://googlechromereleases.blogspot.com/2012/04/stable-channel-update_30.html

openSUSE-SU-2015:0892

openSUSE-SU-2015:1266

openSUSE-SU-2015:0934

81645

RHSA-2015:1012

48992

DSA-3260

http://www.mozilla.org/security/announce/2015/mfsa2015-57.html

53309

1027001

https://bugzilla.mozilla.org/show_bug.cgi?id=1087565

chrome-ipc-validation-code-execution(75271)

oval:org.mitre.oval:def:14964

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.7

The Mozilla Firefox web browser was updated to version 38.0.1 to fix several security and non-security issues. This update also includes a Mozilla Network Security Services (NSS) update to version 3.18.1.

The following vulnerabilities and issues were fixed :

Changes in Mozilla Firefox :

  - update to Firefox 38.0.1 stability and regression fixes

  - Systems with first generation NVidia Optimus graphics     cards may crash on start-up

  - Users who import cookies from Google Chrome can end up     with broken websites

  - Large animated images may fail to play and may stop     other images from loading

  - update to Firefox 38.0 (bnc#930622)

  - New tab-based preferences

  - Ruby annotation support

  - more info:
    https://www.mozilla.org/en-US/firefox/38.0/releasenotes/     security fixes :

  - MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous     memory safety hazards

  - MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow     parsing H.264 video with Linux Gstreamer

  - MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow     with SVG content and CSS

  - MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy     ignored when links opened by middle-click and context     menu

  - MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds     read and write in asm.js validation

  - MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free     during text processing with vertical text enabled

  - MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free     due to Media Decoder Thread creation during shutdown

  - MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow     when parsing compressed XML

  - MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow     and out-of-bounds read while parsing MP4 video metadata

  - MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site     hosting trusted page can intercept webchannel responses

  - MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege     escalation through IPC channel messages

Changes in Mozilla NSS :

  - update to 3.18.1

  - Firefox target release 38

  - No new functionality is introduced in this release.
    Notable Changes :

  - The following CA certificate had the Websites and Code     Signing trust bits restored to their original state to     allow more time to develop a better transition strategy     for affected sites :

  - OU = Equifax Secure Certificate Authority

  - The following CA certificate was removed :

  - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi

  - The following intermediate CA certificate has been added     as actively distrusted because it was mis-used to issue     certificates for domain names the holder did not own or     control :

  - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG

  - The version number of the updated root CA list has been     set to 2.4

  - update to 3.18

  - Firefox target release 38 New functionality :

  - When importing certificates and keys from a PKCS#12     source, it's now possible to override the nicknames,     prior to importing them into the NSS database, using new     API SEC_PKCS12DecoderRenameCertNicknames.

  - The tstclnt test utility program has new command-line     options

    -C, -D, -b and -R. Use -C one, two or three times to     print information about the certificates received from a     server, and information about the locally found and     trusted issuer certificates, to diagnose server side     configuration issues. It is possible to run tstclnt

The Mozilla Thunderbird email, news, and chat client was updated to version 31.7.0 to fix several security issues.

The following vulnerabilities were fixed (bnc#930622) :

  - MFSA 2015-46/CVE-2015-2708 Miscellaneous memory safety     hazards

  - MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow     parsing H.264 video with Linux Gstreamer

  - MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow     with SVG content and CSS

  - MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free     during text processing with vertical text enabled

  - MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow     when parsing compressed XML

  - MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege     escalation through IPC channel messages

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713)

A heap-based buffer overflow flaw was found in the way Thunderbird processed compressed XML data. An attacker could create specially crafted compressed XML content that, when processed by Thunderbird, could cause it to crash or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2716)

Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.7. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.7, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

From Red Hat Security Advisory 2015:1012 :

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713)

A heap-based buffer overflow flaw was found in the way Thunderbird processed compressed XML data. An attacker could create specially crafted compressed XML content that, when processed by Thunderbird, could cause it to crash or execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-2716)

Note: All of the above issues cannot be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 31.7. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 31.7, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.

The version of Thunderbird installed on the remote Windows host is prior to 31.7. It is, therefore, affected by the following vulnerabilities :

  - A privilege escalation vulnerability exists in the     Inter-process Communications (IPC) implementation due     to a failure to validate the identity of a listener     process. (CVE-2011-3079)

  - Multiple memory corruption issues exist within the     browser engine. A remote attacker can exploit these to     corrupt memory and execute arbitrary code.
    (CVE-2015-2708)

  - A buffer overflow condition exists in SVGTextFrame.cpp     when rendering SVG graphics that are combined with     certain CSS properties due to improper validation of     user-supplied input. A remote attacker can exploit this     to cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2710)

  - A use-after-free error exists due to improper processing     of text when vertical text is enabled. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2713)

  - A buffer overflow condition exists in the     XML_GetBuffer() function in xmlparse.c due to improper     validation of user-supplied input when handling     compressed XML content. An attacker can exploit this to     cause a buffer overflow, resulting in the execution of     arbitrary code. (CVE-2015-2716)

The version of Firefox installed on the remote Windows host is prior to 38.0. It is, therefore, affected by the following vulnerabilities :

  - A privilege escalation vulnerability exists in the     Inter-process Communications (IPC) implementation due     to a failure to validate the identity of a listener     process. (CVE-2011-3079)

  - An issue exists in the Mozilla updater in which DLL     files in the current working directory or Windows     temporary directories will be loaded, allowing the     execution of arbitrary code. (CVE-2015-0833 /     CVE-2015-2720)

  - Multiple memory corruption issues exist within the     browser engine. A remote attacker can exploit these to     corrupt memory and execute arbitrary code.
    (CVE-2015-2708, CVE-2015-2709)

  - A buffer overflow condition exists in SVGTextFrame.cpp     when rendering SVG graphics that are combined with     certain CSS properties due to improper validation of     user-supplied input. A remote attacker can exploit this     to cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2710)     
  - A security bypass vulnerability exists due to the     referrer policy not being enforced in certain situations     when opening links (e.g. using the context menu or a     middle-clicks by mouse). A remote attacker can exploit     this to bypass intended policy settings. (CVE-2015-2711)     
  - An out-of-bounds read and write issue exists in the     CheckHeapLengthCondition() function due to improper     JavaScript validation of heap lengths. A remote attacker     can exploit this, via a specially crafted web page, to     disclose memory contents. (CVE-2015-2712)

  - A use-after-free error exists due to improper processing     of text when vertical text is enabled. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2713)

  - A use-after-free error exists in the     RegisterCurrentThread() function in nsThreadManager.cpp     due to a race condition related to media decoder threads     created during the shutdown process. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2715)

  - A buffer overflow condition exists in the     XML_GetBuffer() function in xmlparse.c due to improper     validation of user-supplied input when handling     compressed XML content. An attacker can exploit this to     cause a buffer overflow, resulting in the execution of     arbitrary code. (CVE-2015-2716)

  - An integer overflow condition exists in the parseChunk()     function in MPEG4Extractor.cpp due to improper handling     of MP4 video metadata in chunks. A remote attacker can     exploit this, via specially crafted media content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2717)

  - A security bypass vulnerability exists in WebChannel.jsm     due to improper handling of message traffic. An     untrusted page hosting a trusted page within an iframe     can intercept webchannel responses for the trusted page.
    This allows a remote attacker, via a specially crafted     web page, to bypass origin restrictions, resulting in     the disclosure of sensitive information. (CVE-2015-2718)

  - Multiple integer overflow conditions exist in the     bundled libstagefright component due to improper     validation of user-supplied input when processing MPEG4     sample metadata. A remote attacker can exploit this, via     specially crafted media content, to execute arbitrary     code. (CVE-2015-4496)

The version of Firefox ESR 31.x installed on the remote Windows host is prior to 31.7. It is, therefore, affected by the following vulnerabilities :

  - A privilege escalation vulnerability exists in the     Inter-process Communications (IPC) implementation due     to a failure to validate the identity of a listener     process. (CVE-2011-3079)

  - Multiple memory corruption issues exist within the     browser engine. A remote attacker can exploit these to     corrupt memory and execute arbitrary code.
    (CVE-2015-2708)

  - A buffer overflow condition exists in SVGTextFrame.cpp     when rendering SVG graphics that are combined with     certain CSS properties due to improper validation of     user-supplied input. A remote attacker can exploit this     to cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2710)

  - A use-after-free error exists due to improper processing     of text when vertical text is enabled. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2713)

  - A buffer overflow condition exists in the     XML_GetBuffer() function in xmlparse.c due to improper     validation of user-supplied input when handling     compressed XML content. An attacker can exploit this to     cause a buffer overflow, resulting in the execution of     arbitrary code. (CVE-2015-2716)

Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and use-after-frees may lead to the execution of arbitrary code, privilege escalation or denial of service.

The Mozilla Project reports :

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata

Chromium version 20.0.1128 fixes several security issues :

  - CVE-2011-3078: Use after free in floats handling.

  - CVE-2012-1521: Use after free in xml parser.

  - CVE-2011-3079: IPC validation failure.

  - CVE-2011-3080: Race condition in sandbox IPC

  - CVE-2011-3081: Use after free in floats handling.

Versions of Google Chrome prior to 18.0.1025.168 are affected by the following vulnerabilities :

  - Use-after-free errors exist related to floating element handling and the xml parser. (CVE-2011-3078, CVE-2012-1521, CVE-2011-3081)

  - A validation error exists related to Inter-Process Communications (IPC). (CVE-2011-3079)

  - A race condition exists in the method 'CrossCallParamsEx::CreateFromBuffer' in the file 'sandbox/src/crosscall_server.cc' and is related to sandbox Inter-Process Communication (IPC). (CVE-2011-3080)

Google Chrome Releases reports :

[106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.

[117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.

[121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.

[121899] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.

[117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).

The version of Google Chrome installed on the remote host is earlier than 18.0.1025.168 and is, therefore, affected by the following vulnerabilities :

  - Use-after-free errors exist related to floating element     handling and the xml parser. (CVE-2011-3078,     CVE-2012-1521, CVE-2011-3081)

  - A validation error exists related to Inter-Process     Communications (IPC). (CVE-2011-3079)

  - A race condition exists in the method     'CrossCallParamsEx::CreateFromBuffer' in the file     'sandbox/src/crosscall_server.cc' and is related to     sandbox Inter-Process Communication (IPC).
    (CVE-2011-3080)

ID	Name	Product	Family	Severity
83801	openSUSE Security Update : MozillaFirefox (openSUSE-2015-375)	Nessus	SuSE Local Security Checks	critical
83800	openSUSE Security Update : MozillaThunderbird (openSUSE-2015-374)	Nessus	SuSE Local Security Checks	critical
83537	RHEL 5 / 6 / 7 : thunderbird (RHSA-2015:1012)	Nessus	Red Hat Local Security Checks	critical
83535	Oracle Linux 6 / 7 : thunderbird (ELSA-2015-1012)	Nessus	Oracle Linux Local Security Checks	critical
83530	CentOS 5 / 6 / 7 : thunderbird (CESA-2015:1012)	Nessus	CentOS Local Security Checks	critical
83464	Mozilla Thunderbird < 31.7 Multiple Vulnerabilities	Nessus	Windows	critical
83439	Firefox < 38.0 Multiple Vulnerabilities	Nessus	Windows	high
83438	Firefox ESR 31.x < 31.7 Multiple Vulnerabilities	Nessus	Windows	high
83423	Debian DSA-3260-1 : iceweasel - security update	Nessus	Debian Local Security Checks	critical
83389	FreeBSD : mozilla -- multiple vulnerabilities (d9b43004-f5fd-4807-b1d7-dbf66455b244)	Nessus	FreeBSD Local Security Checks	critical
74622	openSUSE Security Update : chromium / v8 (openSUSE-SU-2012:0613-1)	Nessus	SuSE Local Security Checks	critical
800935	Google Chrome < 18.0.1025.168 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
6783	Google Chrome < 18.0.1025.168 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
58963	FreeBSD : chromium -- multiple vulnerabilities (94c0ac4f-9388-11e1-b242-00262d5ed8ee)	Nessus	FreeBSD Local Security Checks	critical
58954	Google Chrome < 18.0.1025.168 Multiple Vulnerabilities	Nessus	Windows	high

CVE-2011-3079

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins