FEDORA-2014-14084

FEDORA-2014-13042

openSUSE-SU-2014:1344

openSUSE-SU-2014:1345

62022

62023

http://www.mozilla.org/security/announce/2014/mfsa2014-78.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

70431

1031028

USN-2372-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1063733

GLSA-201504-01

The remote host is affected by the vulnerability described in GLSA-201504-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, Thunderbird,       and SeaMonkey. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms,  or have other unspecified       impact.
  Workaround :

    There are no known workarounds at this time.

seamonkey was updated to version 2.31 to fix 20 security issues.

These security issues were fixed :

  - Miscellaneous memory safety hazards (CVE-2014-1587,     CVE-2014-1588).

  - XBL bindings accessible via improper CSS declarations     (CVE-2014-1589).

  - XMLHttpRequest crashes with some input streams     (CVE-2014-1590).

  - CSP leaks redirect data via violation reports     (CVE-2014-1591).

  - Use-after-free during HTML5 parsing (CVE-2014-1592).

  - Buffer overflow while parsing media content     (CVE-2014-1593).

  - Bad casting from the BasicThebesLayer to     BasicContainerLayer (CVE-2014-1594).

  - Miscellaneous memory safety hazards (CVE-2014-1574,     CVE-2014-1575).

  - Buffer overflow during CSS manipulation (CVE-2014-1576).

  - Web Audio memory corruption issues with custom waveforms     (CVE-2014-1577).

  - Out-of-bounds write with WebM video (CVE-2014-1578).

  - Further uninitialized memory use during GIF rendering     (CVE-2014-1580).

  - Use-after-free interacting with text directionality     (CVE-2014-1581).

  - Key pinning bypasses (CVE-2014-1582, CVE-2014-1584).

  - Inconsistent video sharing within iframe (CVE-2014-1585,     CVE-2014-1586).

  - Accessing cross-origin objects via the Alarms API (only     relevant for installed web apps) (CVE-2014-1583).

This non-security issue was fixed :

  - define /usr/share/myspell as additional dictionary     location and remove add-plugins.sh finally (bnc#900639).

- update to Firefox 33.0 (bnc#900941) New features :

  - OpenH264 support (sandboxed)

  - Enhanced Tiles

  - Improved search experience through the location bar

  - Slimmer and faster JavaScript strings

  - New CSP (Content Security Policy) backend

  - Support for connecting to HTTP proxy over HTTPS

  - Improved reliability of the session restoration

  - Proprietary window.crypto properties/functions removed     Security :

  - MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous     memory safety hazards

  - MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow     during CSS manipulation

  - MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio     memory corruption issues with custom waveforms

  - MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds     write with WebM video

  - MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further     uninitialized memory use during GIF rendering

  - MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free     interacting with text directionality

  - MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095,     bmo#1066190) Key pinning bypasses

  - MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,     bmo#1062981) Inconsistent video sharing within iframe

  - MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing     cross-origin objects via the Alarms API (only relevant     for installed web apps)

  - requires NSPR 4.10.7

  - requires NSS 3.17.1

  - removed obsolete patches :

  - mozilla-ppc.patch

  - mozilla-libproxy-compat.patch

  - added basic appdata information

  - update to SeaMonkey 2.30 (bnc#900941)

  - venkman debugger removed from application and therefore     obsolete package seamonkey-venkman

  - MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous     memory safety hazards

  - MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow     during CSS manipulation

  - MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio     memory corruption issues with custom waveforms

  - MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds     write with WebM video

  - MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further     uninitialized memory use during GIF rendering

  - MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free     interacting with text directionality

  - MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095,     bmo#1066190) Key pinning bypasses

  - MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,     bmo#1062981) Inconsistent video sharing within iframe

  - MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing     cross-origin objects via the Alarms API (only relevant     for installed web apps)

  - requires NSPR 4.10.7

  - requires NSS 3.17.1

  - removed obsolete patches :

  - mozilla-ppc.patch

  - mozilla-libproxy-compat.patch

Changes in mozilla-nss :

  - update to 3.17.1 (bnc#897890)

  - Change library's signature algorithm default to SHA256

  - Add support for draft-ietf-tls-downgrade-scsv

  - Add clang-cl support to the NSS build system

  - Implement TLS 1.3 :

  - Part 1. Negotiate TLS 1.3

  - Part 2. Remove deprecated cipher suites andcompression.

  - Add support for little-endian powerpc64

  - update to 3.17

  - required for Firefox 33 New functionality :

  - When using ECDHE, the TLS server code may be configured     to generate a fresh ephemeral ECDH key for each     handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY     socket option to PR_FALSE. The     SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE,     which means the server's ephemeral ECDH key is reused     for multiple handshakes. This option does not affect the     TLS client code, which always generates a fresh     ephemeral ECDH key for each handshake. New Macros

  - SSL_REUSE_SERVER_ECDHE_KEY Notable Changes :

  - The manual pages for the certutil and pp tools have been     updated to document the new parameters that had been     added in NSS 3.16.2.

  - On Windows, the new build variable USE_STATIC_RTL can be     used to specify the static C runtime library should be     used. By default the dynamic C runtime library is used.
    Changes in mozilla-nspr :

  - update to version 4.10.7

  - bmo#836658: VC11+ defaults to SSE2 builds by default.

  - bmo#979278: TSan: data race     nsprpub/pr/src/threads/prtpd.c:103     PR_NewThreadPrivateIndex.

  - bmo#1026129: Replace some manual declarations of MSVC     intrinsics with #include <intrin.h>.

  - bmo#1026469: Use AC_CHECK_LIB instead of     MOZ_CHECK_PTHREADS. Skip compiler checks when using     MSVC, even when $CC is not literally 'cl'.

  - bmo#1034415: NSPR hardcodes the C compiler to cl on     Windows.

  - bmo#1042408: Compilation fix for Android > API level 19.

  - bmo#1043082: NSPR's build system hardcodes -MD.

- update to Firefox 33.0 (bnc#900941) New features :

  - OpenH264 support (sandboxed)

  - Enhanced Tiles

  - Improved search experience through the location bar

  - Slimmer and faster JavaScript strings

  - New CSP (Content Security Policy) backend

  - Support for connecting to HTTP proxy over HTTPS

  - Improved reliability of the session restoration

  - Proprietary window.crypto properties/functions removed     Security :

  - MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous     memory safety hazards

  - MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow     during CSS manipulation

  - MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio     memory corruption issues with custom waveforms

  - MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds     write with WebM video

  - MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further     uninitialized memory use during GIF rendering

  - MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free     interacting with text directionality

  - MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095,     bmo#1066190) Key pinning bypasses

  - MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,     bmo#1062981) Inconsistent video sharing within iframe

  - MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing     cross-origin objects via the Alarms API (only relevant     for installed web apps)

  - requires NSPR 4.10.7

  - requires NSS 3.17.1

  - removed obsolete patches :

  - mozilla-ppc.patch

  - mozilla-libproxy-compat.patch

  - added basic appdata information

  - update to SeaMonkey 2.30 (bnc#900941)

  - venkman debugger removed from application and therefore     obsolete package seamonkey-venkman

  - MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous     memory safety hazards

  - MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow     during CSS manipulation

  - MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio     memory corruption issues with custom waveforms

  - MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds     write with WebM video

  - MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further     uninitialized memory use during GIF rendering

  - MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free     interacting with text directionality

  - MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095,     bmo#1066190) Key pinning bypasses

  - MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,     bmo#1062981) Inconsistent video sharing within iframe

  - MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing     cross-origin objects via the Alarms API (only relevant     for installed web apps)

  - requires NSPR 4.10.7

  - requires NSS 3.17.1

  - removed obsolete patches :

  - mozilla-ppc.patch

  - mozilla-libproxy-compat.patch

Changes in mozilla-nspr :

  - update to version 4.10.7

  - bmo#836658: VC11+ defaults to SSE2 builds by default.

  - bmo#979278: TSan: data race     nsprpub/pr/src/threads/prtpd.c:103     PR_NewThreadPrivateIndex.

  - bmo#1026129: Replace some manual declarations of MSVC     intrinsics with #include <intrin.h>.

  - bmo#1026469: Use AC_CHECK_LIB instead of     MOZ_CHECK_PTHREADS. Skip compiler checks when using     MSVC, even when $CC is not literally 'cl'.

  - bmo#1034415: NSPR hardcodes the C compiler to cl on     Windows.

  - bmo#1042408: Compilation fix for Android > API level 19.

  - bmo#1043082: NSPR's build system hardcodes -MD.

Changes in mozilla-nss :

  - update to 3.17.1 (bnc#897890)

  - Change library's signature algorithm default to SHA256

  - Add support for draft-ietf-tls-downgrade-scsv

  - Add clang-cl support to the NSS build system

  - Implement TLS 1.3 :

  - Part 1. Negotiate TLS 1.3

  - Part 2. Remove deprecated cipher suites andcompression.

  - Add support for little-endian powerpc64

  - update to 3.17

  - required for Firefox 33 New functionality :

  - When using ECDHE, the TLS server code may be configured     to generate a fresh ephemeral ECDH key for each     handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY     socket option to PR_FALSE. The     SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE,     which means the server's ephemeral ECDH key is reused     for multiple handshakes. This option does not affect the     TLS client code, which always generates a fresh     ephemeral ECDH key for each handshake. New Macros

  - SSL_REUSE_SERVER_ECDHE_KEY Notable Changes :

  - The manual pages for the certutil and pp tools have been     updated to document the new parameters that had been     added in NSS 3.16.2.

  - On Windows, the new build variable USE_STATIC_RTL can be     used to specify the static C runtime library should be     used. By default the dynamic C runtime library is used.

New upstream version - Firefox 33. Update to the latest upstream 32.0.2.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of Mozilla Firefox earlier than 33.0 (or ESR version 31.1) are unpatched for the following vulnerabilities :

 - Buffer overflow vulnerability exists when capitalization style changes occur during CSS parsing. (CVE-2014-1576)
 - Out-of-bounds read error in the Web Audio component when invalid values are used in custom waveforms can lead to denial of service or information disclosure. (CVE-2014-1577)
 - Out-of-bounds write error when processing invalid tile sizes in 'WebM' format videos can be leveraged for arbitrary code execution. (CVE-2014-1578)
 - Memory is not properly initialized during GIF rendering within a '<canvas>' element, which can be leveraged via a specially crafted web script to acquire sensitive information from the process memory. (CVE-2014-1580)
 - Use-after-free error in the 'DirectionalityUtils' component when text direction is used in the text layout can be leveraged for arbitrary code execution. (CVE-2014-1581)
 - Multiple security bypass vulnerabilities exist in the implementation of Public Key Pinning (PKP); one issue can be triggered via SPDY's or HTTP/2's connection-coalescing property in the case of a shared IP address, and another issue is exposed by an unspecified issuer-verification error. Both scenarios can be leveraged for man-in-the-middle attacks. Note that key pinning was introduced in Firefox 32. (CVE-2014-1582, CVE-2014-1584)
 - A cross-origin policy bypass exists that could allow a malicious app to use 'AlarmAPI' to read cross-origin references and possibly perform unauthorized actions through the victim user's session. (CVE-2014-1583)
 - Multiple issues exist in WebRTC when the session is running within an 'iframe' element that will allow the session to be accessible even when sharing is stopped and when returning to the website. This could result in the video inadvertently being shared. (CVE-2014-1585, CVE-2014-1586)
 - Multiple memory safety flaws exist within the browser engine, which can likely be leveraged for denial of service or arbitrary code execution. (CVE-2014-1574, CVE-2014-1575)

The Mozilla Project reports :

MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

MFSA 2014-75 Buffer overflow during CSS manipulation

MFSA 2014-76 Web Audio memory corruption issues with custom waveforms

MFSA 2014-78 Further uninitialized memory use during GIF

MFSA 2014-79 Use-after-free interacting with text directionality

MFSA 2014-80 Key pinning bypasses

MFSA 2014-81 Inconsistent video sharing within iframe

MFSA 2014-82 Accessing cross-origin objects via the Alarms API

The version of Firefox installed on the remote Windows host is a version prior to 33.0. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory safety flaws exist within the browser     engine. Exploiting these, an attacker can cause a denial     of service or execute arbitrary code. (CVE-2014-1574,     CVE-2014-1575)

  - A buffer overflow vulnerability exists when     capitalization style changes occur during CSS parsing.
    (CVE-2014-1576)

  - An out-of-bounds read error exists in the Web Audio     component when invalid values are used in custom     waveforms that leads to a denial of service or     information disclosure. (CVE-2014-1577)

  - An out-of-bounds write error exists when processing     invalid tile sizes in 'WebM' format videos that result     in arbitrary code execution. (CVE-2014-1578)

  - Memory is not properly initialized during GIF rendering     within a '<canvas>' element. Using a specially crafted     web script, a remote attacker can exploit this to     acquire sensitive information from the process memory.
    (CVE-2014-1580)

  - A use-after-free error exists in the     'DirectionalityUtils' component when text direction is     used in the text layout that results in arbitrary     code execution. (CVE-2014-1581)

  - Multiple security bypass vulnerabilities exist related     to key pinning, a method to prevent man-in-the-middle     attacks by verifying certificates. An attacker can use     SPDY or HTTP/2 connection coalescing to bypass key     pinning on websites that use a domain name that resolve     to the same IP address. Another issue exists in which     key pinning verification is not performed due to an     issue verifying the issuer of an SSL certificate. These     issues could result in man-in-the-middle attacks. Note     that key pinning was introduced in Firefox 32.
    (CVE-2014-1582, CVE-2014-1584)

  - An error exists that could allow a malicious app to use     'AlarmAPI' to read cross-origin references and possibly     allow for the same-origin policy to be bypassed.
    (CVE-2014-1583)

  - Multiple issues exist in WebRTC when the session is     running within an 'iframe' element that will allow the     session to be accessible even when sharing is stopped     and when returning to the website. This could lead to     video inadvertently being shared. (CVE-2014-1585,     CVE-2014-1586)

The version of Firefox installed on the remote Mac OS X host is a version prior to 33.0. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory safety flaws exist within the browser     engine. Exploiting these, an attacker can cause a denial     of service or execute arbitrary code. (CVE-2014-1574,     CVE-2014-1575)

  - A buffer overflow vulnerability exists when     capitalization style changes occur during CSS parsing.
    (CVE-2014-1576)

  - An out-of-bounds read error exists in the Web Audio     component when invalid values are used in custom     waveforms that leads to a denial of service or     information disclosure. (CVE-2014-1577)

  - An out-of-bounds write error exists when processing     invalid tile sizes in 'WebM' format videos that result     in arbitrary code execution. (CVE-2014-1578)

  - Memory is not properly initialized during GIF rendering     within a '<canvas>' element. Using a specially crafted     web script, a remote attacker can exploit this to     acquire sensitive information from the process memory.
    (CVE-2014-1580)

  - A use-after-free error exists in the     'DirectionalityUtils' component when text direction is     used in the text layout that results in arbitrary     code execution. (CVE-2014-1581)

  - Multiple security bypass vulnerabilities exist related     to key pinning, a method to prevent man-in-the-middle     attacks by verifying certificates. An attacker can use     SPDY or HTTP/2 connection coalescing to bypass key     pinning on websites that use a domain name that resolve     to the same IP address. Another issue exists in which     key pinning verification is not performed due to an     issue verifying the issuer of an SSL certificate. These     issues could result in man-in-the-middle attacks. Note     that key pinning was introduced in Firefox 32.
    (CVE-2014-1582, CVE-2014-1584)

  - An error exists that could allow a malicious app to use     'AlarmAPI' to read cross-origin references and possibly     allow for the same-origin policy to be bypassed.
    (CVE-2014-1583)

  - Multiple issues exist in WebRTC when the session is     running within an 'iframe' element that will allow the     session to be accessible even when sharing is stopped     and when returning to the website. This could lead to     video inadvertently being shared. (CVE-2014-1585,     CVE-2014-1586)

Bobby Holley, Christian Holler, David Bolter, Byron Campen, Jon Coppeard, Carsten Book, Martijn Wargers, Shih-Chiang Chien, Terrence Cole and Jeff Walden discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1574, CVE-2014-1575)

Atte Kettunen discovered a buffer overflow during CSS manipulation. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1576)

Holger Fuhrmannek discovered an out-of-bounds read with Web Audio. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal sensitive information. (CVE-2014-1577)

Abhishek Arya discovered an out-of-bounds write when buffering WebM video in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-1578)

Michal Zalewski discovered that memory may not be correctly initialized when rendering a malformed GIF in to a canvas in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal sensitive information. (CVE-2014-1580)

A use-after-free was discovered during text layout in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1581)

Patrick McManus and David Keeler discovered 2 issues that could result in certificate pinning being bypassed in some circumstances. An attacker with a fraudulent certificate could potentially exploit this conduct a man in the middle attack. (CVE-2014-1582, CVE-2014-1584)

Eric Shepherd and Jan-Ivar Bruaroey discovered issues with video sharing via WebRTC in iframes, where video continues to be shared after being stopped and navigating to a new site doesn't turn off the camera. An attacker could potentially exploit this to access the camera without the user being aware. (CVE-2014-1585, CVE-2014-1586)

Boris Zbarsky discovered that webapps could use the Alarm API to read the values of cross-origin references. If a user were tricked in to installing a specially crafter webapp, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2014-1583).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
82632	GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
80093	openSUSE Security Update : seamonkey (openSUSE-SU-2014:1655-1)	Nessus	SuSE Local Security Checks	high
78818	openSUSE Security Update : firefox / mozilla-nspr / mozilla-nss (openSUSE-SU-2014:1344-1)	Nessus	SuSE Local Security Checks	critical
78817	openSUSE Security Update : firefox / mozilla-nspr / mozilla-nss and seamonkey (openSUSE-SU-2014:1345-1)	Nessus	SuSE Local Security Checks	critical
78813	Fedora 21 : firefox-33.0-1.fc21 (2014-14084)	Nessus	Fedora Local Security Checks	high
78573	Fedora 20 : firefox-33.0-1.fc20 (2014-13042)	Nessus	Fedora Local Security Checks	high
8553	Mozilla Firefox < 33.0 / Firefox ESR < 31.2 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
78496	FreeBSD : mozilla -- multiple vulnerabilities (9c1495ac-8d8c-4789-a0f3-8ca6b476619c)	Nessus	FreeBSD Local Security Checks	high
78473	Firefox < 33.0 Multiple Vulnerabilities	Nessus	Windows	high
78470	Firefox < 33.0 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
78466	Ubuntu 12.04 LTS / 14.04 LTS : firefox vulnerabilities (USN-2372-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2014-1580

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins