openSUSE-SU-2015:0934

http://www.mozilla.org/security/announce/2015/mfsa2015-53.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

74611

USN-2602-1

https://bugzilla.mozilla.org/show_bug.cgi?id=988698

GLSA-201605-06

The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and       Thunderbird. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

Versions of Mozilla Firefox earlier than 38.0 (or ESR version 31.7) are unpatched for the following vulnerabilities : 

 - A privilege escalation vulnerability exists in the Inter-process Communications (IPC) implementation due to a failure to validate the identity of a listener process. (MFSA2015-57) 
 - An issue exists in the Mozilla updater in which DLL files in the current working directory or Windows temporary directories will be loaded, allowing the execution of arbitrary code. (CVE-2015-0833, CVE-2015-2720) 
 - Multiple memory corruption issues exist within the browser engine. A remote attacker can exploit these to corrupt memory and execute arbitrary code. (CVE-2015-2708, CVE-2015-2709) 
 - A buffer overflow condition exists in 'SVGTextFrame.cpp' when rendering SVG graphics that are combined with certain CSS properties due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2710) 
 - A security bypass vulnerability exists due to the referrer policy not being enforced in certain situations when opening links (e.g. using the context menu or a middle-clicks by mouse). A remote attacker can exploit this to bypass intended policy settings. (CVE-2015-2711) 
 - An out-of-bounds read and write issue exists in the 'CheckHeapLengthCondition()' function due to improper JavaScript validation of heap lengths. A remote attacker can exploit this, via a specially crafted web page, to disclose memory contents. (CVE-2015-2712) 
 - A use-after-free error exists due to improper processing of text when vertical text is enabled. A remote attacker can exploit this to dereference already freed memory. (CVE-2015-2713) - A use-after-free error exists in the 'RegisterCurrentThread()' function in 'nsThreadManager.cpp' due to a race condition related to media decoder threads created during the shutdown process. A remote attacker can exploit this to dereference already freed memory. (CVE-2015-2715) 
 - A buffer overflow condition exists in the 'XML_GetBuffer()' function in xmlparse.c due to improper validation of user-supplied input when handling compressed XML content. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2716) 
 - An integer overflow condition exists in the 'parseChunk()' function in 'MPEG4Extractor.cpp' due to improper handling of MP4 video metadata in chunks. A remote attacker can exploit this, via specially crafted media content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2717) 
 - A security bypass vulnerability exists in 'WebChannel.jsm' due to improper handling of message traffic. An untrusted page hosting a trusted page within an iframe can intercept webchannel responses for the trusted page. This allows a remote attacker, via a specially crafted web page, to bypass origin restrictions, resulting in the disclosure of sensitive information. (CVE-2015-2718) 
 - Multiple integer overflow conditions exist in the bundled libstagefright component due to improper validation of user-supplied input when processing MPEG4 sample metadata. A remote attacker can exploit this, via specially crafted media content, to execute arbitrary code. (CVE-2015-4496)

The Mozilla Firefox web browser was updated to version 38.0.1 to fix several security and non-security issues. This update also includes a Mozilla Network Security Services (NSS) update to version 3.18.1.

The following vulnerabilities and issues were fixed :

Changes in Mozilla Firefox :

  - update to Firefox 38.0.1 stability and regression fixes

  - Systems with first generation NVidia Optimus graphics     cards may crash on start-up

  - Users who import cookies from Google Chrome can end up     with broken websites

  - Large animated images may fail to play and may stop     other images from loading

  - update to Firefox 38.0 (bnc#930622)

  - New tab-based preferences

  - Ruby annotation support

  - more info:
    https://www.mozilla.org/en-US/firefox/38.0/releasenotes/     security fixes :

  - MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous     memory safety hazards

  - MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow     parsing H.264 video with Linux Gstreamer

  - MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow     with SVG content and CSS

  - MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy     ignored when links opened by middle-click and context     menu

  - MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds     read and write in asm.js validation

  - MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free     during text processing with vertical text enabled

  - MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free     due to Media Decoder Thread creation during shutdown

  - MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow     when parsing compressed XML

  - MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow     and out-of-bounds read while parsing MP4 video metadata

  - MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site     hosting trusted page can intercept webchannel responses

  - MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege     escalation through IPC channel messages

Changes in Mozilla NSS :

  - update to 3.18.1

  - Firefox target release 38

  - No new functionality is introduced in this release.
    Notable Changes :

  - The following CA certificate had the Websites and Code     Signing trust bits restored to their original state to     allow more time to develop a better transition strategy     for affected sites :

  - OU = Equifax Secure Certificate Authority

  - The following CA certificate was removed :

  - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi

  - The following intermediate CA certificate has been added     as actively distrusted because it was mis-used to issue     certificates for domain names the holder did not own or     control :

  - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG

  - The version number of the updated root CA list has been     set to 2.4

  - update to 3.18

  - Firefox target release 38 New functionality :

  - When importing certificates and keys from a PKCS#12     source, it's now possible to override the nicknames,     prior to importing them into the NSS database, using new     API SEC_PKCS12DecoderRenameCertNicknames.

  - The tstclnt test utility program has new command-line     options

    -C, -D, -b and -R. Use -C one, two or three times to     print information about the certificates received from a     server, and information about the locally found and     trusted issuer certificates, to diagnose server side     configuration issues. It is possible to run tstclnt

The version of Firefox installed on the remote Windows host is prior to 38.0. It is, therefore, affected by the following vulnerabilities :

  - A privilege escalation vulnerability exists in the     Inter-process Communications (IPC) implementation due     to a failure to validate the identity of a listener     process. (CVE-2011-3079)

  - An issue exists in the Mozilla updater in which DLL     files in the current working directory or Windows     temporary directories will be loaded, allowing the     execution of arbitrary code. (CVE-2015-0833 /     CVE-2015-2720)

  - Multiple memory corruption issues exist within the     browser engine. A remote attacker can exploit these to     corrupt memory and execute arbitrary code.
    (CVE-2015-2708, CVE-2015-2709)

  - A buffer overflow condition exists in SVGTextFrame.cpp     when rendering SVG graphics that are combined with     certain CSS properties due to improper validation of     user-supplied input. A remote attacker can exploit this     to cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2710)     
  - A security bypass vulnerability exists due to the     referrer policy not being enforced in certain situations     when opening links (e.g. using the context menu or a     middle-clicks by mouse). A remote attacker can exploit     this to bypass intended policy settings. (CVE-2015-2711)     
  - An out-of-bounds read and write issue exists in the     CheckHeapLengthCondition() function due to improper     JavaScript validation of heap lengths. A remote attacker     can exploit this, via a specially crafted web page, to     disclose memory contents. (CVE-2015-2712)

  - A use-after-free error exists due to improper processing     of text when vertical text is enabled. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2713)

  - A use-after-free error exists in the     RegisterCurrentThread() function in nsThreadManager.cpp     due to a race condition related to media decoder threads     created during the shutdown process. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2715)

  - A buffer overflow condition exists in the     XML_GetBuffer() function in xmlparse.c due to improper     validation of user-supplied input when handling     compressed XML content. An attacker can exploit this to     cause a buffer overflow, resulting in the execution of     arbitrary code. (CVE-2015-2716)

  - An integer overflow condition exists in the parseChunk()     function in MPEG4Extractor.cpp due to improper handling     of MP4 video metadata in chunks. A remote attacker can     exploit this, via specially crafted media content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2717)

  - A security bypass vulnerability exists in WebChannel.jsm     due to improper handling of message traffic. An     untrusted page hosting a trusted page within an iframe     can intercept webchannel responses for the trusted page.
    This allows a remote attacker, via a specially crafted     web page, to bypass origin restrictions, resulting in     the disclosure of sensitive information. (CVE-2015-2718)

  - Multiple integer overflow conditions exist in the     bundled libstagefright component due to improper     validation of user-supplied input when processing MPEG4     sample metadata. A remote attacker can exploit this, via     specially crafted media content, to execute arbitrary     code. (CVE-2015-4496)

The version of Firefox installed on the remote Mac OS X host is prior to 38.0. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist within the     browser engine. A remote attacker can exploit these to     corrupt memory and execute arbitrary code.
    (CVE-2015-2708, CVE-2015-2709)

  - A buffer overflow condition exists in SVGTextFrame.cpp     when rendering SVG graphics that are combined with     certain CSS properties due to improper validation of     user-supplied input. A remote attacker can exploit this     to cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2710)

  - A security bypass vulnerability exists due to the     referrer policy not being enforced in certain situations     when opening links (e.g. using the context menu or a     middle-clicks by mouse). A remote attacker can exploit     this to bypass intended policy settings. (CVE-2015-2711)

  - An out-of-bounds read and write issue exists in the     CheckHeapLengthCondition() function due to improper     JavaScript validation of heap lengths. A remote attacker     can exploit this, via a specially crafted web page, to     disclose memory contents. (CVE-2015-2712)

  - A use-after-free error exists due to improper processing     of text when vertical text is enabled. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2713)

  - A use-after-free error exists in the     RegisterCurrentThread() function in nsThreadManager.cpp     due to a race condition related to media decoder threads     created during the shutdown process. A remote attacker     can exploit this to dereference already freed memory.
    (CVE-2015-2715)

  - A buffer overflow condition exists in the     XML_GetBuffer() function in xmlparse.c due to improper     validation of user-supplied input when handling     compressed XML content. An attacker can exploit this to     cause a buffer overflow, resulting in the execution of     arbitrary code. (CVE-2015-2716)

  - An integer overflow condition exists in the parseChunk()     function in MPEG4Extractor.cpp due to improper handling     of MP4 video metadata in chunks. A remote attacker can     exploit this, via specially crafted media content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-2717)

  - A security bypass vulnerability exists in WebChannel.jsm     due to improper handling of message traffic. An     untrusted page hosting a trusted page within an iframe     can intercept webchannel responses for the trusted page.
    This allows a remote attacker, via a specially crafted     web page, to bypass origin restrictions, resulting in     the disclosure of sensitive information. (CVE-2015-2718)

  - Multiple integer overflow conditions exist in the     bundled libstagefright component due to improper     validation of user-supplied input when processing MPEG4     sample metadata. A remote attacker can exploit this, via     specially crafted media content, to execute arbitrary     code. (CVE-2015-4496)

Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Gary Kwong, Andrew McCreight, Christian Holler, Jon Coppeard, and Milan Sreckovic discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2708, CVE-2015-2709)

Atte Kettunen discovered a buffer overflow during the rendering of SVG content with certain CSS properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2710)

Alex Verstak discovered that <meta name='referrer'> is ignored in some circumstances. (CVE-2015-2711)

Dougall Johnson discovered an out of bounds read and write in asm.js.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2712)

Scott Bell discovered a use-afer-free during the processing of text when vertical text is enabled. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-2713)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during shutdown. An attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2715)

Ucha Gobejishvili discovered a buffer overflow when parsing compressed XML content. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2716)

A buffer overflow and out-of-bounds read were discovered when parsing metadata in MP4 files in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2717)

Mark Hammond discovered that when a trusted page is hosted within an iframe in an untrusted page, the untrusted page can intercept webchannel responses meant for the trusted page in some circumstances.
If a user were tricked in to opening a specially crafted website, an attacker could exploit this to bypass origin restrictions.
(CVE-2015-2718).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Mozilla Project reports :

MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer

MFSA-2015-48 Buffer overflow with SVG content and CSS

MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu

MFSA-2015-50 Out-of-bounds read and write in asm.js validation

MFSA-2015-51 Use-after-free during text processing with vertical text enabled

MFSA-2015-52 Sensitive URL encoded information written to Android logcat

MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown

MFSA-2015-54 Buffer overflow when parsing compressed XML

MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata

MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses

MFSA-2015-57 Privilege escalation through IPC channel messages

MFSA-2015-58 Mozilla Windows updater can be run outside of application directory

MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata

ID	Name	Product	Family	Severity
91379	GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	critical
8865	Mozilla Firefox < 38.0 / Firefox ESR < 31.7 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
83801	openSUSE Security Update : MozillaFirefox (openSUSE-2015-375)	Nessus	SuSE Local Security Checks	critical
83439	Firefox < 38.0 Multiple Vulnerabilities	Nessus	Windows	critical
83437	Firefox < 38.0 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
83434	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : firefox vulnerabilities (USN-2602-1)	Nessus	Ubuntu Local Security Checks	high
83389	FreeBSD : mozilla -- multiple vulnerabilities (d9b43004-f5fd-4807-b1d7-dbf66455b244)	Nessus	FreeBSD Local Security Checks	critical

CVE-2015-2715

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins