openSUSE-SU-2015:1389

openSUSE-SU-2015:1390

openSUSE-SU-2016:0876

openSUSE-SU-2016:0894

http://www.mozilla.org/security/announce/2015/mfsa2015-81.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

1033247

USN-2702-1

USN-2702-2

USN-2702-3

https://bugzilla.mozilla.org/show_bug.cgi?id=1179484

GLSA-201605-06

The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and       Thunderbird. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

MozillaThunderbird was updated to 38.7.0 to fix the following issues :

  - Update to Thunderbird 38.7.0 (boo#969894)

  - MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free     in MediaStream playback

  - MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin     policy violation using performance.getEntries and     history navigation

  - MFSA 2016-16/CVE-2016-1952 Miscellaneous memory safety     hazards

  - MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file     overwriting and potential privilege escalation through     CSP reports

  - MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in     libstagefright when deleting an array during MP4     processing

  - MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page     address can be overridden

  - MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)     Use-after-free in HTML5 string parser

  - MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)     Use-after-free in SetBody

  - MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free     when using multiple WebRTC data channels

  - MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free     during XML transformations

  - MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar     spoofing though history navigation and Location protocol     property

  - MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory     corruption with malicious NPAPI plugin

  - MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds     read in HTML parser following a failed allocation

  - MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/     CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/     CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/     CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font     vulnerabilities in the Graphite 2 library

The version of Mozilla Firefox is prior to 40.0 and is affected by multiple vulnerabilities : 

 - Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code. (CVE-2015-4473) 
 - Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code. (CVE-2015-4474) 
 - An out-of-bounds read error exists in the 'PlayFromAudioQueue()' function due to improper handling of mismatched sample formats. A remote attacker can exploit this, via a specially crafted MP3 file, to disclose memory contents or execute arbitrary code. (CVE-2015-4475) 
 - A use-after-free error exists in the Web Audio API during MediaStream playback. A remote attacker can exploit this to dereference already freed memory, resulting in the potential execution of arbitrary code. (CVE-2015-4477) 
 - A same-origin policy bypass vulnerability exists due to non-configurable properties being redefined in violation of the ECMAScript 6 standard during JSON parsing. A remote attacker can exploit this, by editing these properties to arbitrary values, to bypass the same-origin policy. (CVE-2015-4478) 
 - Multiple integer overflow conditions exist due to improper validation of user-supplied input when handling 'saio' chunks in MPEG4 video. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4479) 
 - An integer overflow condition exists in the bundled libstagefright component when handling H.264 media content. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4480) 
 - An arbitrary file overwrite vulnerability exists in the Mozilla Maintenance Service due to a race condition. An attacker can exploit this, via the use of a hard link, to overwrite arbitrary files with log output. (CVE-2015-4481) 
 - An out-of-bounds write error exists due to an array indexing flaw in the 'mar_consume_index()' function when handling index names in MAR files. An attacker can exploit this to execute arbitrary code. (CVE-2015-4482) 
 - A security bypass vulnerability exists due to a flaw in the 'ShouldLoad()' function that occurs during the handling of POST requests to URLs using the 'feed:' URI handler. An attacker can exploit this to bypass the mixed content blocker. (CVE-2015-4483) 
 - A denial of service vulnerability exists when handling JavaScript using shared memory without properly gating access to Atomics and SharedArrayBuffer views. An attacker can exploit this to crash the program, resulting in a denial of service condition. (CVE-2015-4484) 
 - A heap-based buffer overflow condition exists in the  'resize_context_buffers()' function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4485) 
 - A heap-based buffer overflow condition exists in the 'decrease_ref_count()' function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4486) 
 - A buffer overflow condition exists in the 'ReplacePrep()' function. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4487) 
 - A use-after-free error exists in the 'operator=()' function. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4488) 
 - A memory corruption issue exists in the 'nsTArray_Impl()' function due to improper validation of user-supplied input during self-assignment. An attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2015-4489) 
 - A security bypass vulnerability exists due to a discrepancy in the implementation of Content Security Policy and the CSP specification. The specification states that 'blob:', 'data:', and 'filesystem:' URLs should be excluded in case of a wildcard when matching source expressions, but Mozilla's implementation allows these in the case of an asterisk wildcard. A remote attacker can exploit this to bypass restrictions. (CVE-2015-4490) 
 - A use-after-free error exists in the 'XMLHttpRequest::Open()' function due to improper handling of recursive calls. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4492) 
 - An integer underflow condition exists in the bundled libstagefright library. An attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-4493) 
 - A flaw in the same origin policy in which an attacker can inject script code into a non-privileged part of browser's built-in PDF reader, resulting in gaining access to sensitive local files. (CVE-2015-4495)

USN-2702-1 fixed vulnerabilities in Firefox. After upgrading, some users in the US reported that their default search engine switched to Yahoo. This update fixes the problem.

We apologize for the inconvenience.

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4473, CVE-2015-4474)

Aki Helin discovered an out-of-bounds read when playing malformed MP3 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4475)

A use-after-free was discovered during MediaStream playback in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4477)

Andre Bargull discovered that non-configurable properties on JavaScript objects could be redefined when parsing JSON.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-4478)

Multiple integer overflows were discovered in libstagefright. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)

Jukka Jylanki discovered a crash that occurs because JavaScript does not properly gate access to Atomics or SharedArrayBuffers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-4484)

Abhishek Arya discovered 2 buffer overflows in libvpx when decoding malformed WebM content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4485, CVE-2015-4486)

Ronald Crane reported 3 security issues. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these, in combination with another security vulnerability, to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4487, CVE-2015-4488, CVE-2015-4489)

Christoph Kerschbaumer discovered an issue with Mozilla's implementation of Content Security Policy (CSP), which could allow for a more permissive usage in some cirucumstances. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2015-4490)

Gustavo Grieco discovered a heap overflow in gdk-pixbuf. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4491)

Looben Yang discovered a use-after-free when using XMLHttpRequest with shared workers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4492).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- update to Firefox 40.0 (bnc#940806)

  - Added protection against unwanted software downloads

  - Suggested Tiles show sites of interest, based on     categories from your recent browsing history

  - Hello allows adding a link to conversations to provide     context on what the conversation will be about

  - New style for add-on manager based on the in-content     preferences style

  - Improved scrolling, graphics, and video playback     performance with off main thread compositing (GNU/Linux     only)

  - Graphic blocklist mechanism improved: Firefox version     ranges can be specified, limiting the number of devices     blocked security fixes :

  - MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous     memory safety hazards

  - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds     read with malformed MP3 file

  - MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free     in MediaStream playback

  - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of     non-configurable JavaScript object properties

  - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493     Overflow issues in libstagefright

  - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file     overwriting through Mozilla Maintenance Service with     hard links (only affected Windows)

  - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds     write with Updater and malicious MAR file (does not     affect openSUSE RPM packages which do not ship the     updater)

  - MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol     with POST bypasses mixed content protections

  - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when     using shared memory in JavaScript

  - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow     in gdk-pixbuf when scaling bitmap images

  - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948,     bmo#1178148) Buffer overflows on Libvpx when decoding     WebM video

  - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489     Vulnerabilities found through code inspection

  - MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content     Security Policy allows for asterisk wildcards in     violation of CSP specification

  - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free     in XMLHttpRequest with shared workers

  - added mozilla-no-stdcxx-check.patch

  - removed obsolete patches

  - mozilla-add-glibcxx_use_cxx11_abi.patch

  - firefox-multilocale-chrome.patch

  - rebased patches

  - requires version 40 of the branding package

  - removed browser/searchplugins/ location as it's not     valid anymore

  - includes security update to Firefox 39.0.3 (bnc#940918)

  - MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)     Same origin violation and local file stealing via PDF     reader

The version of Firefox installed on the remote Windows host is prior to 40. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4473)

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4474)

  - An out-of-bounds read error exists in the     PlayFromAudioQueue() function due to improper handling     of mismatched sample formats. A remote attacker can     exploit this, via a specially crafted MP3 file, to     disclose memory contents or execute arbitrary code.
    (CVE-2015-4475)

  - A use-after-free error exists in the Web Audio API     during MediaStream playback. A remote attacker can     exploit this to dereference already freed memory,     resulting in the potential execution of arbitrary code.
    (CVE-2015-4477)

  - A same-origin policy bypass vulnerability exists due to     non-configurable properties being redefined in violation     of the ECMAScript 6 standard during JSON parsing. A     remote attacker can exploit this, by editing these     properties to arbitrary values, to bypass the     same-origin policy. (CVE-2015-4478)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     'saio' chunks in MPEG4 video. A remote attacker can     exploit this, via a specially crafted MPEG4 file, to     execute arbitrary code. (CVE-2015-4479)

  - An integer overflow condition exists in the bundled     libstagefright component when handling H.264 media     content. A remote attacker can exploit this, via a     specially crafted MPEG4 file, to execute arbitrary code.
    (CVE-2015-4480)

  - An arbitrary file overwrite vulnerability exists in the     Mozilla Maintenance Service due to a race condition. An     attacker can exploit this, via the use of a hard link,     to overwrite arbitrary files with log output.
    (CVE-2015-4481)

  - An out-of-bounds write error exists due to an array     indexing flaw in the mar_consume_index() function when     handling index names in MAR files. An attacker can     exploit this to execute arbitrary code. (CVE-2015-4482)

  - A security bypass vulnerability exists due to a flaw in     the ShouldLoad() function that occurs during the     handling of POST requests to URLs using the 'feed:' URI     handler. An attacker can exploit this to bypass the     mixed content blocker. (CVE-2015-4483)

  - A denial of service vulnerability exists when handling     JavaScript using shared memory without properly gating     access to Atomics and SharedArrayBuffer views. An     attacker can exploit this to crash the program,     resulting in a denial of service condition.
    (CVE-2015-4484)

  - A heap-based buffer overflow condition exists in the     resize_context_buffers() function due to improper     validation of user-supplied input. A remote attacker can     exploit this, via specially crafted WebM content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-4485)

  - A heap-based buffer overflow condition exists in the     decrease_ref_count() function due to improper validation     of user-supplied input. A remote attacker can exploit     this, via specially crafted WebM content, to cause a     heap-based buffer overflow, resulting in the execution     of arbitrary code. (CVE-2015-4486)

  - A buffer overflow condition exists in the ReplacePrep()     function. A remote attacker can exploit this to cause a     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2015-4487)

  - A use-after-free error exists in the operator=()     function. An attacker can exploit this to dereference     already freed memory, resulting in the execution of     arbitrary code. (CVE-2015-4488)

  - A memory corruption issue exists in the nsTArray_Impl()     function due to improper validation of user-supplied     input during self-assignment. An attacker can exploit     this to corrupt memory, resulting in the execution of     arbitrary code. (CVE-2015-4489)

  - A security bypass vulnerability exists due to a     discrepancy in the implementation of Content Security     Policy and the CSP specification. The specification     states that 'blob:', 'data:', and 'filesystem:' URLs     should be excluded in case of a wildcard when matching     source expressions, but Mozilla's implementation allows     these in the case of an asterisk wildcard. A remote     attacker can exploit this to bypass restrictions.
    (CVE-2015-4490)

  - A use-after-free error exists in the     XMLHttpRequest::Open() function due to improper handling     of recursive calls. An attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2015-4492)

  - An integer underflow condition exists in the bundled     libstagefright library. An attacker can exploit this to     crash the application, resulting in a denial of service     condition. (CVE-2015-4493)

The version of Firefox installed on the remote Mac OS X host is prior to 40. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4473)

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4474)

  - An out-of-bounds read error exists in the     PlayFromAudioQueue() function due to improper handling     of mismatched sample formats. A remote attacker can     exploit this, via a specially crafted MP3 file, to     disclose memory contents or execute arbitrary code.
    (CVE-2015-4475)

  - A use-after-free error exists in the Web Audio API     during MediaStream playback. A remote attacker can     exploit this to dereference already freed memory,     resulting in the potential execution of arbitrary code.
    (CVE-2015-4477)

  - A same-origin policy bypass vulnerability exists due to     non-configurable properties being redefined in violation     of the ECMAScript 6 standard during JSON parsing. A     remote attacker can exploit this, by editing these     properties to arbitrary values, to bypass the     same-origin policy. (CVE-2015-4478)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     'saio' chunks in MPEG4 video. A remote attacker can     exploit this, via a specially crafted MPEG4 file, to     execute arbitrary code. (CVE-2015-4479)

  - An integer overflow condition exists in the bundled     libstagefright component when handling H.264 media     content. A remote attacker can exploit this, via a     specially crafted MPEG4 file, to execute arbitrary code.
    (CVE-2015-4480)

  - An out-of-bounds write error exists due to an array     indexing flaw in the mar_consume_index() function when     handling index names in MAR files. An attacker can     exploit this to execute arbitrary code. (CVE-2015-4482)

  - A security bypass vulnerability exists due to a flaw in     the ShouldLoad() function that occurs during the     handling of POST requests to URLs using the 'feed:' URI     handler. An attacker can exploit this to bypass the     mixed content blocker. (CVE-2015-4483)

  - A denial of service vulnerability exists when handling     JavaScript using shared memory without properly gating     access to Atomics and SharedArrayBuffer views. An     attacker can exploit this to crash the program,     resulting in a denial of service condition.
    (CVE-2015-4484)

  - A heap-based buffer overflow condition exists in the     resize_context_buffers() function due to improper     validation of user-supplied input. A remote attacker can     exploit this, via specially crafted WebM content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-4485)

  - A heap-based buffer overflow condition exists in the     decrease_ref_count() function due to improper validation     of user-supplied input. A remote attacker can exploit     this, via specially crafted WebM content, to cause a     heap-based buffer overflow, resulting in the execution     of arbitrary code. (CVE-2015-4486)

  - A buffer overflow condition exists in the ReplacePrep()     function. A remote attacker can exploit this to cause a     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2015-4487)

  - A use-after-free error exists in the operator=()     function. An attacker can exploit this to dereference     already freed memory, resulting in the execution of     arbitrary code. (CVE-2015-4488)

  - A memory corruption issue exists in the nsTArray_Impl()     function due to improper validation of user-supplied     input during self-assignment. An attacker can exploit     this to corrupt memory, resulting in the execution of     arbitrary code. (CVE-2015-4489)

  - A security bypass vulnerability exists due to a     discrepancy in the implementation of Content Security     Policy and the CSP specification. The specification     states that 'blob:', 'data:', and 'filesystem:' URLs     should be excluded in case of a wildcard when matching     source expressions, but Mozilla's implementation allows     these in the case of an asterisk wildcard. A remote     attacker can exploit this to bypass restrictions.
    (CVE-2015-4490)

  - A use-after-free error exists in the     XMLHttpRequest::Open() function due to improper handling     of recursive calls. An attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2015-4492)

  - An integer underflow condition exists in the bundled     libstagefright library. An attacker can exploit this to     crash the application, resulting in a denial of service     condition. (CVE-2015-4493)

USN-2702-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubufox.

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4473, CVE-2015-4474)

Aki Helin discovered an out-of-bounds read when playing malformed MP3 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4475)

A use-after-free was discovered during MediaStream playback in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4477)

Andre Bargull discovered that non-configurable properties on JavaScript objects could be redefined when parsing JSON.
If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-4478)

Multiple integer overflows were discovered in libstagefright. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)

Jukka Jylanki discovered a crash that occurs because JavaScript does not properly gate access to Atomics or SharedArrayBuffers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-4484)

Abhishek Arya discovered 2 buffer overflows in libvpx when decoding malformed WebM content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4485, CVE-2015-4486)

Ronald Crane reported 3 security issues. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these, in combination with another security vulnerability, to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4487, CVE-2015-4488, CVE-2015-4489)

Christoph Kerschbaumer discovered an issue with Mozilla's implementation of Content Security Policy (CSP), which could allow for a more permissive usage in some cirucumstances. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2015-4490)

Gustavo Grieco discovered a heap overflow in gdk-pixbuf. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4491)

Looben Yang discovered a use-after-free when using XMLHttpRequest with shared workers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4492).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4473, CVE-2015-4474)

Aki Helin discovered an out-of-bounds read when playing malformed MP3 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4475)

A use-after-free was discovered during MediaStream playback in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4477)

Andre Bargull discovered that non-configurable properties on JavaScript objects could be redefined when parsing JSON. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions.
(CVE-2015-4478)

Multiple integer overflows were discovered in libstagefright. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)

Jukka Jylanki discovered a crash that occurs because JavaScript does not properly gate access to Atomics or SharedArrayBuffers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-4484)

Abhishek Arya discovered 2 buffer overflows in libvpx when decoding malformed WebM content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4485, CVE-2015-4486)

Ronald Crane reported 3 security issues. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these, in combination with another security vulnerability, to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4487, CVE-2015-4488, CVE-2015-4489)

Christoph Kerschbaumer discovered an issue with Mozilla's implementation of Content Security Policy (CSP), which could allow for a more permissive usage in some cirucumstances. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2015-4490)

Gustavo Grieco discovered a heap overflow in gdk-pixbuf. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4491)

Looben Yang discovered a use-after-free when using XMLHttpRequest with shared workers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the priviliges of the user invoking Firefox. (CVE-2015-4492).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Mozilla Project reports :

MFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

MFSA 2015-80 Out-of-bounds read with malformed MP3 file

MFSA 2015-81 Use-after-free in MediaStream playback

MFSA 2015-82 Redefinition of non-configurable JavaScript object properties

MFSA 2015-83 Overflow issues in libstagefright

MFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links

MFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file

MFSA 2015-86 Feed protocol with POST bypasses mixed content protections

MFSA 2015-87 Crash when using shared memory in JavaScript

MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images

MFSA 2015-90 Vulnerabilities found through code inspection

MFSA 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification

MFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers

ID	Name	Product	Family	Severity
91379	GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	critical
90240	openSUSE Security Update : MozillaThunderbird (openSUSE-2016-402)	Nessus	SuSE Local Security Checks	critical
90170	openSUSE Security Update : MozillaThunderbird (openSUSE-2016-395)	Nessus	SuSE Local Security Checks	critical
8856	Mozilla Firefox < 40.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
85578	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox regression (USN-2702-3)	Nessus	Ubuntu Local Security Checks	critical
85437	openSUSE Security Update : MozillaFirefox (openSUSE-2015-548)	Nessus	SuSE Local Security Checks	critical
85436	openSUSE Security Update : MozillaFirefox (openSUSE-2015-547)	Nessus	SuSE Local Security Checks	critical
85386	Firefox < 40 Multiple Vulnerabilities	Nessus	Windows	critical
85384	Firefox < 40 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	critical
85345	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : ubufox update (USN-2702-2)	Nessus	Ubuntu Local Security Checks	critical
85344	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox vulnerabilities (USN-2702-1)	Nessus	Ubuntu Local Security Checks	critical
85338	FreeBSD : mozilla -- multiple vulnerabilities (c66a5632-708a-4727-8236-d65b2d5b2739)	Nessus	FreeBSD Local Security Checks	critical

CVE-2015-4477

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins