openSUSE-SU-2015:1389

openSUSE-SU-2015:1390

openSUSE-SU-2015:1453

openSUSE-SU-2015:1454

http://www.mozilla.org/security/announce/2015/mfsa2015-84.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

1033247

1033372

https://bugzilla.mozilla.org/show_bug.cgi?id=1171518

GLSA-201605-06

37925

The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and       Thunderbird. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

The version of Mozilla Firefox is prior to 40.0 and is affected by multiple vulnerabilities : 

 - Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code. (CVE-2015-4473) 
 - Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code. (CVE-2015-4474) 
 - An out-of-bounds read error exists in the 'PlayFromAudioQueue()' function due to improper handling of mismatched sample formats. A remote attacker can exploit this, via a specially crafted MP3 file, to disclose memory contents or execute arbitrary code. (CVE-2015-4475) 
 - A use-after-free error exists in the Web Audio API during MediaStream playback. A remote attacker can exploit this to dereference already freed memory, resulting in the potential execution of arbitrary code. (CVE-2015-4477) 
 - A same-origin policy bypass vulnerability exists due to non-configurable properties being redefined in violation of the ECMAScript 6 standard during JSON parsing. A remote attacker can exploit this, by editing these properties to arbitrary values, to bypass the same-origin policy. (CVE-2015-4478) 
 - Multiple integer overflow conditions exist due to improper validation of user-supplied input when handling 'saio' chunks in MPEG4 video. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4479) 
 - An integer overflow condition exists in the bundled libstagefright component when handling H.264 media content. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4480) 
 - An arbitrary file overwrite vulnerability exists in the Mozilla Maintenance Service due to a race condition. An attacker can exploit this, via the use of a hard link, to overwrite arbitrary files with log output. (CVE-2015-4481) 
 - An out-of-bounds write error exists due to an array indexing flaw in the 'mar_consume_index()' function when handling index names in MAR files. An attacker can exploit this to execute arbitrary code. (CVE-2015-4482) 
 - A security bypass vulnerability exists due to a flaw in the 'ShouldLoad()' function that occurs during the handling of POST requests to URLs using the 'feed:' URI handler. An attacker can exploit this to bypass the mixed content blocker. (CVE-2015-4483) 
 - A denial of service vulnerability exists when handling JavaScript using shared memory without properly gating access to Atomics and SharedArrayBuffer views. An attacker can exploit this to crash the program, resulting in a denial of service condition. (CVE-2015-4484) 
 - A heap-based buffer overflow condition exists in the  'resize_context_buffers()' function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4485) 
 - A heap-based buffer overflow condition exists in the 'decrease_ref_count()' function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4486) 
 - A buffer overflow condition exists in the 'ReplacePrep()' function. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4487) 
 - A use-after-free error exists in the 'operator=()' function. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4488) 
 - A memory corruption issue exists in the 'nsTArray_Impl()' function due to improper validation of user-supplied input during self-assignment. An attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2015-4489) 
 - A security bypass vulnerability exists due to a discrepancy in the implementation of Content Security Policy and the CSP specification. The specification states that 'blob:', 'data:', and 'filesystem:' URLs should be excluded in case of a wildcard when matching source expressions, but Mozilla's implementation allows these in the case of an asterisk wildcard. A remote attacker can exploit this to bypass restrictions. (CVE-2015-4490) 
 - A use-after-free error exists in the 'XMLHttpRequest::Open()' function due to improper handling of recursive calls. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4492) 
 - An integer underflow condition exists in the bundled libstagefright library. An attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-4493) 
 - A flaw in the same origin policy in which an attacker can inject script code into a non-privileged part of browser's built-in PDF reader, resulting in gaining access to sensitive local files. (CVE-2015-4495)

This update to Thunderbird 38.2.0 fixes the following issues (bnc#940806) :

  - MFSA 2015-79/CVE-2015-4473 Miscellaneous memory safety     hazards

  - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds     read with malformed MP3 file

  - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of     non-configurable JavaScript object properties

  - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493     Overflow issues in libstagefright

  - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file     overwriting through Mozilla Maintenance Service with     hard links (only affected Windows)

  - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds     write with Updater and malicious MAR file (does not     affect openSUSE RPM packages which do not ship the     updater)

  - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when     using shared memory in JavaScript

  - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow     in gdk-pixbuf when scaling bitmap images

  - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948,     bmo#1178148) Buffer overflows on Libvpx when decoding     WebM video

  - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489     Vulnerabilities found through code inspection

  - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free     in XMLHttpRequest with shared workers

- update to Firefox 40.0 (bnc#940806)

  - Added protection against unwanted software downloads

  - Suggested Tiles show sites of interest, based on     categories from your recent browsing history

  - Hello allows adding a link to conversations to provide     context on what the conversation will be about

  - New style for add-on manager based on the in-content     preferences style

  - Improved scrolling, graphics, and video playback     performance with off main thread compositing (GNU/Linux     only)

  - Graphic blocklist mechanism improved: Firefox version     ranges can be specified, limiting the number of devices     blocked security fixes :

  - MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous     memory safety hazards

  - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds     read with malformed MP3 file

  - MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free     in MediaStream playback

  - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of     non-configurable JavaScript object properties

  - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493     Overflow issues in libstagefright

  - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file     overwriting through Mozilla Maintenance Service with     hard links (only affected Windows)

  - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds     write with Updater and malicious MAR file (does not     affect openSUSE RPM packages which do not ship the     updater)

  - MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol     with POST bypasses mixed content protections

  - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when     using shared memory in JavaScript

  - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow     in gdk-pixbuf when scaling bitmap images

  - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948,     bmo#1178148) Buffer overflows on Libvpx when decoding     WebM video

  - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489     Vulnerabilities found through code inspection

  - MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content     Security Policy allows for asterisk wildcards in     violation of CSP specification

  - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free     in XMLHttpRequest with shared workers

  - added mozilla-no-stdcxx-check.patch

  - removed obsolete patches

  - mozilla-add-glibcxx_use_cxx11_abi.patch

  - firefox-multilocale-chrome.patch

  - rebased patches

  - requires version 40 of the branding package

  - removed browser/searchplugins/ location as it's not     valid anymore

  - includes security update to Firefox 39.0.3 (bnc#940918)

  - MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)     Same origin violation and local file stealing via PDF     reader

The version of Firefox installed on the remote Windows host is prior to 40. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4473)

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4474)

  - An out-of-bounds read error exists in the     PlayFromAudioQueue() function due to improper handling     of mismatched sample formats. A remote attacker can     exploit this, via a specially crafted MP3 file, to     disclose memory contents or execute arbitrary code.
    (CVE-2015-4475)

  - A use-after-free error exists in the Web Audio API     during MediaStream playback. A remote attacker can     exploit this to dereference already freed memory,     resulting in the potential execution of arbitrary code.
    (CVE-2015-4477)

  - A same-origin policy bypass vulnerability exists due to     non-configurable properties being redefined in violation     of the ECMAScript 6 standard during JSON parsing. A     remote attacker can exploit this, by editing these     properties to arbitrary values, to bypass the     same-origin policy. (CVE-2015-4478)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     'saio' chunks in MPEG4 video. A remote attacker can     exploit this, via a specially crafted MPEG4 file, to     execute arbitrary code. (CVE-2015-4479)

  - An integer overflow condition exists in the bundled     libstagefright component when handling H.264 media     content. A remote attacker can exploit this, via a     specially crafted MPEG4 file, to execute arbitrary code.
    (CVE-2015-4480)

  - An arbitrary file overwrite vulnerability exists in the     Mozilla Maintenance Service due to a race condition. An     attacker can exploit this, via the use of a hard link,     to overwrite arbitrary files with log output.
    (CVE-2015-4481)

  - An out-of-bounds write error exists due to an array     indexing flaw in the mar_consume_index() function when     handling index names in MAR files. An attacker can     exploit this to execute arbitrary code. (CVE-2015-4482)

  - A security bypass vulnerability exists due to a flaw in     the ShouldLoad() function that occurs during the     handling of POST requests to URLs using the 'feed:' URI     handler. An attacker can exploit this to bypass the     mixed content blocker. (CVE-2015-4483)

  - A denial of service vulnerability exists when handling     JavaScript using shared memory without properly gating     access to Atomics and SharedArrayBuffer views. An     attacker can exploit this to crash the program,     resulting in a denial of service condition.
    (CVE-2015-4484)

  - A heap-based buffer overflow condition exists in the     resize_context_buffers() function due to improper     validation of user-supplied input. A remote attacker can     exploit this, via specially crafted WebM content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-4485)

  - A heap-based buffer overflow condition exists in the     decrease_ref_count() function due to improper validation     of user-supplied input. A remote attacker can exploit     this, via specially crafted WebM content, to cause a     heap-based buffer overflow, resulting in the execution     of arbitrary code. (CVE-2015-4486)

  - A buffer overflow condition exists in the ReplacePrep()     function. A remote attacker can exploit this to cause a     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2015-4487)

  - A use-after-free error exists in the operator=()     function. An attacker can exploit this to dereference     already freed memory, resulting in the execution of     arbitrary code. (CVE-2015-4488)

  - A memory corruption issue exists in the nsTArray_Impl()     function due to improper validation of user-supplied     input during self-assignment. An attacker can exploit     this to corrupt memory, resulting in the execution of     arbitrary code. (CVE-2015-4489)

  - A security bypass vulnerability exists due to a     discrepancy in the implementation of Content Security     Policy and the CSP specification. The specification     states that 'blob:', 'data:', and 'filesystem:' URLs     should be excluded in case of a wildcard when matching     source expressions, but Mozilla's implementation allows     these in the case of an asterisk wildcard. A remote     attacker can exploit this to bypass restrictions.
    (CVE-2015-4490)

  - A use-after-free error exists in the     XMLHttpRequest::Open() function due to improper handling     of recursive calls. An attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2015-4492)

  - An integer underflow condition exists in the bundled     libstagefright library. An attacker can exploit this to     crash the application, resulting in a denial of service     condition. (CVE-2015-4493)

The version of Firefox ESR installed on the remote Windows host is prior to 38.2. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist that allow a     remote attacker, via a specially crafted web page, to     corrupt memory and potentially execute arbitrary code.
    (CVE-2015-4473)

  - An out-of-bounds read error exists in the     PlayFromAudioQueue() function due to improper handling     of mismatched sample formats. A remote attacker can     exploit this, via a specially crafted MP3 file, to     disclose memory contents or execute arbitrary code.
    (CVE-2015-4475)

  - A same-origin policy bypass vulnerability exists due to     non-configurable properties being redefined in violation     of the ECMAScript 6 standard during JSON parsing. A     remote attacker can exploit this, by editing these     properties to arbitrary values, to bypass the     same-origin policy. (CVE-2015-4478)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     'saio' chunks in MPEG4 video. A remote attacker can     exploit this, via a specially crafted MPEG4 file, to     execute arbitrary code. (CVE-2015-4479)

  - An integer overflow condition exists in the bundled     libstagefright component when handling H.264 media     content. A remote attacker can exploit this, via a     specially crafted MPEG4 file, to execute arbitrary code.
    (CVE-2015-4480)

  - An arbitrary file overwrite vulnerability exists in the     Mozilla Maintenance Service due to a race condition. An     attacker can exploit this, via the use of a hard link,     to overwrite arbitrary files with log output.
    (CVE-2015-4481)

  - An out-of-bounds write error exists due to an array     indexing flaw in the mar_consume_index() function when     handling index names in MAR files. An attacker can     exploit this to execute arbitrary code. (CVE-2015-4482)

  - A denial of service vulnerability exists when handling     JavaScript using shared memory without properly gating     access to Atomics and SharedArrayBuffer views. An     attacker can exploit this to crash the program,     resulting in a denial of service condition.
    (CVE-2015-4484)

  - A heap-based buffer overflow condition exists in the     resize_context_buffers() function due to improper     validation of user-supplied input. A remote attacker can     exploit this, via specially crafted WebM content, to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code. (CVE-2015-4485)

  - A heap-based buffer overflow condition exists in the     decrease_ref_count() function due to improper validation     of user-supplied input. A remote attacker can exploit     this, via specially crafted WebM content, to cause a     heap-based buffer overflow, resulting in the execution     of arbitrary code. (CVE-2015-4486)

  - A buffer overflow condition exists in the ReplacePrep()     function. A remote attacker can exploit this to cause a     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2015-4487)

  - A use-after-free error exists in the operator=()     function. An attacker can exploit this to dereference     already freed memory, resulting in the execution of     arbitrary code. (CVE-2015-4488)

  - A memory corruption issue exists in the nsTArray_Impl()     function due to improper validation of user-supplied     input during self-assignment. An attacker can exploit     this to corrupt memory, resulting in the execution of     arbitrary code. (CVE-2015-4489)

  - A use-after-free error exists in the     XMLHttpRequest::Open() function due to improper handling     of recursive calls. An attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2015-4492)

  - An integer underflow condition exists in the bundled     libstagefright library. An attacker can exploit this to     crash the application, resulting in a denial of service     condition. (CVE-2015-4493)

The Mozilla Project reports :

MFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

MFSA 2015-80 Out-of-bounds read with malformed MP3 file

MFSA 2015-81 Use-after-free in MediaStream playback

MFSA 2015-82 Redefinition of non-configurable JavaScript object properties

MFSA 2015-83 Overflow issues in libstagefright

MFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links

MFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file

MFSA 2015-86 Feed protocol with POST bypasses mixed content protections

MFSA 2015-87 Crash when using shared memory in JavaScript

MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images

MFSA 2015-90 Vulnerabilities found through code inspection

MFSA 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification

MFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers

ID	Name	Product	Family	Severity
91379	GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	critical
8856	Mozilla Firefox < 40.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
85703	openSUSE Security Update : MozillaThunderbird (openSUSE-2015-559)	Nessus	SuSE Local Security Checks	critical
85702	openSUSE Security Update : MozillaThunderbird (openSUSE-2015-558)	Nessus	SuSE Local Security Checks	critical
85437	openSUSE Security Update : MozillaFirefox (openSUSE-2015-548)	Nessus	SuSE Local Security Checks	critical
85436	openSUSE Security Update : MozillaFirefox (openSUSE-2015-547)	Nessus	SuSE Local Security Checks	critical
85386	Firefox < 40 Multiple Vulnerabilities	Nessus	Windows	critical
85385	Firefox ESR < 38.2 Multiple Vulnerabilities	Nessus	Windows	critical
85338	FreeBSD : mozilla -- multiple vulnerabilities (c66a5632-708a-4727-8236-d65b2d5b2739)	Nessus	FreeBSD Local Security Checks	critical

CVE-2015-4481

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins