openSUSE-SU-2015:1658

openSUSE-SU-2015:1681

http://www.mozilla.org/security/announce/2015/mfsa2015-104.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

76815

1033640

USN-2743-1

USN-2743-2

USN-2743-3

USN-2743-4

https://bugzilla.mozilla.org/show_bug.cgi?id=1200004

USN-2743-1 fixed vulnerabilities in Firefox. After upgrading, some users reported problems with bookmark creation and crashes in some circumstances. This update fixes the problem.

We apologize for the inconvenience.

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4500, CVE-2015-4501)

Andre Bargull discovered that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window. (CVE-2015-4502)

Felix Grobert discovered an out-of-bounds read in the QCMS color management library in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. (CVE-2015-4504)

Khalil Zhani discovered a buffer overflow when parsing VP9 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4506)

Spandan Veggalam discovered a crash while using the debugger API in some circumstances. If a user were tricked in to opening a specially crafted website whilst using the debugger, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4507)

Juho Nurminen discovered that the URL bar could display the wrong URL in reader mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2015-4508)

A use-after-free was discovered when manipulating HTML media content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4509)

Looben Yang discovered a use-after-free when using a shared worker with IndexedDB in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4510)

Francisco Alonso discovered an out-of-bounds read during 2D canvas rendering in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4512)

Jeff Walden discovered that changes could be made to immutable properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary script in a privileged scope. (CVE-2015-4516)

Ronald Crane reported multiple vulnerabilities. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

Mario Gomes discovered that dragging and dropping an image after a redirect exposes the redirected URL to scripts. An attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4519)

Ehsan Akhgari discovered 2 issues with CORS preflight requests. An attacker could potentially exploit these to bypass CORS restrictions. (CVE-2015-4520).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

seamonkey was updated to fix 25 security issues.

These security issues were fixed :

  - CVE-2015-4520: Mozilla Firefox before 41.0 and Firefox     ESR 38.x before 38.3 allowed remote attackers to bypass     CORS preflight protection mechanisms by leveraging (1)     duplicate cache-key generation or (2) retrieval of a     value from an incorrect HTTP Access-Control-* response     header (bsc#947003).

  - CVE-2015-4521: The ConvertDialogOptions function in     Mozilla Firefox before 41.0 and Firefox ESR 38.x before     38.3 might allowed remote attackers to cause a denial of     service (memory corruption and application crash) or     possibly have unspecified other impact via unknown     vectors (bsc#947003).

  - CVE-2015-4522: The nsUnicodeToUTF8::GetMaxLength     function in Mozilla Firefox before 41.0 and Firefox ESR     38.x before 38.3 might allowed remote attackers to cause     a denial of service (memory corruption and application     crash) or possibly have unspecified other impact via     unknown vectors, related to an 'overflow (bsc#947003).

  - CVE-2015-4502: js/src/proxy/Proxy.cpp in Mozilla Firefox     before 41.0 mishandled certain receiver arguments, which     allowed remote attackers to bypass intended window     access restrictions via a crafted website (bsc#947003).

  - CVE-2015-4503: The TCP Socket API implementation in     Mozilla Firefox before 41.0 mishandled array boundaries     that were established with a navigator.mozTCPSocket.open     method call and send method calls, which allowed remote     TCP servers to obtain sensitive information from process     memory by reading packet data, as demonstrated by     availability of this API in a Firefox OS application     (bsc#947003).

  - CVE-2015-4500: Multiple unspecified vulnerabilities in     the browser engine in Mozilla Firefox before 41.0 and     Firefox ESR 38.x before 38.3 allowed remote attackers to     cause a denial of service (memory corruption and     application crash) or possibly execute arbitrary code     via unknown vectors (bsc#947003).

  - CVE-2015-4501: Multiple unspecified vulnerabilities in     the browser engine in Mozilla Firefox before 41.0     allowed remote attackers to cause a denial of service     (memory corruption and application crash) or possibly     execute arbitrary code via unknown vectors (bsc#947003).

  - CVE-2015-4506: Buffer overflow in the     vp9_init_context_buffers function in libvpx, as used in     Mozilla Firefox before 41.0 and Firefox ESR 38.x before     38.3, allowed remote attackers to execute arbitrary code     via a crafted VP9 file (bsc#947003).

  - CVE-2015-4507: The SavedStacks class in the JavaScript     implementation in Mozilla Firefox before 41.0, when the     Debugger API is enabled, allowed remote attackers to     cause a denial of service (getSlotRef assertion failure     and application exit) or possibly execute arbitrary code     via a crafted website (bsc#947003).

  - CVE-2015-4504: The lut_inverse_interp16 function in the     QCMS library in Mozilla Firefox before 41.0 allowed     remote attackers to obtain sensitive information or     cause a denial of service (buffer over-read and     application crash) via crafted attributes in the ICC 4     profile of an image (bsc#947003).

  - CVE-2015-4505: updater.exe in Mozilla Firefox before     41.0 and Firefox ESR 38.x before 38.3 on Windows allowed     local users to write to arbitrary files by conducting a     junction attack and waiting for an update operation by     the Mozilla Maintenance Service (bsc#947003).

  - CVE-2015-7180: The ReadbackResultWriterD3D11::Run     function in Mozilla Firefox before 41.0 and Firefox ESR     38.x before 38.3 misinterprets the return value of a     function call, which might allowed remote attackers to     cause a denial of service (memory corruption and     application crash) or possibly have unspecified other     impact via unknown vectors (bsc#947003).

  - CVE-2015-4509: Use-after-free vulnerability in the     HTMLVideoElement interface in Mozilla Firefox before     41.0 and Firefox ESR 38.x before 38.3 allowed remote     attackers to execute arbitrary code via crafted     JavaScript code that modifies the URI table of a media     element, aka ZDI-CAN-3176 (bsc#947003).

  - CVE-2015-7178: The ProgramBinary::linkAttributes     function in libGLES in ANGLE, as used in Mozilla Firefox     before 41.0 and Firefox ESR 38.x before 38.3 on Windows,     mishandles shader access, which allowed remote attackers     to execute arbitrary code or cause a denial of service     (memory corruption and application crash) via crafted     (1) OpenGL or (2) WebGL content (bsc#947003).

  - CVE-2015-7179: The     VertexBufferInterface::reserveVertexSpace function in     libGLES in ANGLE, as used in Mozilla Firefox before 41.0     and Firefox ESR 38.x before 38.3 on Windows, incorrectly     allocates memory for shader attribute arrays, which     allowed remote attackers to execute arbitrary code or     cause a denial of service (buffer overflow and     application crash) via crafted (1) OpenGL or (2) WebGL     content (bsc#947003).

  - CVE-2015-7176: The AnimationThread function in Mozilla     Firefox before 41.0 and Firefox ESR 38.x before 38.3     used an incorrect argument to the sscanf function, which     might allowed remote attackers to cause a denial of     service (stack-based buffer overflow and application     crash) or possibly have unspecified other impact via     unknown vectors (bsc#947003).

  - CVE-2015-7177: The InitTextures function in Mozilla     Firefox before 41.0 and Firefox ESR 38.x before 38.3     might allowed remote attackers to cause a denial of     service (memory corruption and application crash) or     possibly have unspecified other impact via unknown     vectors (bsc#947003).

  - CVE-2015-7174: The nsAttrAndChildArray::GrowBy function     in Mozilla Firefox before 41.0 and Firefox ESR 38.x     before 38.3 might allowed remote attackers to cause a     denial of service (memory corruption and application     crash) or possibly have unspecified other impact via     unknown vectors, related to an 'overflow (bsc#947003).

  - CVE-2015-7175: The XULContentSinkImpl::AddText function     in Mozilla Firefox before 41.0 and Firefox ESR 38.x     before 38.3 might allowed remote attackers to cause a     denial of service (memory corruption and application     crash) or possibly have unspecified other impact via     unknown vectors, related to an 'overflow (bsc#947003).

  - CVE-2015-4511: Heap-based buffer overflow in the     nestegg_track_codec_data function in Mozilla Firefox     before 41.0 and Firefox ESR 38.x before 38.3 allowed     remote attackers to execute arbitrary code via a crafted     header in a WebM video (bsc#947003).

  - CVE-2015-4510: Race condition in the     WorkerPrivate::NotifyFeatures function in Mozilla     Firefox before 41.0 allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free and application crash) by leveraging     improper interaction between shared workers and the     IndexedDB implementation (bsc#947003).

  - CVE-2015-4512: gfx/2d/DataSurfaceHelpers.cpp in Mozilla     Firefox before 41.0 on Linux improperly attempts to use     the Cairo library with 32-bit color-depth surface     creation followed by 16-bit color-depth surface display,     which allowed remote attackers to obtain sensitive     information from process memory or cause a denial of     service (out-of-bounds read) by using a CANVAS element     to trigger 2D rendering (bsc#947003).

  - CVE-2015-4517: NetworkUtils.cpp in Mozilla Firefox     before 41.0 and Firefox ESR 38.x before 38.3 might     allowed remote attackers to cause a denial of service     (memory corruption and application crash) or possibly     have unspecified other impact via unknown vectors     (bsc#947003).

  - CVE-2015-4516: Mozilla Firefox before 41.0 allowed     remote attackers to bypass certain ECMAScript 5 (aka     ES5) API protection mechanisms and modify immutable     properties, and consequently execute arbitrary     JavaScript code with chrome privileges, via a crafted     web page that did not use ES5 APIs (bsc#947003).

  - CVE-2015-4519: Mozilla Firefox before 41.0 and Firefox     ESR 38.x before 38.3 allowed user-assisted remote     attackers to bypass intended access restrictions and     discover a redirect's target URL via crafted JavaScript     code that executes after a drag-and-drop action of an     image into a TEXTBOX element (bsc#947003).

MozillaFirefox was updated to Firefox 41.0 (bnc#947003)

Security issues fixed :

  - MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous     memory safety hazards

  - MFSA 2015-97/CVE-2015-4503 (bmo#994337) Memory leak in     mozTCPSocket to servers

  - MFSA 2015-98/CVE-2015-4504 (bmo#1132467) Out of bounds     read in QCMS library with ICC V4 profile attributes

  - MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)     Site attribute spoofing on Android by pasting URL with     unknown scheme

  - MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)     Arbitrary file manipulation by local user through     Mozilla updater

  - MFSA 2015-101/CVE-2015-4506 (bmo#1192226) Buffer     overflow in libvpx while parsing vp9 format video

  - MFSA 2015-102/CVE-2015-4507 (bmo#1192401) Crash when     using debugger with SavedStacks in JavaScript

  - MFSA 2015-103/CVE-2015-4508 (bmo#1195976) URL spoofing     in reader mode

  - MFSA 2015-104/CVE-2015-4510 (bmo#1200004) Use-after-free     with shared workers and IndexedDB

  - MFSA 2015-105/CVE-2015-4511 (bmo#1200148) Buffer     overflow while decoding WebM video

  - MFSA 2015-106/CVE-2015-4509 (bmo#1198435) Use-after-free     while manipulating HTML media content

  - MFSA 2015-107/CVE-2015-4512 (bmo#1170390) Out-of-bounds     read during 2D canvas display on Linux 16-bit color     depth systems

  - MFSA 2015-108/CVE-2015-4502 (bmo#1105045) Scripted     proxies can access inner window

  - MFSA 2015-109/CVE-2015-4516 (bmo#904886) JavaScript     immutable property enforcement can be bypassed

  - MFSA 2015-110/CVE-2015-4519 (bmo#1189814) Dragging and     dropping images exposes final URL after redirects

  - MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)     Errors in the handling of CORS preflight request headers

  - MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/     CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/     CVE-2015-7180 Vulnerabilities found through code     inspection

  - MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,     bmo#1190526) (Windows only) Memory safety errors in     libGLES in the ANGLE graphics library

  - MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)     Information disclosure via the High Resolution Time API

The version of Mozilla Firefox is prior to 41.0 and is affected by multiple vulnerabilities : 

 - A flaw exists in ReadbackResultWriterD3D11::Run(). The issue is triggered as user-supplied input is not properly validated when handling return statuses. This may potentially allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-7180) 
 - A flaw exists in InitTextures(). The issue is triggered as user-supplied input is not properly validated. This may potentially allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-7117) 
 - An overflow condition exists in AnimationThread(). The issue is triggered as user-supplied input is not properly validated when handling sscanf arguments. This may allow a context-dependent attacker to cause a stack overflow, resulting in an unspecified impact. (CVE-2015-7176) 
 - An overflow condition exists in XULContentSinkImpl::AddText(). The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, resulting in an unspecified impact. (CVE-2015-7175) 
 - An overflow condition exists in the nsAttrAndChildArray::GrowBy() function in 'dom/base/nsAttrAndChildArray.cpp'. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (CVE-2015-7174) 
 - An overflow condition exists in the nsUnicode*::GetMaxLength() functions that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code. (CVE-2015-4522) 
 - A flaw exists in ConvertDialogOptions(). The issue is triggered as user-supplied input is not properly validated. This may potentially allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-4521) 
 - A flaw exists in NetworkUtils.cpp. The issue is triggered as user-supplied input is not properly validated. This may potentially allow a context-dependent attacker to corrupt memory and have an unspecified impact. (CVE-2015-4517) 
 - An out-of-bounds read flaw exists in 'gfx/2d/DataSurfaceHelpers.cpp' that is triggered during the rendering of 2D canvases. This may allow a context-dependent attacker to potentially disclose sensitive memory contents. (CVE-2015-4512) 
 - A flaw exists that is triggered when identical cache keys may be generated for distinct preflight requests on a site. This may potentially allow a subsequent request to bypass intended cross-origin resource sharing (CORS) checks. (CVE-2015-4520) 
 - A flaw exists that is triggered when handling images that have been "dragged and dropped" after a redirect. The redirected URL of the image may be available to scripts, potentially allowing a context-dependent attacker to gain unauthorized access to it. (CVE-2015-4519) 
 - A use-after-free error exists in 'dom/html/HTMLMediaElement.cpp' that is triggered during the handling of HTML media elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2015-4509) 
 - nestegg contains an overflow condition. The issue is triggered as user-supplied input is not properly validated when decoding WebM videos. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2015-4511) 
 - A flaw related to scratch register scope handling exists. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists in the cloneLeftHandSide() function in 'frontend/ParseNode.cpp' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists in 'memory/mozjemalloc/jemalloc.c' that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists in the stagefright component that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists that is triggered when handling generator function groups, as they have an improper prototype. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists in the nsXBLService::GetBinding() function in 'dom/xbl/nsXBLService.cpp' that is triggered when loading bindings. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500) 
 - A flaw exists in the IndexedDB component that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4500)
 - A use-after-free error exists in 'nsIPresShell' that is triggered when handling a restyling operation during the resizing of a canvas element. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2015-4497)
 - A flaw exists that is triggered when handling add-on installation using 'data:' URLs. With a specially crafted web page, a context-dependent attacker can bypass the install permission prompt for add-ons and install add-ons from malicious sources. (CVE-2015-4498)

USN-2743-1 fixed vulnerabilities in Firefox. Future Firefox updates will require all addons be signed and unity-firefox-extension, webapps-greasemonkey and webaccounts-browser-extension will not go through the signing process. Because these addons currently break search engine installations (LP: #1069793), this update permanently disables the addons by removing them from the system.

We apologize for any inconvenience.

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4500, CVE-2015-4501)

Andre Bargull discovered that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window. (CVE-2015-4502)

Felix Grobert discovered an out-of-bounds read in the QCMS color management library in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. (CVE-2015-4504)

Khalil Zhani discovered a buffer overflow when parsing VP9 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4506)

Spandan Veggalam discovered a crash while using the debugger API in some circumstances. If a user were tricked in to opening a specially crafted website whilst using the debugger, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4507)

Juho Nurminen discovered that the URL bar could display the wrong URL in reader mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2015-4508)

A use-after-free was discovered when manipulating HTML media content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4509)

Looben Yang discovered a use-after-free when using a shared worker with IndexedDB in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4510)

Francisco Alonso discovered an out-of-bounds read during 2D canvas rendering in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4512)

Jeff Walden discovered that changes could be made to immutable properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary script in a privileged scope. (CVE-2015-4516)

Ronald Crane reported multiple vulnerabilities. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

Mario Gomes discovered that dragging and dropping an image after a redirect exposes the redirected URL to scripts. An attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4519)

Ehsan Akhgari discovered 2 issues with CORS preflight requests. An attacker could potentially exploit these to bypass CORS restrictions. (CVE-2015-4520).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-2743-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox.

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4500, CVE-2015-4501)

Andre Bargull discovered that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window. (CVE-2015-4502)

Felix Grobert discovered an out-of-bounds read in the QCMS color management library in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. (CVE-2015-4504)

Khalil Zhani discovered a buffer overflow when parsing VP9 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4506)

Spandan Veggalam discovered a crash while using the debugger API in some circumstances. If a user were tricked in to opening a specially crafted website whilst using the debugger, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4507)

Juho Nurminen discovered that the URL bar could display the wrong URL in reader mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2015-4508)

A use-after-free was discovered when manipulating HTML media content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4509)

Looben Yang discovered a use-after-free when using a shared worker with IndexedDB in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4510)

Francisco Alonso discovered an out-of-bounds read during 2D canvas rendering in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4512)

Jeff Walden discovered that changes could be made to immutable properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary script in a privileged scope. (CVE-2015-4516)

Ronald Crane reported multiple vulnerabilities. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

Mario Gomes discovered that dragging and dropping an image after a redirect exposes the redirected URL to scripts. An attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4519)

Ehsan Akhgari discovered 2 issues with CORS preflight requests. An attacker could potentially exploit these to bypass CORS restrictions. (CVE-2015-4520).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4500, CVE-2015-4501)

Andre Bargull discovered that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window. (CVE-2015-4502)

Felix Grobert discovered an out-of-bounds read in the QCMS color management library in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. (CVE-2015-4504)

Khalil Zhani discovered a buffer overflow when parsing VP9 content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4506)

Spandan Veggalam discovered a crash while using the debugger API in some circumstances. If a user were tricked in to opening a specially crafted website whilst using the debugger, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4507)

Juho Nurminen discovered that the URL bar could display the wrong URL in reader mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2015-4508)

A use-after-free was discovered when manipulating HTML media content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4509)

Looben Yang discovered a use-after-free when using a shared worker with IndexedDB in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4510)

Francisco Alonso discovered an out-of-bounds read during 2D canvas rendering in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4512)

Jeff Walden discovered that changes could be made to immutable properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary script in a privileged scope.
(CVE-2015-4516)

Ronald Crane reported multiple vulnerabilities. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

Mario Gomes discovered that dragging and dropping an image after a redirect exposes the redirected URL to scripts. An attacker could potentially exploit this to obtain sensitive information.
(CVE-2015-4519)

Ehsan Akhgari discovered 2 issues with CORS preflight requests. An attacker could potentially exploit these to bypass CORS restrictions.
(CVE-2015-4520).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4500, CVE-2015-4509, CVE-2015-4510)

After installing the update, Firefox must be restarted for the changes to take effect.

The Mozilla Project reports :

MFSA 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

MFSA 2015-97 Memory leak in mozTCPSocket to servers

MFSA 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes

MFSA 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme

MFSA 2015-100 Arbitrary file manipulation by local user through Mozilla updater

MFSA 2015-101 Buffer overflow in libvpx while parsing vp9 format video

MFSA 2015-102 Crash when using debugger with SavedStacks in JavaScript

MFSA 2015-103 URL spoofing in reader mode

MFSA 2015-104 Use-after-free with shared workers and IndexedDB

MFSA 2015-105 Buffer overflow while decoding WebM video

MFSA 2015-106 Use-after-free while manipulating HTML media content

MFSA 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems

MFSA 2015-108 Scripted proxies can access inner window

MFSA 2015-109 JavaScript immutable property enforcement can be bypassed

MFSA 2015-110 Dragging and dropping images exposes final URL after redirects

MFSA 2015-111 Errors in the handling of CORS preflight request headers

MFSA 2015-112 Vulnerabilities found through code inspection

MFSA 2015-113 Memory safety errors in libGLES in the ANGLE graphics library

MFSA 2015-114 Information disclosure via the High Resolution Time API

The version of Firefox installed on the remote Windows host is prior to 41. It is, therefore, affected by the following vulnerabilities :

  - Multiple unspecified memory corruption issues exist due     to improper validation of user-supplied input. A remote     attacker can exploit these issues to corrupt memory and     execute arbitrary code. (CVE-2015-4500)

  - Multiple unspecified memory corruption issues exist due     to improper validation of user-supplied input. A remote     attacker can exploit these issues to corrupt memory and     execute arbitrary code. (CVE-2015-4501)

  - A flaw exists that allows scripted proxies to access the     inner window. (CVE-2015-4502)

  - An out-of-bounds read issue exists in TCPSocket.js     related to the sending of strings over TCPSocket. A     remote attacker can exploit this disclose memory     contents. (CVE-2015-4503)

  - An out-of-bounds read error exists in the QCMS color     management library that is triggered when manipulating     an image with specific attributes in its ICC V4 profile.
    A remote attacker can exploit this to cause a denial of     service condition or to disclose sensitive information.
    (CVE-2015-4504)

  - A flaw exists in the Mozilla updater that allows a local     attacker to replace arbitrary files on the system,     resulting in the execution of arbitrary code.
    (CVE-2015-4505)

  - A buffer overflow condition exists in the libvpx     component when parsing vp9 format video. A remote     attacker can exploit this, via a specially crafted vp9     format video, to execute arbitrary code. (CVE-2015-4506)

  - A flaw exists in the debugger API that is triggered when     using the debugger with SavedStacks in JavaScript. An     attacker can exploit this to cause a denial of service     condition. (CVE-2015-4507)

  - A flaw exists in reader mode that allows an attacker to     spoof the URL displayed in the address bar.
    (CVE-2015-4508)

  - A user-after-free error exists when manipulating HTML     media elements on a page during script manipulation of     the URI table of these elements. An attacker can exploit     this to cause a denial of service condition.
    (CVE-2015-4509)

  - A use-after-free error exists when using a shared worker     with IndexedDB due to a race condition with the worker.
    A remote attacker can exploit this, via specially     crafted content, to cause a denial of service condition.
    (CVE-2015-4510)

  - A buffer overflow condition exists in the nestegg     library when decoding a WebM format video with     maliciously formatted headers. An attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-4511)

  - An out-of-bounds read error exists during 2D canvas     rendering due to an issue in the cairo graphics library.
    An attacker can exploit this to read random memory,     resulting in the disclosure of sensitive information.
    (CVE-2015-4512)

  - A security bypass vulnerability exists due to a flaw in     Gecko's implementation of the ECMAScript 5 API. An     attacker can exploit this to run web content in a     privileged context, resulting in the execution of     arbitrary code. (CVE-2015-4516)

  - A memory corruption issue exists in NetworkUtils.cpp. An     attacker can potentially exploit this issue to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-4517)

  - An information disclosure vulnerability exists due to a     flaw that occurs when a previously loaded image on a     page is dropped into content after a redirect, resulting     in the redirected URL being available to scripts.
    (CVE-2015-4519)

  - Multiple security bypass vulnerabilities exist due to     errors in the handling of CORS preflight request     headers. (CVE-2015-4520)

  - A memory corruption issue exists in the     ConvertDialogOptions() function. An attacker can     potentially exploit this issue to cause a denial of     service condition or to execute arbitrary code.
    (CVE-2015-4521)

  - An overflow condition exists in the GetMaxLength()     function. An attacker can potentially exploit this to     cause a denial of service condition or to execute     arbitrary code. (CVE-2015-4522)

  - An overflow condition exists in the GrowBy() function.
    An attacker can potentially exploit this to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-7174)

  - An overflow condition exists in the AddText() function.
    An attacker can potentially exploit this to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-7175)

  - A stack overflow condition exists in the     AnimationThread() function due to a bad sscanf     argument. An attacker can potentially exploit this to     cause a denial of service condition or to execute     arbitrary code. (CVE-2015-7176)

  - A memory corruption issue exists in the InitTextures()     function. An attacker can potentially exploit this issue     to cause a denial of service condition or to execute     arbitrary code. (CVE-2015-7177)

  - An out-of-bounds memory error exists in the     linkAttributes() function when manipulating shaders. An     attacker can potentially exploit this issue to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-7178)

  - An overflow condition exists in the reserveVertexSpace()     function due to an insufficient allocation of memory for     a shader attribute array. An attacker can potentially     exploit this issue to cause a denial of service     condition or to execute arbitrary code. (CVE-2015-7179)

  - A memory corruption issue exists in     ReadbackResultWriterD3D11::Run due to mishandling of the     return status. An attacker can potentially exploit this     issue to cause a denial of service condition or to     execute arbitrary code. (CVE-2015-7180)

  - An unspecified flaw exists in the nsPerformance::Now()     function in dom/base/nsPerformance.cpp that allows an     attacker to use a side-channel attack to disclose     sensitive information. (CVE-2015-7327)

The version of Firefox installed on the remote Mac OS X host is prior to 41. It is, therefore, affected by the following vulnerabilities :

  - Multiple unspecified memory corruption issues exist due     to improper validation of user-supplied input. A remote     attacker can exploit these issues to corrupt memory and     execute arbitrary code. (CVE-2015-4500)

  - Multiple unspecified memory corruption issues exist due     to improper validation of user-supplied input. A remote     attacker can exploit these issues to corrupt memory and     execute arbitrary code. (CVE-2015-4501)

  - A flaw exists that allows scripted proxies to access the     inner window. (CVE-2015-4502)

  - An out-of-bounds read error exists in the QCMS color     management library that is triggered when manipulating     an image with specific attributes in its ICC V4 profile.
    A remote attacker can exploit this to cause a denial of     service condition or to disclose sensitive information.
    (CVE-2015-4504)

  - A buffer overflow condition exists in the libvpx     component when parsing vp9 format video. A remote     attacker can exploit this, via a specially crafted vp9     format video, to execute arbitrary code. (CVE-2015-4506)

  - A flaw exists in the debugger API that is triggered when     using the debugger with SavedStacks in JavaScript. An     attacker can exploit this to cause a denial of service     condition. (CVE-2015-4507)

  - A flaw exists in reader mode that allows an attacker to     spoof the URL displayed in the address bar.
    (CVE-2015-4508)

  - A user-after-free error exists when manipulating HTML     media elements on a page during script manipulation of     the URI table of these elements. An attacker can exploit     this to cause a denial of service condition.
    (CVE-2015-4509)

  - A use-after-free error exists when using a shared worker     with IndexedDB due to a race condition with the worker.
    A remote attacker can exploit this, via specially     crafted content, to cause a denial of service condition.
    (CVE-2015-4510)

  - A security bypass vulnerability exists due to a flaw in     Gecko's implementation of the ECMAScript 5 API. An     attacker can exploit this to run web content in a     privileged context, resulting in the execution of     arbitrary code. (CVE-2015-4516)

  - A memory corruption issue exists in NetworkUtils.cpp. An     attacker can potentially exploit this issue to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-4517)

  - An information disclosure vulnerability exists due to a     flaw that occurs when a previously loaded image on a     page is dropped into content after a redirect, resulting     in the redirected URL being available to scripts.
    (CVE-2015-4519)

  - Multiple security bypass vulnerabilities exist due to     errors in the handling of CORS preflight request     headers. (CVE-2015-4520)

  - A memory corruption issue exists in the     ConvertDialogOptions() function. An attacker can     potentially exploit this issue to cause a denial of     service condition or to execute arbitrary code.
    (CVE-2015-4521)

  - An overflow condition exists in the GetMaxLength()     function. An attacker can potentially exploit this to     cause a denial of service condition or to execute     arbitrary code. (CVE-2015-4522)

  - An overflow condition exists in the GrowBy() function.
    An attacker can potentially exploit this to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-7174)

  - An overflow condition exists in the AddText() function.
    An attacker can potentially exploit this to cause a     denial of service condition or to execute arbitrary     code. (CVE-2015-7175)

  - A stack overflow condition exists in the     AnimationThread() function due to a bad sscanf     argument. An attacker can potentially exploit this to     cause a denial of service condition or to execute     arbitrary code. (CVE-2015-7176)

  - A memory corruption issue exists in the InitTextures()     function. An attacker can potentially exploit this issue     to cause a denial of service condition or to execute     arbitrary code. (CVE-2015-7177)

  - A memory corruption issue exists in     ReadbackResultWriterD3D11::Run due to mishandling of the     return status. An attacker can potentially exploit this     issue to cause a denial of service condition or to     execute arbitrary code. (CVE-2015-7180)

ID	Name	Product	Family	Severity
86291	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox regression (USN-2743-4)	Nessus	Ubuntu Local Security Checks	high
86282	openSUSE Security Update : seamonkey (openSUSE-2015-632)	Nessus	SuSE Local Security Checks	high
86238	openSUSE Security Update : MozillaFirefox (openSUSE-2015-619)	Nessus	SuSE Local Security Checks	high
8948	Mozilla Firefox < 41.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
86144	Ubuntu 14.04 LTS / 15.04 : unity-firefox-extension, webapps-greasemonkey, webaccounts-browser-extension update (USN-2743-3)	Nessus	Ubuntu Local Security Checks	high
86103	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : ubufox update (USN-2743-2)	Nessus	Ubuntu Local Security Checks	high
86102	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox vulnerabilities (USN-2743-1)	Nessus	Ubuntu Local Security Checks	high
86100	Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150922)	Nessus	Scientific Linux Local Security Checks	high
86079	FreeBSD : mozilla -- multiple vulnerabilities (2d56c7f4-b354-428f-8f48-38150c607a05)	Nessus	FreeBSD Local Security Checks	high
86071	Firefox < 41 Multiple Vulnerabilities	Nessus	Windows	high
86069	Firefox < 41 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high

CVE-2015-4510

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high