USN-2743-1: Firefox vulnerabilities
22 September 2015
Firefox could be made to crash or run programs as your login if it opened a malicious website.
Releases
Packages
- firefox - Mozilla Open Source web browser
Details
Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup
discovered multiple memory safety issues in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4500, CVE-2015-4501)
André Bargull discovered that when a web page creates a scripted proxy
for the window with a handler defined a certain way, a reference to the
inner window will be passed, rather than that of the outer window.
(CVE-2015-4502)
Felix Gröbert discovered an out-of-bounds read in the QCMS color
management library in some circumstances. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or obtain
sensitive information. (CVE-2015-4504)
Khalil Zhani discovered a buffer overflow when parsing VP9 content in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-4506)
Spandan Veggalam discovered a crash while using the debugger API in some
circumstances. If a user were tricked in to opening a specially crafted
website whilst using the debugger, an attacker could potentially exploit
this to execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4507)
Juho Nurminen discovered that the URL bar could display the wrong URL in
reader mode in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
conduct URL spoofing attacks. (CVE-2015-4508)
A use-after-free was discovered when manipulating HTML media content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2015-4509)
Looben Yang discovered a use-after-free when using a shared worker with
IndexedDB in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2015-4510)
Francisco Alonso discovered an out-of-bounds read during 2D canvas
rendering in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
obtain sensitive information. (CVE-2015-4512)
Jeff Walden discovered that changes could be made to immutable properties
in some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to execute
arbitrary script in a privileged scope. (CVE-2015-4516)
Ronald Crane reported multiple vulnerabilities. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174,
CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)
Mario Gomes discovered that dragging and dropping an image after a
redirect exposes the redirected URL to scripts. An attacker could
potentially exploit this to obtain sensitive information. (CVE-2015-4519)
Ehsan Akhgari discovered 2 issues with CORS preflight requests. An
attacker could potentially exploit these to bypass CORS restrictions.
(CVE-2015-4520)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 15.04
Ubuntu 14.04
Ubuntu 12.04
After a standard system update you need to restart Firefox to make
all the necessary changes.
References
Related notices
- USN-2754-1: thunderbird-locale-el, thunderbird-locale-bn, thunderbird-locale-dsb, thunderbird-locale-sr, thunderbird-locale-ka, thunderbird-locale-nb, thunderbird-locale-fi, thunderbird-locale-hy, thunderbird-locale-gd, thunderbird-locale-bn-bd, thunderbird-locale-es-es, thunderbird-gnome-support, thunderbird-locale-it, thunderbird-locale-pa-in, thunderbird-locale-lt, thunderbird-locale-nl, thunderbird-locale-en, thunderbird-locale-ca, thunderbird-locale-ga, thunderbird-locale-ko, thunderbird-locale-id, thunderbird-locale-af, thunderbird-locale-da, thunderbird-locale-sv-se, thunderbird-locale-nn-no, thunderbird-locale-pt, thunderbird-globalmenu, thunderbird-locale-ta-lk, thunderbird, thunderbird-locale-ga-ie, thunderbird-locale-is, thunderbird-locale-zh-hans, thunderbird-locale-en-us, thunderbird-locale-sk, thunderbird-locale-ja, thunderbird-locale-ru, thunderbird-locale-et, thunderbird-locale-es-ar, thunderbird-locale-nb-no, thunderbird-locale-nn, thunderbird-locale-sv, xul-ext-lightning, thunderbird-locale-cs, xul-ext-gdata-provider, thunderbird-locale-br, thunderbird-locale-vi, thunderbird-locale-bg, thunderbird-locale-pt-pt, thunderbird-locale-de, thunderbird-locale-tr, thunderbird-locale-hsb, thunderbird-locale-pt-br, thunderbird-locale-sq, thunderbird-locale-be, thunderbird-mozsymbols, thunderbird-locale-fy-nl, thunderbird-locale-uk, thunderbird-locale-fr, thunderbird-locale-zh-cn, thunderbird-locale-hu, thunderbird-locale-eu, thunderbird-locale-cy, thunderbird-locale-pl, thunderbird-locale-ro, thunderbird-locale-si, thunderbird-locale-zh-tw, thunderbird-dev, thunderbird-locale-pa, thunderbird-locale-mk, thunderbird-testsuite, thunderbird-locale-en-gb, xul-ext-calendar-timezones, thunderbird-locale-rm, thunderbird-locale-he, thunderbird-locale-es, thunderbird-locale-hr, thunderbird-locale-ta, thunderbird-locale-ar, thunderbird-locale-ast, thunderbird-locale-sl, thunderbird-locale-zh-hant, thunderbird-locale-fy, thunderbird-locale-gl