[USN-2785-1] Firefox vulnerabilities

Chris Coulson chris.coulson at canonical.com
Wed Nov 4 23:16:12 UTC 2015


==========================================================================
Ubuntu Security Notice USN-2785-1
November 04, 2015

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky,
Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong,
Andrew McCreight, Georg Fritzsche, and Carsten Book discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2015-4513,
CVE-2015-4514)

Tim Brown discovered that Firefox discloses the hostname during NTLM
authentication in some circumstances. If a user were tricked in to
opening a specially crafted website with NTLM v1 enabled, an attacker
could exploit this to obtain sensitive information. (CVE-2015-4515)

Mario Heiderich and Frederik Braun discovered that CSP could be bypassed
in reader mode in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit this to
conduct cross-site scripting (XSS) attacks. (CVE-2015-4518)

Tyson Smith and David Keeler discovered a use-after-poison and buffer
overflow in NSS. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-7181, CVE-2015-7182)

Ryan Sleevi discovered an integer overflow in NSPR. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-7183)

Jason Hamilton, Peter Arremann and Sylvain Giroux discovered that panels
created via the Addon SDK with { script: false } could still execute
inline script. If a user installed an addon that relied on this as a
security mechanism, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks, depending on the source of the panel
content. (CVE-2015-7187)

Michał Bentkowski discovered that adding white-space to hostnames that are
IP address can bypass same-origin protections. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2015-7188)

Looben Yang discovered a buffer overflow during script interactions with
the canvas element in some circumstances. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-7189)

Shinto K Anto discovered that CORS preflight is bypassed when receiving
non-standard Content-Type headers in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to bypass same-origin restrictions.
(CVE-2015-7193)

Gustavo Grieco discovered a buffer overflow in libjar in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-7194)

Frans Rosén discovered that certain escaped characters in the Location
header are parsed incorrectly, resulting in a navigation to the previously
parsed version of a URL. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to obtain site
specific tokens. (CVE-2015-7195)

Vytautas Staraitis discovered a garbage collection crash when interacting
with Java applets in some circumstances. If a user were tricked in to
opening a specially crafted website with the Java plugin installed, an
attacker could potentially exploit this to execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-7196)

Ehsan Akhgari discovered a mechanism for a web worker to bypass secure
requirements for web sockets. If a user were tricked in to opening a
specially crafted website, an attacker could exploit this to bypass the
mixed content web socket policy. (CVE-2015-7197)

Ronald Crane discovered several vulnerabilities through code-inspection. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2015-7198, CVE-2015-7199, CVE-2015-7200)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  firefox                         42.0+build2-0ubuntu0.15.10.1

Ubuntu 15.04:
  firefox                         42.0+build2-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  firefox                         42.0+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  firefox                         42.0+build2-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2785-1
  CVE-2015-4513, CVE-2015-4514, CVE-2015-4515, CVE-2015-4518,
  CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7187,
  CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194,
  CVE-2015-7195, CVE-2015-7196, CVE-2015-7197, CVE-2015-7198,
  CVE-2015-7199, CVE-2015-7200

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/42.0+build2-0ubuntu0.15.10.1
  https://launchpad.net/ubuntu/+source/firefox/42.0+build2-0ubuntu0.15.04.1
  https://launchpad.net/ubuntu/+source/firefox/42.0+build2-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/firefox/42.0+build2-0ubuntu0.12.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20151104/d6d4e0d2/attachment.sig>


More information about the ubuntu-security-announce mailing list