Bug 38541 - Iceweasel: Security issues from 31.8 (4.0)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-3-errata
Assigned To: Felix Botner
Janek Walkenhorst
Depends on: 38523
Blocks: 39388
Reported: 2015-05-13 20:51 CEST by Arvid Requate
Modified: 2015-09-23 17:12 CEST (History)
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2015-05-13 20:51:52 CEST
+++ This bug was initially created as a clone of Bug #38523 +++

Memory safety bugs fixed in Firefox ESR 31.7 and Firefox 38. (CVE-2015-2708)

heap-buffer-overflow (read of size 0xffffffff) when playing a m4v video (CVE-2015-0797)

Heap-buffer-overflow in SVGTextFrame (CVE-2015-2710)

Heap-use-after-free in SetBreaks (CVE-2015-2713)

Buffer overflow xml parser (CVE-2015-2716)
Comment 1 Arvid Requate univentionstaff 2015-05-13 20:53:41 CEST
Fixed version available upstream: Debian Package 31.7.0esr-1~deb7u1
Comment 2 Arvid Requate univentionstaff 2015-07-06 15:33:33 CEST
Additional fixes in 31.8.0esr-1~deb7u1:

* NSS incorrectly permits skipping of ServerKeyExchange (CVE-2015-2721)

* NSS accepts export-length DHE keys with regular DHE cipher suites (CVE-2015-4000)

* Privilege escalation in PDF.js (CVE-2015-2743)

* CairoTextureClientD3D9::BorrowDrawTarget using uninitialized memory (CVE-2015-2734)
* Memory safety bug due to bad test in nsZipArchive.cpp (CVE-2015-2735)
* nsZipArchive::BuildFileList has memory-safety bug (CVE-2015-2736)
* rx::d3d11::SetBufferData using uninitialized memory (CVE-2015-2737)
* YCbCrImageDataDeserializer::ToDataSourceSurface using uninitialized memory (CVE-2015-2738)
* Memory safety problem in ArrayBufferBuilder::append (CVE-2015-2739)
* Overflow in nsXMLHttpRequest::AppendToResponseText causes memory-safety bug (CVE-2015-2740)

* Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722)
* Use After Free in CanonicalizeXPCOMParticipant() with dedicated worker (CVE-2015-2733)

* ECC correctness issues (CVE-2015-2730)

* Type Confusion mozilla::dom::indexedDB::IndexedDatabaseManager (CVE-2015-2728)

* Memory safety bugs fixed in Firefox ESR 31.8, Firefox 38.1, and Firefox 39. (CVE-2015-2724)
* Memory safety bugs fixed in Firefox 38.1 and Firefox 39. (CVE-2015-2725)
* Memory safety bugs fixed in Firefox 39. (CVE-2015-2726)
Comment 3 Arvid Requate univentionstaff 2015-08-13 19:53:41 CEST
Additional fixes in 38.2.0esr-1:

* out of bounds read at mozilla::AudioSink (CVE-2015-4475)
* JSON.parse with reviver allows redefining non-configurable properties (CVE-2015-4478)
* MPEG4 saio Chunk Integer Overflow (libstagefright) (CVE-2015-4479)
* crash in [@ stagefright::SampleTable::isValid() ] with h264 mp4 (CVE-2015-4480)
* Out of bounds write in mar_read.c (CVE-2015-4482)
* crash in void js::jit::AssemblerX86Shared::lock_addl<js::jit::Imm32> (CVE-2015-4484)
* Heap-buffer-overflow WRITE in resize_context_buffers (CVE-2015-4485)
* Out of bounds read in decrease_ref_count (CVE-2015-4486)
* Overflow nsTSubstring::ReplacePrep causes memory-safety bugs in string library (CVE-2015-4487)
* StyleAnimationValue::operator= uses objects after delete on self-assignment (CVE-2015-4488)
* Self-assignment in nsTArray_Impl causes memory-safety bug (CVE-2015-4489)
* gdk-pixbuf heap overflow and DoS (CVE-2015-4491)
* Use After Free in XMLHttpRequest::Open() (CVE-2015-4492)
* Stagefright: heap-buffer-overflow crash [@stagefright::ESDS::parseESDescriptor] (CVE-2015-4493)

These don't affect us:
* CVE-2015-4481 (Windows only)
* CVE-2015-4491 (Gnome only)
* CVE-2015-4473 (38.1 and 39 only)
* CVE-2015-4474 (39 only)
Comment 4 Arvid Requate univentionstaff 2015-09-14 16:13:01 CEST
Iceweasel 38.2.1esr-1~deb7u1 fixes these issues:

* use-after-free (& crash) after style flush in CanvasRenderingContext2D (CVE-2015-4497)
* Mozilla Firefox nsIPresShell Use-After-Free Remote Code Execution Vulnerability
* Firefox Addon bypass dialog and spoof vulnerability (CVE-2015-4498)
Comment 5 Felix Botner univentionstaff 2015-09-21 09:47:12 CEST
* added 38.2.1esr-1~deb7u1 to errata4.0-3
* YAML: 2015-09-16-iceweasel.yaml

* modified enable-backport.patch
** fix dpkg-parsechangelog in upstream.mk
** set BACKPORT to wheezy for UCS 4.0
** add -lrt for security/nss/ build
Comment 6 Janek Walkenhorst univentionstaff 2015-09-22 19:11:17 CEST
Advisory: OK
Tests (amd64, i386): OK
Comment 7 Janek Walkenhorst univentionstaff 2015-09-23 17:12:25 CEST