Bug 39387

Summary: Firefox: Security issues from 38.3 (4.0)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Erik Damrose <damrose>
Severity: normal
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 4.0
Flags: requate: Patch_Available+
Target Milestone: UCS 4.0-3-errata
Hardware: Other
OS: Linux
URL: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 38523
Bug Blocks:

Description Arvid Requate univentionstaff 2015-09-22 19:07:31 CEST
Firefox ESR 38.3 fixes these issues:

* Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
* Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
* Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers (CVE-2015-4522)
* Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug (CVE-2015-7174)
* Overflow in XULContentSinkImpl::AddText causes memory-safety bug (CVE-2015-7175)
* Bad sscanf argument in AnimationThread overruns stack variable (CVE-2015-7176)
* Memory-safety bug in InitTextures (CVE-2015-7177)
* Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug (CVE-2015-7180)
* CORS preflight cache poisoning with the credentials flag (CVE-2015-4520)
* CORS preflight cache poisoning with a CORS header being mistaken with another CORS header
* Information leakage: Dragging and dropping image to <textbox> pastes final URL of image after redirects (CVE-2015-4519)
* HTMLVideoElement Use-After-Free Remote Code Execution (CVE-2015-4509)
* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (MFSA-2015-105)
* Maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file in vp9_init_context_buffers (CVE-2015-4506)
* Memory-safety problems and crashes that affect Firefox ESR 38.2 (CVE-2015-4500)

Comment 1 Arvid Requate univentionstaff 2015-09-23 11:44:55 CEST
MFSA-2015-105 is CVE-2015-4511, so:

* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (CVE-2015-4511)

Comment 2 Janek Walkenhorst univentionstaff 2015-09-25 16:21:49 CEST
Advisories:
 firefox-de.yaml
 firefox-en.yaml

Comment 3 Felix Botner univentionstaff 2015-10-22 17:10:34 CEST
OK - amd64/i386
OK - firefox-de firefox-en
OK - YAML

Comment 4 Janek Walkenhorst univentionstaff 2015-10-28 13:40:33 CET
Advisories have the wrong "bug" field.

Comment 5 Janek Walkenhorst univentionstaff 2015-10-28 13:43:46 CET
(In reply to Janek Walkenhorst from comment #4)
> Advisories have the wrong "bug" field.
Fixed r64930

Comment 6 Erik Damrose univentionstaff 2015-10-28 13:45:44 CET
Verified (only rechecked bug number)