Bug 39387 - Firefox: Security issues from 38.3 (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-3-errata
Assigned To: Janek Walkenhorst
Erik Damrose
https://www.mozilla.org/en-US/securit...
Depends on: 38523
 
Reported: 2015-09-22 19:07 CEST by Arvid Requate
Modified: 2015-10-28 14:00 CET
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2015-09-22 19:07:31 CEST
Firefox ESR 38.3 fixes these issues:

* Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
* Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
* Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers (CVE-2015-4522)
* Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug (CVE-2015-7174)
* Overflow in XULContentSinkImpl::AddText causes memory-safety bug (CVE-2015-7175)
* Bad sscanf argument in AnimationThread overruns stack variable (CVE-2015-7176)
* Memory-safety bug in InitTextures (CVE-2015-7177)
* Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug (CVE-2015-7180)
* CORS preflight cache poisoning with the credentials flag (CVE-2015-4520)
* CORS preflight cache poisoning with a CORS header being mistaken with another CORS header
* Information leakage: Dragging and dropping image to <textbox> pastes final URL of image after redirects (CVE-2015-4519)
* HTMLVideoElement Use-After-Free Remote Code Execution (CVE-2015-4509)
* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (MFSA-2015-105)
* Maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file in vp9_init_context_buffers (CVE-2015-4506)
* Memory safety problems and crashes that affect Firefox ESR 38.2 (CVE-2015-4500)
Comment 1 Arvid Requate univentionstaff 2015-09-23 11:44:55 CEST
MFSA-2015-105 is CVE-2015-4511, so:

* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (CVE-2015-4511)
Comment 2 Janek Walkenhorst univentionstaff 2015-09-25 16:21:49 CEST
Advisories:
 firefox-de.yaml
 firefox-en.yaml
Comment 3 Felix Botner univentionstaff 2015-10-22 17:10:34 CEST
OK - amd64/i386
OK - firefox-de firefox-en
OK - YAML
Comment 4 Janek Walkenhorst univentionstaff 2015-10-28 13:40:33 CET
Advisories have the wrong "bug" field.
Comment 5 Janek Walkenhorst univentionstaff 2015-10-28 13:43:46 CET
(In reply to Janek Walkenhorst from comment #4)
> Advisories have the wrong "bug" field.
Fixed r64930
Comment 6 Erik Damrose univentionstaff 2015-10-28 13:45:44 CET
Verified (only rechecked bug number)