Bug 39388 - Iceweasel: Security issues from 38.3 (4.0)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-x-errata
Assigned To: Security maintainers
https://www.mozilla.org/en-US/securit...
Duplicates: 39789 40276
Depends on: 38541
Reported: 2015-09-22 19:12 CEST by Arvid Requate
Modified: 2019-04-11 19:25 CEST (History)
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2015-09-22 19:12:25 CEST
Iceweasel ESR 38.3 will probably fix these issues (see Bug 39387):
* Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
* Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
* Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers (CVE-2015-4522)
* Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug (CVE-2015-7174)
* Overflow in XULContentSinkImpl::AddText causes memory-safety bug (CVE-2015-7175)
* Bad sscanf argument in AnimationThread overruns stack variable (CVE-2015-7176)
* Memory-safety bug in InitTextures (CVE-2015-7177)
* Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug (CVE-2015-7180)
* CORS preflight cache poisoning with the credentials flag (CVE-2015-4520)
* CORS preflight cache poisoning with a CORS header being mistaken with another CORS header
* Information leakage: Dragging and dropping image to <textbox> pastes final URL of image after redirects (CVE-2015-4519)
* HTMLVideoElement Use-After-Free Remote Code Execution (CVE-2015-4509)
* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (MFSA-2015-105)
* maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file in vp9_init_context_buffers (CVE-2015-4506)
* memory safety problems and crashes that affect Firefox ESR 38.2 (CVE-2015-4500)

+++ This bug was initially created as a clone of Bug #38541 +++

+++ This bug was initially created as a clone of Bug #38523 +++

Memory safety bugs fixed in Firefox ESR 31.7 and Firefox 38. (CVE-2015-2708)

heap-buffer-overflow (read of size 0xffffffff) when playing an m4v video (CVE-2015-0797)

Heap-buffer-overflow in SVGTextFrame (CVE-2015-2710)

Heap-use-after-free in SetBreaks (CVE-2015-2713)

Buffer overflow xml parser (CVE-2015-2716)
Comment 1 Arvid Requate univentionstaff 2015-09-23 11:41:42 CEST
Released as 38.3.0esr-1
Comment 2 Arvid Requate univentionstaff 2015-09-23 11:44:30 CEST
MFSA-2015-105 is CVE-2015-4511, so:

* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (CVE-2015-4511)
Comment 3 Arvid Requate univentionstaff 2015-09-24 14:38:43 CEST
38.3.0esr-1~deb7u1
Comment 4 Arvid Requate univentionstaff 2015-11-18 18:25:36 CET
DSA package version 38.4.0esr-1~deb7u1 additionally fixes the following security issues:

CVE ID         : CVE-2015-4513 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183
                 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194
                 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199
                 CVE-2015-7200
See Bug #39785 for descriptions.
Comment 5 Arvid Requate univentionstaff 2015-11-18 18:25:44 CET
*** Bug 39789 has been marked as a duplicate of this bug. ***
Comment 6 Arvid Requate univentionstaff 2016-01-28 16:43:48 CET
Firefox ESR 38.5 fixes these issues:

* cross-origin restriction bypass using data: and view-source: uri scheme (CVE-2015-7214)
* potential underflow in 'covr', unchecked allocation and copy in Metadata::setData (CVE-2015-7222)
* integer underflow in covr MPEG4 processing (no cve? mfsa2015-147)
* 64bit: Overflow in MPEG4Extractor::readMetaData causes memory-safety bug (CVE-2015-7213)
* Underflow in RTPReceiverVideo::ParseRtpPacket causes memory-safety bug and information leak (CVE-2015-7205)
* Memset crash in mozilla::layers::BufferTextureClient::AllocateForSurface (CVE-2015-7212)
* UAF due to DataChannelConnection not Destroy()ed before deletion (CVE-2015-7210)
* Memory safety bugs fixed in Firefox ESR 38.5 and Firefox 43. (CVE-2015-7201)
Comment 7 Arvid Requate univentionstaff 2016-01-28 16:44:13 CET
Firefox ESR 38.5.2:

* Prevent MD5 Downgrade in TLS 1.2 Signatures (CVE-2015-7575)
Comment 8 Arvid Requate univentionstaff 2016-01-28 16:44:27 CET
*** Bug 40276 has been marked as a duplicate of this bug. ***
Comment 9 Arvid Requate univentionstaff 2016-01-28 16:48:49 CET
Iceweasel 38.6.0esr-1~deb7u1 fixes these issues:

* Prevent MD5 Downgrade in TLS 1.2 Signatures (CVE-2015-7575) [again? strange, maybe an updated patch?]
* Memory safety bugs fixed in Firefox ESR 38.6 and Firefox 44. (CVE-2016-1930)
* global-buffer-overflow (write) at BufferSubData (CVE-2016-1935)
Comment 10 Arvid Requate univentionstaff 2016-02-17 16:08:28 CET
Iceweasel 38.6.1esr-1~deb7u1 fixes this issue:

* Graphite 2 instruction parameter validation bypass (CVE-2016-1523)
Comment 11 Arvid Requate univentionstaff 2016-03-21 13:06:18 CET
DSA package version 38.7.0esr-1~deb7u1 additionally fixes the following security issues:

* Graphite2 Machine::Code::decoder::analysis::set_ref stack out of bounds bit set (CVE-2016-1977)
* Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo] (CVE-2016-2790)
* graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph] (CVE-2016-2791)
* graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232 (CVE-2016-2792)
* graphite2: heap-buffer-overflow read in CachedCmap.cpp (CVE-2016-2793)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12NextCodepoint] (CVE-2016-2794)
* Use of uninitialised memory in [@graphite2::FileFace::get_table_fn] (CVE-2016-2795)
* graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code] (CVE-2016-2796)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] (CVE-2016-2797)
* graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::Loader::Loader] (CVE-2016-2798)
* graphite2: heap-buffer-overflow write in [@graphite2::Slot::setAttr] (CVE-2016-2799)
* graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:234 (CVE-2016-2800)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] TtfUtil.cpp:1126 (CVE-2016-2801)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable4NextCodepoint] (CVE-2016-2802)
* NSS Heap buffer overflow vulnerability in ASN1 certificate parsing (CVE-2016-1950)
* Lack of status return from nsScannerString::AppendUnicodeTo causes out-of-bounds read in AppendErrorPointer (CVE-2016-1974)
* Exploitable plugin crash (CVE-2016-1966)
* Address bar spoofing using location.protocol and history.back (CVE-2016-1965)
* Write AV near NULL in AtomicBaseIncDec() / Heap UAF (CVE-2016-1964)
* Second datachannel with id crashes in PR_Unlock | mozilla::DataChannelConnection::Close after navigation (CVE-2016-1962)
* ZDI-CAN-3574: nsHTMLDocument SetBody Use-After-Free RCE (CVE-2016-1961)
* ZDI-CAN-3545: Mozilla Firefox nsHtml5TreeBuilder Array Indexing Remote Code Execution Vulnerability (CVE-2016-1960)
* Show about:blank using javascript URI scheme (CVE-2016-1958)
* Stagefright delete array (CVE-2016-1957)
* CSP's report-uri (over-)writes files (CVE-2016-1954)
* Memory safety bugs fixed in Firefox ESR 38.7 and Firefox 45 (CVE-2016-1952)
* performance.getEntries() shows x-domain URLs after a redirect when loading from cache (CVE-2015-7207)
* Cached redirects + History traversal reveal cross-origin URLs
* MediaStream use-after-free (CVE-2015-4477)
Comment 12 Arvid Requate univentionstaff 2016-03-21 13:07:04 CET
DSA package version 38.7.1esr-1~deb7u1 disables the Graphite font shaping library in Iceweasel.
Comment 13 Arvid Requate univentionstaff 2016-05-03 16:06:11 CEST
Iceweasel 38.8.0esr-1~deb7u1 fixes these issues:

CVE-2016-2805 CVE-2016-2807 CVE-2016-2808 CVE-2016-2814
Comment 14 Arvid Requate univentionstaff 2016-06-01 19:12:10 CEST
UCS 4.0 is out of maintenance.