Univention Bugzilla – Bug 39388
Iceweasel: Security issues from 38.3 (4.0)
Last modified: 2019-04-11 19:25:39 CEST
Iceweasel ESR 38.3 will probably fix these issues (see Bug 39387):
* Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
* Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
* Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers (CVE-2015-4522)
* Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug (CVE-2015-7174)
* Overflow in XULContentSinkImpl::AddText causes memory-safety bug (CVE-2015-7175)
* Bad sscanf argument in AnimationThread overruns stack variable (CVE-2015-7176)
* Memory-safety bug in InitTextures (CVE-2015-7177)
* Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug (CVE-2015-7180)
* CORS preflight cache poisoning with the credentials flag (CVE-2015-4520)
* CORS preflight cache poisoning with a CORS header being mistaken for another CORS header
* Information leakage: Dragging and dropping an image to <textbox> pastes the final URL of the image after redirects (CVE-2015-4519)
* HTMLVideoElement Use-After-Free Remote Code Execution (CVE-2015-4509)
* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (MFSA-2015-105)
* Maliciously crafted vp9 format video could be used to trigger a buffer overflow while parsing the file in vp9_init_context_buffers (CVE-2015-4506)
* Memory safety problems and crashes that affect Firefox ESR 38.2 (CVE-2015-4500)

+++ This bug was initially created as a clone of Bug #38541 +++

+++ This bug was initially created as a clone of Bug #38523 +++

* Memory safety bugs fixed in Firefox ESR 31.7 and Firefox 38 (CVE-2015-2708)
* heap-buffer-overflow (read of size 0xffffffff) when playing a m4v video (CVE-2015-0797)
* Heap-buffer-overflow in SVGTextFrame (CVE-2015-2710)
* Heap-use-after-free in SetBreaks (CVE-2015-2713)
* Buffer overflow in XML parser (CVE-2015-2716)
Released as 38.3.0esr-1
MFSA-2015-105 is CVE-2015-4511, so:
* Heap-buffer-overflow due to overflow in nestegg_track_codec_data (CVE-2015-4511)
38.3.0esr-1~deb7u1
DSA package version 38.4.0esr-1~deb7u1 additionally fixes the following security issues:
CVE ID: CVE-2015-4513 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200
See Bug #39785 for descriptions.
*** Bug 39789 has been marked as a duplicate of this bug. ***
Firefox ESR 38.5 fixes these issues:
* Cross-origin restriction bypass using data: and view-source: URI schemes (CVE-2015-7214)
* Potential underflow in 'covr', unchecked allocation and copy in Metadata::setData (CVE-2015-7222)
* Integer underflow in covr MPEG4 processing (no CVE? mfsa2015-147)
* 64bit: Overflow in MPEG4Extractor::readMetaData causes memory-safety bug (CVE-2015-7213)
* Underflow in RTPReceiverVideo::ParseRtpPacket causes memory-safety bug and information leak (CVE-2015-7205)
* Memset crash in mozilla::layers::BufferTextureClient::AllocateForSurface (CVE-2015-7212)
* UAF due to DataChannelConnection not Destroy()ed before deletion (CVE-2015-7210)
* Memory safety bugs fixed in Firefox ESR 38.5 and Firefox 43 (CVE-2015-7201)
Firefox ESR 38.5.2:
* Prevent MD5 Downgrade in TLS 1.2 Signatures (CVE-2015-7575)
*** Bug 40276 has been marked as a duplicate of this bug. ***
Iceweasel 38.6.0esr-1~deb7u1 fixes these issues:
* Prevent MD5 Downgrade in TLS 1.2 Signatures (CVE-2015-7575) [again? strange, maybe an updated patch?]
* Memory safety bugs fixed in Firefox ESR 38.6 and Firefox 44 (CVE-2016-1930)
* global-buffer-overflow (write) at BufferSubData (CVE-2016-1935)
Iceweasel 38.6.1esr-1~deb7u1 fixes this issue:
* Graphite 2 instruction parameter validation bypass (CVE-2016-1523)
DSA package version 38.7.0esr-1~deb7u1 additionally fixes the following security issues:
* Graphite2 Machine::Code::decoder::analysis::set_ref stack out of bounds bit set (CVE-2016-1977)
* Use of uninitialised memory in [@graphite2::TtfUtil::GetTableInfo] (CVE-2016-2790)
* graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::glyph] (CVE-2016-2791)
* graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:232 (CVE-2016-2792)
* graphite2: heap-buffer-overflow read in CachedCmap.cpp (CVE-2016-2793)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12NextCodepoint] (CVE-2016-2794)
* Use of uninitialised memory in [@graphite2::FileFace::get_table_fn] (CVE-2016-2795)
* graphite2: heap-buffer-overflow write in [@graphite2::vm::Machine::Code::Code] (CVE-2016-2796)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] (CVE-2016-2797)
* graphite2: heap-buffer-overflow read in [@graphite2::GlyphCache::Loader::Loader] (CVE-2016-2798)
* graphite2: heap-buffer-overflow write in [@graphite2::Slot::setAttr] (CVE-2016-2799)
* graphite2: heap-buffer-overflow read in [@graphite2::Slot::getAttr] Slot.cpp:234 (CVE-2016-2800)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable12Lookup] TtfUtil.cpp:1126 (CVE-2016-2801)
* graphite2: heap-buffer-overflow read in [@graphite2::TtfUtil::CmapSubtable4NextCodepoint] (CVE-2016-2802)
* NSS heap buffer overflow vulnerability in ASN1 certificate parsing (CVE-2016-1950)
* Lack of status return from nsScannerString::AppendUnicodeTo causes out-of-bounds read in AppendErrorPointer (CVE-2016-1974)
* Exploitable plugin crash (CVE-2016-1966)
* Address bar spoofing using location.protocol and history.back (CVE-2016-1965)
* Write AV near NULL in AtomicBaseIncDec() / Heap UAF (CVE-2016-1964)
* Second datachannel with id crashes in PR_Unlock | mozilla::DataChannelConnection::Close after navigation (CVE-2016-1962)
* ZDI-CAN-3574: nsHTMLDocument SetBody Use-After-Free RCE (CVE-2016-1961)
* ZDI-CAN-3545: Mozilla Firefox nsHtml5TreeBuilder Array Indexing Remote Code Execution Vulnerability (CVE-2016-1960)
* Show about:blank using javascript URI scheme (CVE-2016-1958)
* Stagefright delete array (CVE-2016-1957)
* CSP's report-uri (over-)writes files (CVE-2016-1954)
* Memory safety bugs fixed in Firefox ESR 38.7 and Firefox 45 (CVE-2016-1952)
* performance.getEntries() shows x-domain URLs after a redirect when loading from cache (CVE-2015-7207)
* Cached redirects + History traversal reveal cross-origin URLs
* MediaStream use-after-free (CVE-2015-4477)
DSA package version 38.7.1esr-1~deb7u1 disables the Graphite font shaping library in Iceweasel.
Iceweasel 38.8.0esr-1~deb7u1 fixes these issues:
* CVE-2016-2805
* CVE-2016-2807
* CVE-2016-2808
* CVE-2016-2814
UCS 4.0 is out of maintenance.