Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight and Cameron McCormack reported memory safety
problems and crashes that affect Firefox ESR 38.2 and Firefox 40. Some
of these bugs showed evidence of memory corruption under certain
circumstances, and Mozilla presumes that with enough effort at least some
of these could be exploited to run arbitrary code.
Bob Clary and Randell Jesup reported crash and memory safety problems
that affect Firefox 40. Mozilla developers and community identified and
fixed several memory safety bugs in the browser engine used in Firefox
and other Mozilla-based products. Some of these bugs showed evidence of
memory corruption under certain circumstances, and Mozilla presumes that
with enough effort at least some of these could be exploited to run
arbitrary code.
Security researcher André Bargull reported that when a web page creates
a scripted proxy for the window with a handler defined a certain way, a
reference to the inner window will be passed, rather than that of the
outer window in violation of the specification.
Security researcher Felix Gröbert of Google discovered an out of bounds
read in the QCMS color management library while manipulating an image
with specific attributes in its ICC V4 profile. This causes a crash and
could lead to information disclosure.
Security researcher Khalil Zhani reported that a maliciously crafted vp9
format video could be used to trigger a buffer overflow while parsing
the file. This leads to a potentially exploitable crash due to a flaw in
the libvpx library.
Security researcher Spandan Veggalam reported a crash while using the
debugger API with SavedStacks in JavaScript. This crash can only occur
when the debugger is in use but may be potentially exploitable.
Security researcher Juho Nurminen reported a mechanism to spoof the URL
displayed in the address bar in reader mode by manipulating the loaded
URL. This flaw allows the displayed URL to differ from that of the web
content actually rendered. This allows for potential spoofing but the
effects are mitigated due to the restrictions reader mode places when
rendering content.
An anonymous researcher reported, via HP’s Zero Day Initiative, a
use-after-free vulnerability with HTML media elements on a page during
script manipulation of the URI table of these elements. This results in
a potentially exploitable crash.
Security researcher Looben Yang discovered a use-after-free
vulnerability when using a shared worker with IndexedDB due to a race
condition with the worker. This results in a potentially exploitable
crash that can be triggered through web content.
Using the Address Sanitizer tool, security researcher Atte Kettunen
discovered a buffer overflow in the nestegg library when decoding a WebM
format video with maliciously formatted headers. This leads to a
potentially exploitable crash.
Security researcher Francisco Alonso of the NowSecure Research Team used
the Address Sanitizer tool to discover an out-of-bounds read issue
during 2D canvas rendering. This was due to an issue in the cairo
graphics library when surfaces are created with 32-bit color depth but
displayed on a 16-bit color depth system, which is unsupported. This
allows an attacker to read an amount of random memory following the heap
for the 16-bit surface leading to information disclosure.
Mozilla developer Jeff Walden reported that Gecko’s implementation of
the ECMAScript 5 APIs enforces non-configurable properties with logic
specific to each API. Scripts that do not go through these APIs can
bypass these protections and make changes to the immutable properties in
violation of security protections. This could potentially allow for web
content to run in a privileged context leading to arbitrary code execution.
Security researcher Mario Gomes reported that when a previously loaded
image on a page is dragged and dropped into content after a redirect, the
redirected URL is available to scripts. This is a violation of the Fetch
specification’s defined behavior for "Atomic HTTP redirect handling"
which states that redirected URLs are not exposed to any APIs. This can
allow for information leakage.
Mozilla developer Ehsan Akhgari reported two issues with Cross-origin
resource sharing (CORS) "preflight" requests.
The first issue is that in some circumstances the same cache key can be
generated for two preflight requests on a site. As a result, if a second
request is made that will match the cached key generated by an earlier
request, CORS checks will be bypassed because the system will see the
previously cached request as applicable.
In the second issue, when some Access-Control- headers are missing from
CORS responses, the values of different Access-Control- headers that are
present in the same response can be used in their place.
Security researcher Ronald Crane reported eight vulnerabilities
affecting released code that were found through code inspection. These
included several potential memory safety issues resulting from the use
of snprintf, one use of unowned memory, one use of a string without
overflow checks, and five memory safety bugs. These do not all have
clear mechanisms to be exploited through web content but are vulnerable
if a mechanism can be found to trigger them.
access.redhat.com/security/cve/CVE-2015-4500
access.redhat.com/security/cve/CVE-2015-4501
access.redhat.com/security/cve/CVE-2015-4502
access.redhat.com/security/cve/CVE-2015-4504
access.redhat.com/security/cve/CVE-2015-4506
access.redhat.com/security/cve/CVE-2015-4507
access.redhat.com/security/cve/CVE-2015-4508
access.redhat.com/security/cve/CVE-2015-4509
access.redhat.com/security/cve/CVE-2015-4510
access.redhat.com/security/cve/CVE-2015-4511
access.redhat.com/security/cve/CVE-2015-4512
access.redhat.com/security/cve/CVE-2015-4516
access.redhat.com/security/cve/CVE-2015-4517
access.redhat.com/security/cve/CVE-2015-4519
access.redhat.com/security/cve/CVE-2015-4520
access.redhat.com/security/cve/CVE-2015-4521
access.redhat.com/security/cve/CVE-2015-4522
access.redhat.com/security/cve/CVE-2015-7174
access.redhat.com/security/cve/CVE-2015-7175
access.redhat.com/security/cve/CVE-2015-7176
access.redhat.com/security/cve/CVE-2015-7177
access.redhat.com/security/cve/CVE-2015-7180
www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41