Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.
Security researcher Ronald Crane reported three buffer overflows
affecting released code that were found through code inspection. They do
not all have clear mechanisms to be exploited through web content but
are vulnerable if a mechanism can be found to trigger them.
Security researcher Cajus Pollmeier reported crashes during some
JavaScript variable assignments. The issue was caused by an
implementation error with unboxed objects and property storing in the
JavaScript engine. This error could result in a potentially exploitable
crash when triggered by JavaScript content, as well as leading to errors
on some websites.
Security researcher Ronald Crane reported an underflow found through
code inspection. This does not have a clear mechanism to be
exploited through web content but could be vulnerable if a means can be
found to trigger it.
Security researcher cgvwzq reported that it is possible to read
cross-origin URLs following a redirect if performance.getEntries() is
used along with an iframe to host a page. When navigating back in history
through script, content is pulled from the browser cache for the
redirected location instead of going to the original location. This is a
same-origin policy violation and could allow for data theft.
Security researcher musicDespiteEverything reported an issue when ASCII
code 11 for vertical tab is stored in a cookie in violation of RFC6265.
This may result in incorrect cookie handling by servers, resulting in
the potential ability to set cookie values and read cookie data from
users in concert with some web servers if the vertical tab character is
mishandled during parsing.
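The cookie issue above turns on which octets a receiver accepts in a cookie value. The following server-side check, added here as an illustration and not taken from Firefox or any named server, enforces the RFC 6265 cookie-octet grammar so that a vertical tab (0x0B) or any other control character causes the pair to be rejected rather than silently re-parsed:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
 * i.e. printable US-ASCII minus CTLs, SP, DQUOTE, comma, semicolon, backslash. */
static bool is_cookie_octet(unsigned char c) {
    if (c < 0x21 || c > 0x7E) return false; /* CTLs (incl. 0x0B VT), SP, DEL, non-ASCII */
    return c != '"' && c != ',' && c != ';' && c != '\\';
}

/* Validate one cookie-value; RFC 6265 also permits a DQUOTE-wrapped value. */
bool cookie_value_valid(const char *v, size_t n) {
    if (n >= 2 && v[0] == '"' && v[n - 1] == '"') { v++; n -= 2; }
    for (size_t i = 0; i < n; i++)
        if (!is_cookie_octet((unsigned char)v[i])) return false;
    return true;
}

/* Count the well-formed name=value pairs in a Cookie header. Returns -1 as soon as
 * a pair has no name, no '=', or a value outside the grammar. Only SP and HT are
 * trimmed: treating VT as whitespace is the lenient behaviour this guards against. */
int count_valid_cookie_pairs(const char *header) {
    int count = 0;
    const char *p = header;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        size_t s = 0, e = len;
        while (s < e && (p[s] == ' ' || p[s] == '\t')) s++;
        while (e > s && (p[e - 1] == ' ' || p[e - 1] == '\t')) e--;
        if (s < e) {                              /* skip empty segments like a trailing ';' */
            const char *eq = memchr(p + s, '=', e - s);
            if (!eq || eq == p + s) return -1;    /* missing '=' or empty cookie-name */
            const char *val = eq + 1;
            if (!cookie_value_valid(val, (size_t)((p + e) - val))) return -1;
            count++;
        }
        p = end ? end + 1 : p + len;
    }
    return count;
}
```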
Security researcher Looben Yang reported a use-after-free error in
WebRTC that occurs due to timing issues in WebRTC when closing channels.
WebRTC may still believe it has a datachannel open after another WebRTC
function has closed it. This results in attempts to use the now
destroyed datachannel, leading to a potentially exploitable crash.
Security researcher Abdulrahman Alqabandi reported that when a data: URI
is parsed, the hash (‘#’) symbol is incorrectly handled, allowing for
spoofing attacks. This issue could result in the wrong URI being
displayed as a location, which can mislead users to believe they are on
a different site than the one loaded.
Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover an integer
overflow when allocating textures of extremely large sizes during
graphics operations. This results in a potentially exploitable crash
when triggered.
Security researcher Ronald Crane reported a vulnerability found through
code inspection. This issue is an integer overflow while processing an
MP4 format video file, where an erroneously small buffer is allocated
and then overrun, resulting in a potentially exploitable crash.
Security researcher Tsubasa Iinuma reported a mechanism to violate
same-origin policy for content using data: and view-source: URIs to
confuse protections and bypass restrictions. This resulted in the
ability to read data from cross-site URLs and local files.
Security researcher Masato Kinugawa reported a cross-origin information
leak through the error events in web workers. This violates same-origin
policy and the leaked information could potentially be used by a
malicious party to gather authentication tokens and other data from
third-party websites.
Security researcher Gustavo Grieco reported that on Linux Gnome systems
the dialog for choosing local files uses the operating system’s
gdk-pixbuf library to render thumbnails for image file types. This
library supports various image decoders, and Grieco reported that the
Jasper and TGA decoders were unmaintained and have several known
vulnerabilities. Firefox has disabled the use of those decoders in
gdk-pixbuf.
Security researcher Stuart Larsen reported two issues with HTTP/2
resulting in integer underflows that lead to intentional aborts when the
errors are detected.
In the first issue, if a malformed HTTP/2 header frame is received with
only a single byte, an integer underflow can be created in some
circumstances. In the second issue, a malformed HTTP/2 PushPromise frame
is received and the length of the decompressed buffer is miscalculated,
leading to another integer underflow. In both of these instances, more
memory is allocated than is allowed, triggering assertions and
intentional aborts (a denial of service) but no exploitable crashes.
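The single-byte header frame case is the classic shape of a length underflow in frame parsers. The advisory does not name the field involved; the example below, written for this page and not taken from Firefox's HTTP/2 code, assumes the RFC 7540 HEADERS layout (an optional Pad Length octet and an optional 5-octet priority block ahead of the header block fragment) and shows the unchecked subtraction next to a checked one:

```c
#include <stdbool.h>
#include <stdint.h>

/* HEADERS frame flags from RFC 7540 section 6.2 */
#define H2_FLAG_PADDED   0x08u
#define H2_FLAG_PRIORITY 0x20u

/* Size of the header block fragment as a naive parser computes it.
 * With payload_len == 1, PADDED set and a non-zero pad octet, the unsigned
 * subtraction wraps to roughly 4 GiB, which is the over-allocation described. */
uint32_t h2_header_block_len_unchecked(uint32_t payload_len, uint8_t flags, uint8_t pad) {
    uint32_t consumed = (flags & H2_FLAG_PADDED) ? 1u : 0u;
    if (flags & H2_FLAG_PRIORITY) consumed += 5u;
    return payload_len - consumed - pad;
}

/* Checked version: every subtraction is guarded so a malformed frame is
 * rejected (the caller should treat this as PROTOCOL_ERROR) instead of wrapping. */
bool h2_header_block_len(const uint8_t *payload, uint32_t payload_len,
                         uint8_t flags, uint32_t *out_len) {
    uint32_t consumed = 0;
    uint32_t pad = 0;
    if (flags & H2_FLAG_PADDED) {
        if (payload_len < 1u) return false;   /* Pad Length octet itself is missing */
        pad = payload[0];
        consumed = 1u;
    }
    if (flags & H2_FLAG_PRIORITY) consumed += 5u;
    if (consumed > payload_len) return false; /* fixed fields do not fit in the payload */
    /* RFC 7540 section 6.1: padding >= remaining payload is a connection error */
    if (pad >= payload_len - consumed && !(pad == 0 && payload_len == consumed))
        return false;
    *out_len = payload_len - consumed - pad;
    return true;
}
```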
Mozilla developer Gerald Squelart fixed an integer underflow in the
libstagefright library initially reported by Joshua Drake to Google. The
issue occurred in MP4 format video files while parsing cover metadata,
leading to a buffer overflow. This results in a potentially exploitable
crash and can be triggered by a malformed MP4 file served by web content.
Mozilla developer Kris Maglione reported a mechanism where WebExtension
APIs could be used to escalate privilege. This could allow arbitrary web
content to execute code with the privileges of a particular WebExtension
when using these API calls. Depending on the privileges of the extension
used, this could result in personal information theft and cross-site
scripting (XSS) attacks, including theft of browser cookies. This is
mitigated by the requirement to have a WebExtension installed that is
vulnerable to this issue.
www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox43