
Bug 517876 (CVE-2014-1544)

Summary: <www-client/firefox{,-bin}-{24.7,31}, <mail-client/thunderbird{,-bin}-{24.7,31} <dev-libs/nss-3.16.2: multiple vulnerabilities (CVE-2014-{1544,1547,1548,1549,1550,1551,1552,1555,1556,1557,1558,1559,1560,1561})
Product: Gentoo Security
Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: cornicx, cyberbat83, mozilla
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.mozilla.org/security/known-vulnerabilities/firefox.html
Whiteboard: A2 [glsa cleanup]
Package list:
Runtime testing required: ---

Description Alex Xu (Hello71) 2014-07-23 13:13:21 UTC
it's that time of the month again
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-07-24 13:48:07 UTC
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-60 Toolbar dialog customization event spoofing
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

From the URL above:
2014-56 = CVE-2014-{1547,1548}
2014-57 = CVE-2014-1549
2014-58 = CVE-2014-1550
2014-59 = CVE-2014-1551
2014-60 = CVE-2014-1561
2014-61 = CVE-2014-1555
2014-62 = CVE-2014-1556
2014-63 = CVE-2014-1544
2014-64 = CVE-2014-1557
2014-65 = CVE-2014-{1558,1559,1560}
2014-66 = CVE-2014-1552
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-07-24 13:50:20 UTC
CVE-2014-1561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1561):
  Mozilla Firefox before 31.0 does not properly restrict use of drag-and-drop
  events to spoof customization events, which allows remote attackers to alter
  the placement of UI icons via crafted JavaScript code that is encountered
  during (1) page, (2) panel, or (3) toolbar customization.

CVE-2014-1560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1560):
  Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote
  attackers to cause a denial of service (X.509 certificate parsing outage)
  via a crafted certificate that does not use ASCII character encoding in a
  required context.

CVE-2014-1559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1559):
  Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote
  attackers to cause a denial of service (X.509 certificate parsing outage)
  via a crafted certificate that does not use UTF-8 character encoding in a
  required context, a different vulnerability than CVE-2014-1558.

CVE-2014-1558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1558):
  Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote
  attackers to cause a denial of service (X.509 certificate parsing outage)
  via a crafted certificate that does not use UTF-8 character encoding in a
  required context, a different vulnerability than CVE-2014-1559.

CVE-2014-1557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1557):
  The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before
  31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not
  properly handle the discarding of image data during function execution,
  which allows remote attackers to execute arbitrary code by triggering
  prolonged image scaling, as demonstrated by scaling of a high-quality image.

CVE-2014-1556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1556):
  Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird
  before 24.7 allow remote attackers to execute arbitrary code via crafted
  WebGL content constructed with the Cesium JavaScript library.

CVE-2014-1555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1555):
  Use-after-free vulnerability in the nsDocLoader::OnProgress function in
  Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird
  before 24.7 allows remote attackers to execute arbitrary code via vectors
  that trigger a FireOnStateChange event.

CVE-2014-1552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1552):
  Mozilla Firefox before 31.0 and Thunderbird before 31.0 do not properly
  implement the sandbox attribute of the IFRAME element, which allows remote
  attackers to bypass intended restrictions on same-origin content via a
  crafted web site in conjunction with a redirect.

CVE-2014-1551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1551):
  Use-after-free vulnerability in the FontTableRec destructor in Mozilla
  Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before
  24.7 on Windows allows remote attackers to execute arbitrary code via
  crafted use of fonts in MathML content, leading to improper handling of a
  DirectWrite font-face object.

CVE-2014-1550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1550):
  Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox
  before 31.0 and Thunderbird before 31.0 allows remote attackers to execute
  arbitrary code or cause a denial of service (heap memory corruption) by
  leveraging incorrect Web Audio control-message ordering.

CVE-2014-1549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1549):
  The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function
  in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly
  allocate Web Audio buffer memory, which allows remote attackers to execute
  arbitrary code or cause a denial of service (buffer overflow and application
  crash) via crafted audio content that is improperly handled during playback
  buffering.

CVE-2014-1548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1548):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to
  cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.

CVE-2014-1547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1547):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before
  24.7 allow remote attackers to cause a denial of service (memory corruption
  and application crash) or possibly execute arbitrary code via unknown
  vectors.

CVE-2014-1544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1544):
  Use-after-free vulnerability in the CERT_DestroyCertificate function in
  libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in
  Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before
  24.7, allows remote attackers to execute arbitrary code via vectors that
  trigger certain improper removal of an NSSCertificate structure from a trust
  domain.
Comment 3 Alex Xu (Hello71) 2014-07-24 22:33:00 UTC
*** Bug 518040 has been marked as a duplicate of this bug. ***
Comment 4 Ian Stakenvicius gentoo-dev 2014-08-01 17:02:43 UTC
All ebuilds in the tree per subject above.  Arches, please stabilize as follows:

>=dev-libs/nss-3.16.2
Target KEYWORDS="amd64 hppa ppc ppc64 x86"

(note, full stablereq KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" but only the Target KEYWORDS are necessary for dependency resolution listed below)

=mail-client/thunderbird-24.7.0
Target KEYWORDS="amd64 ppc ppc64 x86"

=www-client/firefox-24.7.0
Target KEYWORDS="amd64 hppa ppc ppc64 x86"

=www-client/firefox-bin-24.7.0
Target KEYWORDS="amd64 x86"

=mail-client/thunderbird-bin-24.7.0
Target KEYWORDS="amd64 x86"
Comment 5 Ian Stakenvicius gentoo-dev 2014-08-01 17:42:15 UTC
Arches, please stabilize =dev-libs/nspr-4.10.6-r1 as well, as it is a dep of >=nss-3.16.2.  it's ready.
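The bug summary encodes the affected ranges as brace-expanded "<cat/pkg-VER" atoms, with the two bounds {24.7,31} standing for the ESR and mainline release lines that MFSA 2014-56 names (rv:24.7 / rv:31.0). Below is an added example, not code from this bug, from Gentoo or from Portage, that expands those atoms and checks a constructed list of installed packages against them. The INSTALLED text is a made-up sample in the shape of `qlist -Iv` output; the version ordering is a simplified form of the PMS rules (the leading-zero string-comparison rule is omitted), and the reading of the lower bound as covering only its own major series is an assumption about the summary's convention. On a real Gentoo box you would feed it actual `qlist -Iv` output, or use `portage.versions.vercmp` for the comparison.

```python
"""Flag installed packages that fall inside this bug's vulnerable ranges.
Added example; not Gentoo's, Portage's or the reporter's own code."""
import itertools
import re

# Ranges copied from the bug summary. "<cat/pkg-VER" = every version below VER.
SUMMARY_ATOMS = [
    "<www-client/firefox{,-bin}-{24.7,31}",
    "<mail-client/thunderbird{,-bin}-{24.7,31}",
    "<dev-libs/nss-3.16.2",
]

# Constructed sample in the shape of `qlist -Iv` output (hypothetical system).
INSTALLED = """\
www-client/firefox-24.6.0
www-client/firefox-bin-31.0
mail-client/thunderbird-24.7.0
dev-libs/nss-3.16.1-r1
dev-libs/nspr-4.10.6-r1
"""

_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 5}  # none == 4
_VER_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)


def brace_expand(s):
    """Expand one level of shell-style {a,b} alternatives, recursively."""
    m = re.search(r"\{([^{}]*)\}", s)
    if not m:
        return [s]
    out = []
    for alt in m.group(1).split(","):
        out.extend(brace_expand(s[: m.start()] + alt + s[m.end():]))
    return out


def version_key(ver):
    """Sort key approximating PMS version ordering (numeric parts, letter,
    _alpha/_beta/_pre/_rc/_p suffixes, -rN revision)."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    nums, letter, suffixes, rev = m.groups()
    num_key = tuple(int(n) for n in nums.split("."))
    suf_key = tuple(
        (_SUFFIX_RANK[s.rstrip("0123456789")], int(s[len(s.rstrip("0123456789")):] or 0))
        for s in suffixes.split("_")[1:]
    ) or ((4, 0),)  # a version with no suffix sorts between _rc and _p
    return (num_key, letter, suf_key, int(rev or 0))


def parse_atom(atom):
    """Split '<cat/pkg-VER' (or a bare 'cat/pkg-VER') into (op, cat/pkg, VER).
    The version starts at the first '-' that is followed by a digit."""
    m = re.match(r"^([<>=]*)(.+?)-(\d.*)$", atom)
    if not m:
        raise ValueError(f"cannot parse atom: {atom}")
    return m.groups()


def fix_versions(summary_atoms=SUMMARY_ATOMS):
    """Map cat/pkg -> list of 'fixed from' versions taken from '<' atoms."""
    fixes = {}
    for atom in itertools.chain.from_iterable(brace_expand(a) for a in summary_atoms):
        op, pkg, ver = parse_atom(atom)
        if op != "<":
            raise ValueError(f"only '<' upper bounds are used in this summary: {atom}")
        fixes.setdefault(pkg, []).append(ver)
    return fixes


def is_fixed(installed_ver, fixes):
    """True when installed_ver is at or above a fix version of its own line.
    Assumption: a lower bound (the 24.7 ESR line) only covers its own major
    series, so 25 <= v < 31 is still vulnerable; the highest bound covers all."""
    iv = version_key(installed_ver)
    keys = sorted(version_key(f) for f in fixes)
    for i, fk in enumerate(keys):
        if iv < fk:
            continue
        if i == len(keys) - 1 or iv[0][0] == fk[0][0]:
            return True
    return False


def vulnerable_packages(installed_text, summary_atoms=SUMMARY_ATOMS):
    """Return [(cat/pkg, version)] for installed packages still in range."""
    fixes = fix_versions(summary_atoms)
    found = []
    for line in installed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        _, pkg, ver = parse_atom(line)
        if pkg in fixes and not is_fixed(ver, fixes[pkg]):
            found.append((pkg, ver))
    return found


if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(INSTALLED):
        print(f"VULNERABLE {pkg}-{ver}")
```

With the constructed sample, firefox-24.6.0 and nss-3.16.1-r1 are reported; firefox-bin-31.0 and thunderbird-24.7.0 sit on fixed versions, and nspr is not in the summary at all (Comment 5 requests its stabilization only as a dependency of nss-3.16.2).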
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-08-01 18:45:21 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-08-04 19:22:24 UTC
x86 stable
Comment 8 Jeroen Roovers gentoo-dev 2014-08-08 10:20:38 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2014-08-09 09:32:12 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-08-10 18:37:48 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-17 06:03:32 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

Added to existing GLSA Request
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-28 19:01:29 UTC
Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin} under the latest bug 531408 which is undergoing stabilization with each bug either needing cleanup or some stabilization.

dev-libs/nss - Cleanup as part of bug 531628
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:18:39 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).