Bug 522020 (CVE-2014-1553) - <www-client/firefox{,-bin}-24.8.0,<mail-client/thunderbird{,-bin}-24.8.0: Multiple vulnerabilities (MFSA 2014-{67,68,69,70,72}) (CVE-2014-{1553,1554,1562,1563,1564,1565,1567})
Summary: <www-client/firefox{,-bin}-24.8.0,<mail-client/thunderbird{,-bin}-24.8.0: Mul...
Status: RESOLVED FIXED
Alias: CVE-2014-1553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.mozilla.org/security/anno...
Whiteboard: A2 [glsa glsa]
Keywords:
Duplicates: 521924
Depends on: CVE-2015-0819
Blocks:
Reported: 2014-09-03 07:29 UTC by Kristian Fiskerstrand
Modified: 2015-04-07 10:18 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand gentoo-dev Security 2014-09-03 07:29:46 UTC
From ${URL}:
Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.
References

Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31.

    Memory safety bugs fixed in Firefox ESR 24.8, Firefox ESR 31.1 and Firefox 32. (CVE-2014-1562)

Christian Holler, Jan de Mooij, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, and JW Wang reported memory safety problems and crashes that affect Firefox ESR 31 and Firefox 31.

    Memory safety bugs fixed in Firefox ESR 31.1 and Firefox 32. (CVE-2014-1553)

Gary Kwong, Christian Holler, and David Weir reported memory safety problems and crashes that affect Firefox 31.

    Memory safety bugs fixed in Firefox 32. (CVE-2014-1554)
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2014-09-03 07:52:19 UTC
Advisory 2014-68: Heap-use-after-free in mozilla::DOMSVGLength::GetTearOff (CVE-2014-1563): 
https://www.mozilla.org/security/announce/2014/mfsa2014-68.html
Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection. This was found in interactions with the SVG content through the document object model (DOM) with animating SVG content. This leads to a potentially exploitable crash.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

#########################################
Advisory 2014-69: Apparent info leak caused by uninitialized memory with malformed GIFs (CVE-2014-1564)
https://www.mozilla.org/security/announce/2014/mfsa2014-69.html

Google security researcher Michal Zalewski discovered that when a malformed GIF image is rendered in certain circumstances, memory is not properly initialized before use. The resulting image then uses this memory during rendering. This could allow for a script in web content to access this uninitialized memory using the <canvas> feature.

Fixed in: Firefox 32
  Firefox ESR 31.1
  Thunderbird 31.1

#########################################
Advisory 2014-70: Out-of-bounds Read in mozilla::dom::AudioEventTimeline (CVE-2014-1565)
https://www.mozilla.org/security/announce/2014/mfsa2014-70.html
Security researcher Holger Fuhrmannek discovered an out-of-bounds read during the creation of an audio timeline in Web Audio. This results in a crash and could allow for the reading of random memory values.

In general this flaw cannot be exploited through email in the Thunderbird product because web audio is disabled, but is potentially a risk in browser or browser-like contexts.

Fixed in: Firefox 32
  Firefox ESR 31.1
  Thunderbird 31.1

#########################################
Advisory 2014-71 only applies to Firefox for Android; reference included here due to the gap in iteration.

#########################################
Advisory 2014-72: Use-after-free setting text directionality ()
Mozilla Firefox DirectionalityUtils Use-After-Free Remote Code Execution Vulnerability (CVE-2014-1567)
https://www.mozilla.org/security/announce/2014/mfsa2014-72.html

Fixed in: Firefox 32
  Firefox ESR 24.8
  Firefox ESR 31.1
  Thunderbird 31.1
  Thunderbird 24.8
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 16:55:13 UTC
CVE-2014-1567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1567):
  Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox
  before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and
  Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to
  execute arbitrary code via text that is improperly handled during the
  interaction between directionality resolution and layout.

CVE-2014-1566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1566):
  Mozilla Firefox before 31.1 on Android does not properly restrict copying of
  local files onto the SD card during processing of file: URLs, which allows
  attackers to obtain sensitive information from the Firefox profile directory
  via a crafted application.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2014-1515.

CVE-2014-1565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1565):
  The mozilla::dom::AudioEventTimeline function in the Web Audio API
  implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1,
  and Thunderbird 31.x before 31.1 does not properly create audio timelines,
  which allows remote attackers to obtain sensitive information from process
  memory or cause a denial of service (out-of-bounds read) via crafted API
  calls.

CVE-2014-1564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1564):
  Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird
  31.x before 31.1 do not properly initialize memory for GIF rendering, which
  allows remote attackers to obtain sensitive information from process memory
  via crafted web script that interacts with a CANVAS element associated with
  a malformed GIF image.

CVE-2014-1563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1563):
  Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff
  function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and
  Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary
  code or cause a denial of service (heap memory corruption) via an SVG
  animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1562):
  Unspecified vulnerability in the browser engine in Mozilla Firefox before
  32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird
  24.x before 24.8 and 31.x before 31.1 allows remote attackers to cause a
  denial of service (memory corruption and application crash) or possibly
  execute arbitrary code via unknown vectors.

CVE-2014-1554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1554):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 32.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

CVE-2014-1553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1553):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x
  before 31.1 allow remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code via
  unknown vectors.
Comment 3 Ian Stakenvicius gentoo-dev 2014-09-03 22:26:01 UTC
Ebuilds for thunderbird{,-bin} and firefox{,-bin} are in the tree now.  Will provide stabilization map tomorrow -- 24.8 is good to go for both, but I need to discuss with mozilla@ if 31.1 should go stable or not, yet.
Comment 4 Ian Stakenvicius gentoo-dev 2014-09-04 15:31:27 UTC
CC'ing arches, please stabilize each for the following keywords:

www-client/firefox-24.8.0 : amd64 hppa ppc ppc64 x86

www-client/firefox-bin-24.8.0 : amd64 x86

mail-client/thunderbird-24.8.0 : amd64 ppc ppc64 x86

mail-client/thunderbird-bin-24.8.0 : amd64 x86
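Added example (Python, not Gentoo's or Mozilla's tooling) that turns the version ranges quoted from NVD in Comment 2 and the package atoms listed in the summary and Comment 4 into a branch-aware affected-version check. The rule tables are transcribed from this bug; the atom parser handles numeric dotted versions with an optional Gentoo `-rN` revision only, and a version on a release line the advisory does not name is reported as not affected.

```python
import re

# Ranges transcribed from the NVD text quoted in Comment 2 for CVE-2014-1567:
# (branch prefix, first fixed version); None is the main release line.
# A matching branch rule wins, so ESR 24.8 is not flagged merely because 24.8 < 32.0.
FIREFOX_RULES = [("24", "24.8"), ("31", "31.1"), (None, "32.0")]
THUNDERBIRD_RULES = [("24", "24.8"), ("31", "31.1")]

# Gentoo atoms from the bug summary and Comment 4.
VULNERABLE_ATOMS = [
    "<www-client/firefox-24.8.0", "<www-client/firefox-bin-24.8.0",
    "<mail-client/thunderbird-24.8.0", "<mail-client/thunderbird-bin-24.8.0",
]

# "<cat/pkg-ver" or installed "cat/pkg-ver[-rN]" (numeric dotted versions only).
_ATOM = re.compile(r"^<?(?P<pkg>[^\s<>]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")

def parse_version(text):
    """'24.8.0' -> (24, 8): trailing zeros are dropped so 32 == 32.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version, rules):
    """Branch-aware 'before X' check, as the NVD descriptions are written."""
    v = parse_version(version)
    parsed = [(parse_version(b) if b else None, parse_version(f)) for b, f in rules]
    for branch, fixed in parsed:
        if branch is not None and v[:len(branch)] == branch:
            return v < fixed
    for branch, fixed in parsed:
        if branch is None:
            return v < fixed
    return False  # release line not named by the advisory

def parse_atom(atom):
    """Split an atom into (package, (version_tuple, revision))."""
    m = _ATOM.match(atom)
    if not m:
        raise ValueError(f"unparsable atom: {atom!r}")
    return m["pkg"], (parse_version(m["ver"]), int(m["rev"] or 0))

def atom_vulnerable(installed, constraints=VULNERABLE_ATOMS):
    """True if an installed 'cat/pkg-ver[-rN]' falls under a '<' constraint."""
    pkg, key = parse_atom(installed)
    return any(c_pkg == pkg and key < c_key
               for c_pkg, c_key in map(parse_atom, constraints))
```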
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-05 09:07:07 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-09-05 09:07:41 UTC
x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2014-09-05 09:52:23 UTC
*** Bug 521924 has been marked as a duplicate of this bug. ***
Comment 8 Jeroen Roovers gentoo-dev 2014-09-05 17:36:06 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-07 13:27:35 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-09-07 13:27:57 UTC
ppc64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2014-09-07 14:20:32 UTC
Arches, thank you for your work. 

Added to existing GLSA request.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-15 22:06:33 UTC
Setting A2 [glsa/cleanup] back to STABLE. Looks like arm was not called for the following packages. See Bug #505072 for reference. 

Arches please stable:

=mail-client/thunderbird-24.8.0
=www-client/firefox-24.8.0

Target Keywords : arm (only)
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-28 18:57:59 UTC
Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin} under the latest bug 531408, which is undergoing stabilization, with each bug either needing cleanup or some stabilization.

dev-libs/nss - Cleanup as part of bug 531628
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-06 05:40:07 UTC
Added to an existing GLSA Request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:18:46 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).