From ${URL}: Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.

References

Jan de Mooij reported a memory safety problem that affects Firefox ESR 24.7, ESR 31 and Firefox 31. Memory safety bugs fixed in Firefox ESR 24.8, Firefox ESR 31.1 and Firefox 32. (CVE-2014-1562)

Christian Holler, Jan de Mooij, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman, and JW Wang reported memory safety problems and crashes that affect Firefox ESR 31 and Firefox 31. Memory safety bugs fixed in Firefox ESR 31.1 and Firefox 32. (CVE-2014-1553)

Gary Kwong, Christian Holler, and David Weir reported memory safety problems and crashes that affect Firefox 31. Memory safety bugs fixed in Firefox 32. (CVE-2014-1554)
Advisory 2014-68: Heap-use-after-free in mozilla::DOMSVGLength::GetTearOff (CVE-2014-1563)
https://www.mozilla.org/security/announce/2014/mfsa2014-68.html

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection. This was found in interactions with the SVG content through the document object model (DOM) with animating SVG content. This leads to a potentially exploitable crash. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

#########################################

Advisory 2014-69: Apparent info leak caused by uninitialized memory with malformed GIFs (CVE-2014-1564)
https://www.mozilla.org/security/announce/2014/mfsa2014-69.html

Google security researcher Michal Zalewski discovered that when a malformed GIF image is rendered in certain circumstances, memory is not properly initialized before use. The resulting image then uses this memory during rendering. This could allow a script in web content to access this uninitialized memory using the <canvas> feature.

Fixed in:
Firefox 32
Firefox ESR 31.1
Thunderbird 31.1

#########################################

Advisory 2014-70: Out-of-bounds Read in mozilla::dom::AudioEventTimeline (CVE-2014-1565)
https://www.mozilla.org/security/announce/2014/mfsa2014-70.html

Security researcher Holger Fuhrmannek discovered an out-of-bounds read during the creation of an audio timeline in Web Audio. This results in a crash and could allow for the reading of random memory values. In general this flaw cannot be exploited through email in the Thunderbird product because Web Audio is disabled, but is potentially a risk in browser or browser-like contexts.
Fixed in:
Firefox 32
Firefox ESR 31.1
Thunderbird 31.1

#########################################

Advisory 2014-71 only applies to Firefox for Android; reference included here due to the gap in numbering.

#########################################

Advisory 2014-72: Use-after-free setting text directionality
Mozilla Firefox DirectionalityUtils Use-After-Free Remote Code Execution Vulnerability (CVE-2014-1567)
https://www.mozilla.org/security/announce/2014/mfsa2014-72.html

Fixed in:
Firefox 32
Firefox ESR 24.8
Firefox ESR 31.1
Thunderbird 31.1
Thunderbird 24.8
CVE-2014-1567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1567): Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to execute arbitrary code via text that is improperly handled during the interaction between directionality resolution and layout.

CVE-2014-1566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1566): Mozilla Firefox before 31.1 on Android does not properly restrict copying of local files onto the SD card during processing of file: URLs, which allows attackers to obtain sensitive information from the Firefox profile directory via a crafted application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1515.

CVE-2014-1565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1565): The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls.

CVE-2014-1564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1564): Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.

CVE-2014-1563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1563): Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.

CVE-2014-1562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1562): Unspecified vulnerability in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1554): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1553): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
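The NVD entries above give per-CVE version ranges that mix a generic "before 32.0" clause with ESR-branch clauses ("ESR 31.x before 31.1"). The following is an added example, not part of this bug or of Gentoo's or Mozilla's tooling, that transcribes those ranges into a table and answers "is this installed version affected by which of these CVEs?" for the package atoms used in this bug (firefox, firefox-bin, thunderbird, thunderbird-bin). The version strings fed to it are constructed for illustration; the ESR-first rule in is_affected is this example's interpretation of the NVD wording, not something NVD states.

```python
"""Added example: map installed Firefox/Thunderbird versions onto the NVD
affected ranges quoted in this bug. Not Gentoo or Mozilla code."""

from typing import Dict, List, Optional, Tuple

# Per CVE and product: (ESR branch major or None, first fixed version).
# None means the unrestricted "before X" clause ("Firefox before 32.0");
# an int means a branch clause ("Firefox ESR 24.x before 24.8").
# Transcribed from the NVD descriptions quoted above.
RANGES: Dict[str, Dict[str, List[Tuple[Optional[int], str]]]] = {
    "CVE-2014-1553": {"firefox": [(None, "32.0"), (31, "31.1")],
                      "thunderbird": [(31, "31.1")]},
    "CVE-2014-1554": {"firefox": [(None, "32.0")]},
    "CVE-2014-1562": {"firefox": [(None, "32.0"), (24, "24.8"), (31, "31.1")],
                      "thunderbird": [(24, "24.8"), (31, "31.1")]},
    "CVE-2014-1563": {"firefox": [(None, "32.0"), (31, "31.1")],
                      "thunderbird": [(31, "31.1")]},
    "CVE-2014-1564": {"firefox": [(None, "32.0"), (31, "31.1")],
                      "thunderbird": [(31, "31.1")]},
    "CVE-2014-1565": {"firefox": [(None, "32.0"), (31, "31.1")],
                      "thunderbird": [(31, "31.1")]},
    "CVE-2014-1567": {"firefox": [(None, "32.0"), (24, "24.8"), (31, "31.1")],
                      "thunderbird": [(24, "24.8"), (31, "31.1")]},
}


def canonical_product(atom: str) -> str:
    """'www-client/firefox-bin' -> 'firefox'. The -bin packages are upstream
    builds of the same upstream version, so they share the ranges."""
    name = atom.rsplit("/", 1)[-1]
    return name[:-4] if name.endswith("-bin") else name


def parse_version(v: str) -> Tuple[int, ...]:
    """'31.1.0-r1' -> (31, 1, 0). A Gentoo revision suffix (-rN) does not
    change the upstream version, so it is dropped before comparing."""
    base = v.split("-", 1)[0]
    return tuple(int(p) for p in base.split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Numeric comparison with zero padding, so (31, 1) == (31, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(atom: str, version: str, cve: str) -> bool:
    """True if `version` of the package `atom` lies in an affected range.

    Interpretation (this example's, not NVD's): when the CVE has a clause for
    the ESR branch the version is on, that clause decides; only otherwise does
    the unrestricted 'before X' clause apply. Without this, the literal
    'Firefox before 32.0' would flag the fixed ESR 31.1 as affected."""
    v = parse_version(version)
    ranges = RANGES.get(cve, {}).get(canonical_product(atom), [])
    for branch, fixed in ranges:
        if branch is not None and v[0] == branch:
            return version_lt(v, parse_version(fixed))
    for branch, fixed in ranges:
        if branch is None:
            return version_lt(v, parse_version(fixed))
    return False


def affected_cves(atom: str, version: str) -> List[str]:
    """All CVEs in the table whose range covers this package version."""
    return sorted(c for c in RANGES if is_affected(atom, version, c))


if __name__ == "__main__":
    # Constructed inputs mirroring the versions this bug stabilizes.
    for atom, ver in [("www-client/firefox", "24.7.0"),
                      ("www-client/firefox-bin", "24.8.0"),
                      ("mail-client/thunderbird", "31.0"),
                      ("mail-client/thunderbird-bin", "31.1.0-r1")]:
        print(atom, ver, affected_cves(atom, ver) or "not affected")
```

One caveat the output makes visible: CVE-2014-1554 has no ESR clause at all (MFSA 2014-67 says those bugs affect Firefox 31 and are fixed in Firefox 32), so a literal reading of "Firefox before 32.0" still flags an ESR 31.1 install for that one CVE. Treat a hit from a range check like this as a prompt to read the MFSA text, not as the final word.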
Ebuilds for thunderbird{,-bin} and firefox{,-bin} are in the tree now. Will provide stabilization map tomorrow -- 24.8 is good to go for both, but I need to discuss with mozilla@ if 31.1 should go stable or not, yet.
CC'ing arches, please stabilize each for the following keywords:
www-client/firefox-24.8.0 : amd64 hppa ppc ppc64 x86
www-client/firefox-bin-24.8.0 : amd64 x86
mail-client/thunderbird-24.8.0 : amd64 ppc ppc64 x86
mail-client/thunderbird-bin-24.8.0 : amd64 x86
amd64 stable
x86 stable
*** Bug 521924 has been marked as a duplicate of this bug. ***
Stable for HPPA.
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work. Added to existing GLSA request.
Setting A2 [glsa/cleanup] back to STABLE. Looks like arm was not called for the following packages. See Bug #505072 for reference.

Arches please stable:
=mail-client/thunderbird-24.8.0
=www-client/firefox-24.8.0
Target Keywords : arm (only)
Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin} under the latest bug 531408, which is undergoing stabilization with each bug either needing cleanup or some stabilization.
dev-libs/nss - Cleanup as part of bug 531628
Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01 by GLSA coordinator Kristian Fiskerstrand (K_F).