Arch Linux Security Advisory ASA-201501-6
==========================================
Severity: Critical
Date    : 2015-01-14
CVE-ID  : CVE-2014-8634 CVE-2014-8635 CVE-2014-8636 CVE-2014-8637
          CVE-2014-8638 CVE-2014-8639 CVE-2014-8640 CVE-2014-8641 CVE-2014-8642
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package firefox before version 35.0-1 is vulnerable to multiple
issues, including but not limited to remote code execution.

Resolution
==========
Upgrade to 35.0-1.

# pacman -Syu "firefox>=35.0-1"

The problem has been fixed upstream in version 35.0.

Workaround
==========
None.

Description
===========
- CVE-2014-8634 (arbitrary remote code execution)

Christian Holler and Patrick McManus reported memory safety problems and
crashes that affect Firefox ESR 31.3 and Firefox 34.

- CVE-2014-8635 (arbitrary remote code execution)

Christoph Diehl, Christian Holler, Gary Kwong, Jesse Ruderman, Byron
Campen, Terrence Cole, and Nils Ohlmeier reported memory safety problems
and crashes that affect Firefox 34.

- CVE-2014-8636 (arbitrary javascript code execution, privilege escalation)

Mozilla developer Bobby Holley reported that Document Object Model (DOM)
objects with some specific properties can bypass XrayWrappers. This can
allow web content to confuse privileged code, potentially enabling
privilege escalation.

- CVE-2014-8637 (information leakage)

Google security researcher Michal Zalewski reported that when a
malformed bitmap image is rendered by the bitmap decoder within a
<canvas> element, memory may not always be properly initialized. The
resulting image then uses this uninitialized memory during rendering,
allowing data to potentially leak to web content.

- CVE-2014-8638 (XSRF)

Security researcher Muneaki Nishimura reported that
navigator.sendBeacon() does not follow the cross-origin resource sharing
(CORS) specification. This results in the request from sendBeacon()
lacking an origin header in violation of the W3C Beacon specification
and not being treated as a CORS request. This allows for a potential
Cross-site request forgery (XSRF) attack from malicious websites.
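A server-side counterpart to this issue, added here as an example and not code from Mozilla or Arch: a guard for an endpoint that receives navigator.sendBeacon() posts, which never treats a request lacking an Origin header as same-origin and acts on the caller's session only for an allowlisted origin or a valid per-session anti-CSRF token. The endpoint, allowlist, request shape and token header name are assumptions.

```javascript
// Added example, not Firefox or Arch code. Hypothetical beacon endpoint guard.
// Constructed allowlist of origins permitted to post beacons cross-site.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Constant-time string comparison so the token check does not leak length
// or prefix information through timing.
function tokenMatches(presented, expected) {
  if (typeof presented !== 'string' || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers: { <lowercase-name>: value }, session: { csrfToken } | null }
// Returns the status to send, the CORS headers to emit and whether the
// handler may act on the caller's cookie-bound session.
function guardBeacon(req) {
  if (req.method !== 'POST') return { status: 405, headers: {}, useSession: false };
  const origin = req.headers['origin'];
  const credentialed = req.session != null; // null/undefined: no session cookie

  if (origin !== undefined) {
    // A proper CORS request: admit only allowlisted origins and echo exactly
    // that origin back (never "*" on a credentialed endpoint).
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, useSession: false };
    return {
      status: 204,
      headers: { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' },
      useSession: credentialed,
    };
  }

  // No Origin header. A conforming browser sends one on cross-site POSTs, so
  // its absence (the CVE-2014-8638 case, or a non-browser client) is not
  // evidence of same-origin intent. Act on the session only when the request
  // also carries a valid anti-CSRF token; otherwise record the beacon as
  // anonymous and ignore the cookies it arrived with.
  if (credentialed && tokenMatches(req.headers['x-csrf-token'], req.session.csrfToken)) {
    return { status: 204, headers: {}, useSession: true };
  }
  return { status: 204, headers: {}, useSession: false };
}
```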

- CVE-2014-8639 (cookie injection)

Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua
University reported that a Web Proxy returning a 407 Proxy
Authentication response with a Set-Cookie header could inject cookies
into the originally requested domain. This could be used for
session-fixation attacks. This attack only allows cookies to be written
but does not allow them to be read.
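The client-side rule that closes this hole, as an added example and not Firefox's cookie code: a minimal cookie jar that ignores Set-Cookie on a 407 proxy challenge (the proxy, not the origin server, produced that response) and stores other cookies only when their Domain attribute covers the host the request was for. The response and jar shapes are constructed for the example; a real jar also handles Path, Expires and the Secure flag.

```javascript
// Added example, not Firefox code. Hypothetical cookie-jar policy.

// Parse one Set-Cookie header line into { name, value, domain }.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    if (k.toLowerCase() === 'domain') cookie.domain = v.toLowerCase().replace(/^\./, '');
  }
  return cookie;
}

// response: { status, requestHost, headers: { 'set-cookie': [lines] } }
// jar: Map keyed "domain|name" -> value. Returns the names actually stored.
function storeCookies(response, jar) {
  const stored = [];
  // A 407 is the proxy speaking, not the origin server: nothing in it may
  // write cookies against the requested host (the CVE-2014-8639 fix rule).
  if (response.status === 407) return stored;
  const host = response.requestHost.toLowerCase();
  for (const line of response.headers['set-cookie'] || []) {
    const c = parseSetCookie(line);
    if (!c) continue;
    // Domain attribute must cover the requested host; otherwise drop it.
    if (c.domain && host !== c.domain && !host.endsWith('.' + c.domain)) continue;
    jar.set(`${c.domain || host}|${c.name}`, c.value);
    stored.push(c.name);
  }
  return stored;
}
```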

- CVE-2014-8640 (denial of service)

Security researcher Holger Fuhrmannek used the Address Sanitizer tool
to discover a crash in Web Audio while manipulating timelines. This
allowed a small block of memory with an uninitialized pointer to be
read. The crash is not exploitable.

- CVE-2014-8641 (remote code execution)

Security researcher Mitchell Harper discovered a read-after-free in
WebRTC due to the way tracks are handled. This results in either a
potentially exploitable crash or incorrect WebRTC behavior.

- CVE-2014-8642 (OCSP bypass)

Brian Smith reported that delegated Online Certificate Status Protocol
(OCSP) responder certificates fail to recognize the id-pkix-ocsp-nocheck
extension. If this extension is present in a delegated OCSP response
signing certificate, any OCSP response signed by that certificate is
discarded. This could result in a user connecting to a site with a
revoked certificate.

Impact
======
An attacker controlling a malicious website or in position of
man-in-the-middle may be able to access sensitive information, exploit
existing sessions, crash the browser, or remotely execute arbitrary code.

References
==========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8634
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8635
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8636
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8637
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8639
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8640
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8641
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8642
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
