CERT RENATER Advisories

By default, this page shows the most recent messages sent by CERT RENATER to the community. You can filter by year or by message type. If no criterion is given, only the most recent messages are shown.
Date: Wed, 15 Oct 2014 20:17:48 +0200
Type: VULN
Subject: CERT-Renater : 2014/VULN226 (Mozilla : Multiple vulnerabilities fixed in Firefox, Thunderbird)
====================================================================
                           CERT-Renater

               Information Note No. 2014/VULN226
_____________________________________________________________________

DATE                : 15/10/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Firefox versions prior to 33,
                     Firefox ESR versions prior to 31.2,
                     Thunderbird versions prior to 31.2.

======================================================================
https://www.mozilla.org/security/announce/2014/mfsa2014-74.html
https://www.mozilla.org/security/announce/2014/mfsa2014-75.html
https://www.mozilla.org/security/announce/2014/mfsa2014-76.html
https://www.mozilla.org/security/announce/2014/mfsa2014-77.html
https://www.mozilla.org/security/announce/2014/mfsa2014-78.html
https://www.mozilla.org/security/announce/2014/mfsa2014-79.html
https://www.mozilla.org/security/announce/2014/mfsa2014-80.html
https://www.mozilla.org/security/announce/2014/mfsa2014-81.html
https://www.mozilla.org/security/announce/2014/mfsa2014-82.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2014-74

Title:     Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
Impact:    Critical
Announced: October 14, 2014
Reporter:  Mozilla Developers
Products:  Firefox, Thunderbird

Fixed in:  Firefox 33
           Firefox ESR 31.2
           Thunderbird 31.2

Description

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially
a risk in browser or browser-like contexts.


References

Bobby Holley, Christian Holler, David Bolter, Byron Campen, and Jon
Coppeard reported memory safety problems and crashes that affect
Firefox ESR 31.1 and Firefox 32.

    Memory safety bugs fixed in Firefox ESR 31.2 and Firefox 33
    (CVE-2014-1574)

Carsten Book, Christian Holler, Martijn Wargers, Shih-Chiang Chien,
Terrence Cole, Eric Rahm, and Jeff Walden reported memory safety
problems and crashes that affect Firefox 32.

    Memory safety bugs fixed in Firefox 33. (CVE-2014-1575)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-75

Title:     Buffer overflow during CSS manipulation
Impact:    High
Announced: October 14, 2014
Reporter:  Atte Kettunen
Products:  Firefox, Thunderbird

Fixed in:  Firefox 33
           Firefox ESR 31.2
           Thunderbird 31.2

Description

Using the Address Sanitizer tool, security researcher Atte Kettunen
from OUSPG discovered a buffer overflow when making capitalization
style changes during CSS parsing. This can cause a crash that is
potentially exploitable.


References

    Heap-buffer-overflow in nsTransformedTextRun (CVE-2014-1576)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-76

Title:     Web Audio memory corruption issues with custom waveforms
Impact:    High
Announced: October 14, 2014
Reporter:  Holger Fuhrmannek
Products:  Firefox, Thunderbird

Fixed in:  Firefox 33
           Firefox ESR 31.2
           Thunderbird 31.2


Description

Security researcher Holger Fuhrmannek used the Address Sanitizer tool
to discover an out-of-bounds read issue with Web Audio when interacting
with custom waveforms with invalid values. This results in a crash and
could allow for the reading of random memory which may contain
sensitive data, or of memory addresses that could be used in
combination with another bug.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.


References

    Out-of-Bounds Read in
    mozilla::dom::OscillatorNodeEngine::ComputeCustom with negative
    frequency (CVE-2014-1577)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-77

Title:     Out-of-bounds write with WebM video
Impact:    Critical
Announced: October 14, 2014
Reporter:  Abhishek Arya
Products:  Firefox, Thunderbird

Fixed in:  Firefox 33
           Firefox ESR 31.2
           Thunderbird 31.2


Description

Using the Address Sanitizer tool, security researcher Abhishek Arya
(Inferno) of the Google Chrome Security Team found an out-of-bounds
write when buffering WebM format video containing frames with invalid
tile sizes. This can lead to a potentially exploitable crash during
WebM video playback.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.


References

    OOB write in get_tile (CVE-2014-1578)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-78

Title:     Further uninitialized memory use during GIF rendering
Impact:    High
Announced: October 14, 2014
Reporter:  Michal Zalewski
Products:  Firefox

Fixed in:  Firefox 33


Description

Google security researcher Michal Zalewski reported that when a
malformed GIF image is repeatedly rendered within a <canvas> element,
memory may not always be properly initialized. The resulting series of
images then uses this uninitialized memory during rendering, allowing
data to potentially leak to web content.


References

    Apparent use of uninitialized memory when rendering truncated GIFs
    to <canvas> (CVE-2014-1580)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-79

Title:     Use-after-free interacting with text directionality
Impact:    Critical
Announced: October 14, 2014
Reporter:  regenrecht
Products:  Firefox, Thunderbird

Fixed in:  Firefox 33
           Firefox ESR 31.2
           Thunderbird 31.2

Description

Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free during text layout when interacting with
text direction. This results in a crash which can lead to arbitrary
code execution.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

References

    DirectionalityUtils Use-After-Free (CVE-2014-1581)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-80

Title:     Key pinning bypasses
Impact:    Moderate
Announced: October 14, 2014
Reporter:  Patrick McManus, David Keeler
Products:  Firefox

Fixed in:  Firefox 33


Description

Mozilla developer Patrick McManus reported a method to use SPDY or
HTTP/2 connection coalescing to bypass key pinning on different sites
that resolve to the same IP address. This could allow the use of a
fraudulent certificate when a saved pin for that subdomain should have
prevented the connection. This leads to possible man-in-the-middle
attacks if an attacker has control of the DNS connection and the
ability to obtain a fraudulent certificate that browsers would accept
in the absence of the pin.

Mozilla security engineer David Keeler discovered that when there are
specific problems verifying the issuer of an SSL certificate, the
checks necessary for key pinning would not be run. As a result, the
user is then presented with the "Untrusted Connection" error page,
which they can use to bypass the key pinning process on a site that
should be pinned. This error message is always shown to the user and
cannot be used to silently bypass key pinning on affected sites.

Key pinning was first introduced in Firefox 32 and currently only
covers a small number of built-in sites.
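The two pinning checks described above, as an added example that is not part of this advisory and not Firefox or NSS code: a simplified Python model in which the host names, IP addresses, pin set and certificate fields are constructed sample data. It places the pre-fix decision beside the corrected one for both issues, connection coalescing that never consults the coalesced host's pins (CVE-2014-1582) and a verification order that skips the pin check when issuer verification fails (CVE-2014-1584). Only the leaf key is pinned in the model; real pin sets usually name intermediate or root keys.

```python
"""Simplified model of the two key-pinning checks from MFSA 2014-80.

Added illustration, not Firefox or NSS code. Hosts, IP addresses, the pin
set and certificate fields are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


def spki_hash(spki: bytes) -> str:
    """Pin identifier: SHA-256 over the SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki).hexdigest()


# Constructed pin store: host -> set of acceptable SPKI hashes.
PINS = {"pinned.example": {spki_hash(b"constructed pinned.example key")}}


@dataclass
class Cert:
    subject_alt_names: set   # host names the certificate covers
    spki: bytes              # public key presented by the server
    issuer_ok: bool          # result of chain / issuer verification


@dataclass
class Connection:
    host: str                # host the connection was first opened for
    ip: str
    cert: Cert


def pin_check(host: str, cert: Cert) -> bool:
    """True if the host has no pin, or the presented key matches a pin."""
    pins = PINS.get(host)
    return pins is None or spki_hash(cert.spki) in pins


# CVE-2014-1582: SPDY/HTTP-2 connection coalescing.
def can_coalesce_vulnerable(conn: Connection, host: str, ip: str) -> bool:
    """Pre-fix logic: same IP plus a covering SAN entry is enough; the pins
    of the coalesced host are never consulted."""
    return conn.ip == ip and host in conn.cert.subject_alt_names


def can_coalesce_fixed(conn: Connection, host: str, ip: str) -> bool:
    """Corrected logic: the coalesced host must also pass its own pin check
    against the certificate already on the connection."""
    return (conn.ip == ip
            and host in conn.cert.subject_alt_names
            and pin_check(host, conn.cert))


# CVE-2014-1584: pin check skipped when issuer verification fails.
def verify_vulnerable(host: str, cert: Cert) -> str:
    """Pre-fix order: an issuer problem returns early with an error page the
    user can click through, so the pin is never evaluated."""
    if not cert.issuer_ok:
        return "overridable-error"
    return "ok" if pin_check(host, cert) else "pin-failure"


def verify_fixed(host: str, cert: Cert) -> str:
    """Corrected order: a pin mismatch is a hard, non-overridable failure
    whatever the outcome of issuer verification."""
    if not pin_check(host, cert):
        return "pin-failure"
    if not cert.issuer_ok:
        return "overridable-error"
    return "ok"


def demo() -> dict:
    """Run both scenarios on constructed data and return the decisions."""
    good_key = b"constructed pinned.example key"
    bad_key = b"constructed key behind a fraudulent certificate"
    # Scenario 1: an open connection to other.example whose certificate also
    # lists pinned.example but does not carry the pinned key.
    conn = Connection("other.example", "203.0.113.10",
                      Cert({"other.example", "pinned.example"}, bad_key, True))
    # Scenario 2: a direct connection to pinned.example presenting the wrong
    # key under an issuer that fails verification; plus the legitimate case.
    fraudulent = Cert({"pinned.example"}, bad_key, False)
    legitimate = Cert({"pinned.example"}, good_key, True)
    return {
        "coalesce_vulnerable": can_coalesce_vulnerable(conn, "pinned.example", "203.0.113.10"),
        "coalesce_fixed": can_coalesce_fixed(conn, "pinned.example", "203.0.113.10"),
        "verify_vulnerable": verify_vulnerable("pinned.example", fraudulent),
        "verify_fixed": verify_fixed("pinned.example", fraudulent),
        "legitimate_fixed": verify_fixed("pinned.example", legitimate),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The design point in both halves is the same: the pin check must run on the host actually being served, before any decision that the user or a connection-reuse heuristic can override. In the model, `can_coalesce_fixed` refuses to reuse the connection for the pinned host, and `verify_fixed` turns the click-through error page into a hard failure when the pin does not match.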


References

    Spdy/Http-2 Coalescing Key Pinning Bypass (CVE-2014-1582)
    Issuer verification failure (CVE-2014-1584)

______________________________________________________________________

Mozilla Foundation Security Advisory 2014-81

Title:     Inconsistent video sharing within iframe
Impact:    Moderate
Announced: October 14, 2014
Reporter:  Eric Shepherd, Jan-Ivar Bruaroey
Products:  Firefox, Thunderbird

Fixed in:  Firefox 33
           Firefox ESR 31.2
           Thunderbird 31.2


Description

Mozilla developers Eric Shepherd and Jan-Ivar Bruaroey reported issues
with privacy and video sharing using WebRTC. Once video sharing has
started within a WebRTC session running within an