
CERT RENATER advisories


Date: Fri, 25 Sep 2015 11:54:54 +0200
Type: VULN
Subject: CERT-Renater : 2015/VULN204 (Mozilla : Multiple vulnerabilities fixed in Mozilla Firefox)
===================================================================
                              CERT-Renater

                  Information Note No. 2015/VULN204
_____________________________________________________________________

DATE                : 25/09/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mozilla Firefox versions prior to
                     41, ESR 38.3.

======================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-97/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-98/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-99/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-100/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-102/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-103/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-104/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-107/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-108/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-109/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-113/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-114/
_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-96
Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

Announced    September 22, 2015
Reporter    Mozilla Developers
Impact    Critical
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3

Description

Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.


References

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight and Cameron McCormack reported memory safety
problems and crashes that affect Firefox ESR 38.2 and Firefox 40.

     Memory safety bugs fixed in Firefox ESR 38.3 and Firefox 41. 
(CVE-2015-4500)

Bob Clary and Randell Jesup reported crash and memory safety problems
that affect Firefox 40.

     Memory safety bugs fixed in Firefox 41. (CVE-2015-4501)


_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-97
Memory leak in mozTCPSocket to servers

Announced    September 22, 2015
Reporter    David Chan
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher David Chan reported that Mozilla's mozTCPSocket
implementation could leak data past the end of an array, allowing for
the potential exposure of memory or private data to malicious servers.

This feature is used by Firefox OS and is disabled by default in
Firefox on other operating systems.


References

     mozTCPSocket leaks client memory to server (CVE-2015-4503)


_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-98
Out of bounds read in QCMS library with ICC V4 profile attributes

Announced    September 22, 2015
Reporter    Felix Gröbert
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher Felix Gröbert of Google discovered an out of bounds
read in the QCMS color management library while manipulating an image
with specific attributes in its ICC V4 profile. This causes a crash and
could lead to information disclosure.


References

     stack buffer overread in lut_inverse_interp16 (CVE-2015-4504)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-99
Site attribute spoofing on Android by pasting URL with unknown scheme

Announced    September 22, 2015
Reporter    Jordi Chancel
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher Jordi Chancel reported that on Firefox for Android,
when a URL is pasted with an unknown protocol, such as secure: or
httpz:, the pasted URL is shown in the addressbar but no navigation
occurs. Other addressbar attributes present before this pasted URL is
entered will continue to be rendered. This could lead to potential
spoofing by a malicious site.

This issue only affects Firefox for Android and does not affect Firefox
on OS X, Linux, or Windows operating systems.


References

     Custom URI schemes in the location bar can lead to URL & SSL
spoofing (CVE-2015-4476)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-100
Arbitrary file manipulation by local user through Mozilla updater

Announced    September 22, 2015
Reporter    Holger Fuhrmannek
Impact    High
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

Security researcher Holger Fuhrmannek reported that when the Mozilla
updater is run, the updater can be manipulated to load the updated
files from a working directory under user control in concert with
junctions. When the updates are run by the Mozilla Maintenance Service
on Windows, these malicious files can be run with elevated privileges
and be used to replace arbitrary files on the system. This could allow
for arbitrary code execution by a malicious user with local system
access but does not allow for exploitation by web content.

This issue is specific to Windows and does not affect Linux or OS X
systems.


References

     Arbitrary file manipulation through updater.exe (CVE-2015-4505)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-101
Buffer overflow in libvpx while parsing vp9 format video

Announced    September 22, 2015
Reporter    Khalil Zhani
Impact    Moderate
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

Security researcher Khalil Zhani reported that a maliciously crafted
vp9 format video could be used to trigger a buffer overflow while
parsing the file. This leads to a potentially exploitable crash due to
a flaw in the libvpx library.


References

     vp9_init_context_buffers (CVE-2015-4506)


_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-102
Crash when using debugger with SavedStacks in JavaScript

Announced    September 22, 2015
Reporter    Spandan Veggalam
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher Spandan Veggalam reported a crash while using the
debugger API with SavedStacks in JavaScript. This crash can only occur
when the debugger is in use but may be potentially exploitable.


References

     Crash due to Assertion failure: getSlotRef(EVAL).isUndefined() 
(CVE-2015-4507)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-103
URL spoofing in reader mode

Announced    September 22, 2015
Reporter    Juho Nurminen
Impact    Low
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher Juho Nurminen reported a mechanism to spoof the URL
displayed in the addressbar in reader mode by manipulating the loaded
URL. This flaw allows for the URL displayed to be different than that
the web content rendered. This allows for potential spoofing but the
effects are mitigated due to the restrictions reader mode places when
rendering content.


References

     URL spoofing in reader mode (CVE-2015-4508)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-104
Use-after-free with shared workers and IndexedDB

Announced    September 22, 2015
Reporter    Looben Yang
Impact    Critical
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher Looben Yang discovered a use-after-free
vulnerability when using a shared worker with IndexedDB due to a race
condition with the worker. This results in a potentially exploitable
crash that can be triggered through web content.


References

     IDB - Use After Free in WorkerPrivate::NotifyFeatures (CVE-2015-4510)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-105
Buffer overflow while decoding WebM video

Announced    September 22, 2015
Reporter    Atte Kettunen
Impact    High
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

Using the Address Sanitizer tool, security researcher Atte Kettunen
discovered a buffer overflow in the nestegg library when decoding a
WebM format video with maliciously formatted headers. This leads to a
potentially exploitable crash.


References

     Heap-buffer-overflow due to overflow in nestegg_track_codec_data 
(CVE-2015-4511)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-106
Use-after-free while manipulating HTML media content

Announced    September 22, 2015
Reporter    Anonymous
Impact    Critical
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

An anonymous researcher reported, via HP's Zero Day Initiative, a
use-after-free vulnerability with HTML media elements on a page during
script manipulation of the URI table of these elements. This results in
a potentially exploitable crash.


References

     HTMLVideoElement Use-After-Free Remote Code Execution 
(ZDI-CAN-3176) (CVE-2015-4509)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-107
Out-of-bounds read during 2D canvas display on Linux 16-bit color depth
systems

Announced    September 22, 2015
Reporter    Francisco Alonso
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher Francisco Alonso of the NowSecure Research Team
used the Address Sanitizer tool to discover an out-of-bounds read issue
during 2D canvas rendering. This was due to an issue in the cairo
graphics library when surfaces are created with 32-bit color depth but
displayed on a 16-bit color depth system, which is unsupported. This
allows an attacker to read an amount of random memory following the
heap for the 16-bit surface leading to information disclosure.

This issue is specific to Linux in certain configurations and does not
affect Windows or OS X systems.


References

     AddressSanitizer READ of size 1364 gfx/2d/DataSurfaceHelpers.cpp 
(CVE-2015-4512)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-108
Scripted proxies can access inner window

Announced    September 22, 2015
Reporter    André Bargull
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researcher André Bargull reported that when a web page creates
a scripted proxy for the window with a handler defined a certain way, a
reference to the inner window will be passed, rather than that of the
outer window in violation of the specification.


References

     Receiver passed to proxy get hook is not outerized when proxy is on 
the window's proto chain (CVE-2015-4502)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-109
JavaScript immutable property enforcement can be bypassed

Announced    September 22, 2015
Reporter    Jeff Walden
Impact    High
Products    Firefox
Fixed in
         Firefox 41


Description

Mozilla developer Jeff Walden reported that Gecko's implementation of
the ECMAScript 5 APIs enforces non-configurable properties with logic
specific to each API. Scripts that do not go through these APIs can
bypass these protections and make changes to the immutable properties
in violation of security protections. This could potentially allow for
web content to run in a privileged context leading to arbitrary code
execution.


References

     All property definition must enforce ES5's invariants regarding 
configurability, writability, etc. (CVE-2015-4516)
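The invariants the advisory refers to, probed from script, as an added example that is not part of the CERT-Renater advisory or of Mozilla's code. It assumes a modern JavaScript engine (Node.js or a browser console) and uses a constructed property named `secret`; the point is that every route to redefine, rewrite or delete a non-writable, non-configurable property must leave the property untouched, whichever API the script goes through.

```javascript
'use strict';
// Added example, not from the advisory or from Mozilla's code. Probes the ES5
// invariants that MFSA 2015-109 says every property-definition path must
// enforce: a non-writable, non-configurable data property must survive every
// mutation route, whether the engine throws (strict mode) or refuses silently.

const NAME = 'secret';                   // constructed property for the probe
const ORIGINAL = { value: 42, writable: false, enumerable: true, configurable: false };

// True if the property still has exactly its original descriptor.
function descriptorIntact(obj) {
  const d = Object.getOwnPropertyDescriptor(obj, NAME);
  return d !== undefined && Object.keys(ORIGINAL).every((k) => d[k] === ORIGINAL[k]);
}

// Runs one mutation attempt and reports how the engine responded.
function attempt(target, mutate) {
  let rejected = false;                  // engine signalled the refusal
  try {
    rejected = mutate() === false;       // Reflect.* report failure as false
  } catch (e) {
    rejected = e instanceof TypeError;   // strict-mode and defineProperty failures
  }
  return { rejected, intact: descriptorIntact(target) };
}

function checkEs5Invariants() {
  const target = {};
  Object.defineProperty(target, NAME, ORIGINAL);
  // A proxy whose trap claims success: the proxy invariant checks must still
  // refuse, because the target's property is non-configurable.
  const lyingProxy = new Proxy(target, { defineProperty: () => true });
  const attempts = {
    assign:           attempt(target, () => { target[NAME] = 1; }),
    redefineValue:    attempt(target, () => Object.defineProperty(target, NAME, { value: 1 })),
    makeWritable:     attempt(target, () => Object.defineProperty(target, NAME, { writable: true })),
    makeConfigurable: attempt(target, () => Object.defineProperty(target, NAME, { configurable: true })),
    toAccessor:       attempt(target, () => Object.defineProperty(target, NAME, { get: () => 1 })),
    remove:           attempt(target, () => { delete target[NAME]; }),
    reflectDefine:    attempt(target, () => Reflect.defineProperty(target, NAME, { value: 1 })),
    reflectDelete:    attempt(target, () => Reflect.deleteProperty(target, NAME)),
    proxyDefine:      attempt(target, () => Object.defineProperty(lyingProxy, NAME, { value: 1 })),
  };
  const allIntact = Object.values(attempts).every((a) => a.intact);
  return { attempts, allIntact, value: target[NAME] };
}

// Stand-alone run: one line per route and the overall verdict.
const report = checkEs5Invariants();
for (const [route, r] of Object.entries(report.attempts)) {
  console.log(`${route.padEnd(17)} rejected=${r.rejected} intact=${r.intact}`);
}
console.log(`all invariants enforced: ${report.allIntact}`);
```

On a conforming engine every route leaves `intact=true`; an engine with a bypass of the kind the advisory describes would show `intact=false` on the affected route.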

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-110
Dragging and dropping images exposes final URL after redirects

Announced    September 22, 2015
Reporter    Mario Gomes
Impact    Moderate
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

Security researcher Mario Gomes reported that when a previously loaded
image on a page is drag and dropped into content after a redirect, the
redirected URL is available to scripts. This is a violation of the
Fetch specification's defined behavior for "Atomic HTTP redirect
handling" which states that redirected URLs are not exposed to any
APIs. This can allow for information leakage.


References

     Dragging and dropping image to  pastes final URL of image 
after redirects (CVE-2015-4519)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-112
Vulnerabilities found through code inspection

Announced    September 22, 2015
Reporter    Ronald Crane
Impact    High
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

Security researcher Ronald Crane reported eight vulnerabilities
affecting released code that were found through code inspection. These
included several potential memory safety issues resulting from the use
of snprintf, one use of unowned memory, one use of a string without
overflow checks, and five memory safety bugs. These do not all have
clear mechanisms to be exploited through web content but are vulnerable
if a mechanism can be found to trigger them.


References

     Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
     Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
     Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety
       bugs in callers (CVE-2015-4522)
     Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug
       (CVE-2015-7174)
     Overflow in XULContentSinkImpl::AddText causes memory-safety bug
       (CVE-2015-7175)
     Bad sscanf argument in AnimationThread overruns stack variable
       (CVE-2015-7176)
     Memory-safety bug in InitTextures (CVE-2015-7177)
     Mishandling return status in ReadbackResultWriterD3D11::Run might
        cause memory-safety bug (CVE-2015-7180)

_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-113
Memory safety errors in libGLES in the ANGLE graphics library

Announced    September 22, 2015
Reporter    Ronald Crane
Impact    Critical
Products    Firefox, Firefox ESR
Fixed in
         Firefox 41
         Firefox ESR 38.3


Description

Security researcher Ronald Crane reported two issues in the libGLES
portions of the ANGLE graphics library, used for WebGL and OpenGL
content on Windows systems. The first of these is a missing bounds
check leading to memory safety errors when manipulating shaders which
could result in the writing to unowned memory. The second issue also
affects shaders when insufficient memory is allocated for a shader
attribute array, leading to a buffer overflow. Both of these issues can
lead to a potentially exploitable crash.


These issues are specific to Windows and do not affect Linux or OS X
systems.


References

     Missing bounds check causes memory-safety bug in
       ProgramBinary::linkAttributes (CVE-2015-7178)
     Overflow in VertexBufferInterface::reserveVertexSpace causes
       memory-safety bug (CVE-2015-7179)


_____________________________________________________________________


Mozilla Foundation Security Advisory 2015-114
Information disclosure via the High Resolution Time API

Announced    September 22, 2015
Reporter    Yossef Oren et al., Amit Klein
Impact    Moderate
Products    Firefox
Fixed in
         Firefox 41


Description

Security researchers Yossef Oren, Vasileios P. Kemerlis, Simha
Sethumadhavan, Angelos D. Keromytis of Columbia University's Network
Security Lab reported a method of using the High Resolution Time API
for side channel attacks. This attack uses JavaScript loaded through a
hostile web page to track access to the last-level cache over a period
of time as a user engages in other browser activity. This attack takes
advantage of the performance.now() API's use of single nanosecond
resolution for timing.

Security researcher Amit Klein independently reported use of the
performance.now() API on Windows systems to extract the Windows counter
frequency as an avenue for side channel attacks.

Both of these flaws allow for the disclosure of private information,
user fingerprinting, and data leakage. They have been addressed by
reducing the resolution of the performance.now() API to 5 microseconds
to remove the precision in resolution available to attackers.

The Windows counter frequency issue does not affect Linux or OS X
systems.


References

     "Spy in the Sandbox" - Security issue related to High Resolution Time API
         The Spy in the Sandbox -- Practical Cache Attacks in Javascript
     Fingerprinting individuals via performance.now()


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
