Bug 17337

Summary: Firefox 38.5
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, tarazed25, westel
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/668127/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: nspr, nss, firefox, firefox-l10n CVE:
Status comment:

Description David Walser 2015-12-15 19:06:35 CET 
Upstream has released version 38.5 today (December 15):
https://www.mozilla.org/en-US/firefox/38.5.0/releasenotes/

Details are not available yet.

This update will also include updates for nspr and nss.

It is building right now for Mageia 5.  Assuming it builds successfully, testing can begin.  Advisory and details will come later.  Package list below.

Updated packages in core/updates_testing:
========================
libnspr4-4.11-1.mga5
libnspr-devel-4.11-1.mga5
nss-3.21.0-1.mga5
nss-doc-3.21.0-1.mga5
libnss3-3.21.0-1.mga5
libnss-devel-3.21.0-1.mga5
libnss-static-devel-3.21.0-1.mga5
firefox-38.5.0-1.mga5
firefox-devel-38.5.0-1.mga5
firefox-af-38.5.0-1.mga5
firefox-an-38.5.0-1.mga5
firefox-ar-38.5.0-1.mga5
firefox-as-38.5.0-1.mga5
firefox-ast-38.5.0-1.mga5
firefox-az-38.5.0-1.mga5
firefox-be-38.5.0-1.mga5
firefox-bg-38.5.0-1.mga5
firefox-bn_IN-38.5.0-1.mga5
firefox-bn_BD-38.5.0-1.mga5
firefox-br-38.5.0-1.mga5
firefox-bs-38.5.0-1.mga5
firefox-ca-38.5.0-1.mga5
firefox-cs-38.5.0-1.mga5
firefox-cy-38.5.0-1.mga5
firefox-da-38.5.0-1.mga5
firefox-de-38.5.0-1.mga5
firefox-el-38.5.0-1.mga5
firefox-en_GB-38.5.0-1.mga5
firefox-en_US-38.5.0-1.mga5
firefox-en_ZA-38.5.0-1.mga5
firefox-eo-38.5.0-1.mga5
firefox-es_AR-38.5.0-1.mga5
firefox-es_CL-38.5.0-1.mga5
firefox-es_ES-38.5.0-1.mga5
firefox-es_MX-38.5.0-1.mga5
firefox-et-38.5.0-1.mga5
firefox-eu-38.5.0-1.mga5
firefox-fa-38.5.0-1.mga5
firefox-ff-38.5.0-1.mga5
firefox-fi-38.5.0-1.mga5
firefox-fr-38.5.0-1.mga5
firefox-fy_NL-38.5.0-1.mga5
firefox-ga_IE-38.5.0-1.mga5
firefox-gd-38.5.0-1.mga5
firefox-gl-38.5.0-1.mga5
firefox-gu_IN-38.5.0-1.mga5
firefox-he-38.5.0-1.mga5
firefox-hi_IN-38.5.0-1.mga5
firefox-hr-38.5.0-1.mga5
firefox-hsb-38.5.0-1.mga5
firefox-hu-38.5.0-1.mga5
firefox-hy_AM-38.5.0-1.mga5
firefox-id-38.5.0-1.mga5
firefox-is-38.5.0-1.mga5
firefox-it-38.5.0-1.mga5
firefox-ja-38.5.0-1.mga5
firefox-kk-38.5.0-1.mga5
firefox-km-38.5.0-1.mga5
firefox-kn-38.5.0-1.mga5
firefox-ko-38.5.0-1.mga5
firefox-lij-38.5.0-1.mga5
firefox-lt-38.5.0-1.mga5
firefox-lv-38.5.0-1.mga5
firefox-mai-38.5.0-1.mga5
firefox-mk-38.5.0-1.mga5
firefox-ml-38.5.0-1.mga5
firefox-mr-38.5.0-1.mga5
firefox-ms-38.5.0-1.mga5
firefox-nb_NO-38.5.0-1.mga5
firefox-nl-38.5.0-1.mga5
firefox-nn_NO-38.5.0-1.mga5
firefox-or-38.5.0-1.mga5
firefox-pa_IN-38.5.0-1.mga5
firefox-pl-38.5.0-1.mga5
firefox-pt_BR-38.5.0-1.mga5
firefox-pt_PT-38.5.0-1.mga5
firefox-ro-38.5.0-1.mga5
firefox-ru-38.5.0-1.mga5
firefox-si-38.5.0-1.mga5
firefox-sk-38.5.0-1.mga5
firefox-sl-38.5.0-1.mga5
firefox-sq-38.5.0-1.mga5
firefox-sr-38.5.0-1.mga5
firefox-sv_SE-38.5.0-1.mga5
firefox-ta-38.5.0-1.mga5
firefox-te-38.5.0-1.mga5
firefox-th-38.5.0-1.mga5
firefox-tr-38.5.0-1.mga5
firefox-uk-38.5.0-1.mga5
firefox-uz-38.5.0-1.mga5
firefox-vi-38.5.0-1.mga5
firefox-xh-38.5.0-1.mga5
firefox-zh_CN-38.5.0-1.mga5
firefox-zh_TW-38.5.0-1.mga5

from SRPMS:
nspr-4.11-1.mga5.src.rpm
nss-3.21.0-1.mga5.src.rpm
firefox-38.5.0-1.mga5.src.rpm
firefox-l10n-38.5.0-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-12-15 19:46:57 CET 
Working fine on Mageia 5 i586.  Will post advisory when it's available.

Whiteboard: (none) => MGA5-32-OK

Comment 3 Len Lawrence 2015-12-16 01:47:05 CET 
mga5  x86_64  Mate

Upgraded from Firefox 38.4.
Installed the firefox-uk, en-GB versions and dependencies.  All working fine, general browsing, Youtube, search and access to local ports like 631.

CC: (none) => tarazed25

Len Lawrence 2015-12-16 01:47:23 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 4 Ben McMonagle 2015-12-16 08:47:54 CET 
mga5 i586 KDE, upgrade from firefox-0:38.4.0-1

 installed:
  firefox                        38.5.0       1.mga5        i586    
  firefox-en_GB                  38.5.0       1.mga5        noarch  
  libnspr4                       4.11         1.mga5        i586    
  libnss3                        3.21.0       1.mga5        i586    

youtube playback -ok *flash-player-plugin not installed*
browsing -ok

installed flash-player-plugin
browsed sites that require flash -ok 

un-installed flash-player-plugin

CC: (none) => westel

Comment 5 David Walser 2015-12-16 14:48:00 CET 
Ubuntu has issued an advisory for this on December 15:
http://www.ubuntu.com/usn/usn-2833-1/

Going with their CVE descriptions for now.  If we don't get this pushed by time RedHat posts their advisory, I'll update this at that time.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple memory safety issues in Firefox were discovered. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox (CVE-2015-7201).

Ronald Crane discovered a buffer overflow through code inspection. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox (CVE-2015-7205).

Looben Yang discovered a use-after-free in WebRTC when closing channels in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox (CVE-2015-7210).

Abhishek Arya discovered an integer overflow when allocating large
textures. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox (CVE-2015-7212).

Ronald Crane dicovered an integer overflow when processing MP4 format
video in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox (CVE-2015-7213).

Tsubasa Iinuma discovered a way to bypass same-origin restrictions using
data: and view-source: URLs. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
obtain sensitive information and read local files (CVE-2015-7214).

Gerald Squelart discovered an integer underflow in the libstagefright
library when parsing MP4 format video in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox (CVE-2015-7222).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7222
https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-138/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-139/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-145/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-146/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-147/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-149/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
http://www.ubuntu.com/usn/usn-2833-1/
Comment 6 claire robinson 2015-12-16 16:04:08 CET 
Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2015-12-16 19:29:08 CET 
The more concise RedHat advisory, if someone wouldn't mind changing it in SVN.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2015-7201, CVE-2015-7205, CVE-2015-7210, CVE-2015-7212,
CVE-2015-7213, CVE-2015-7222).

A flaw was found in the way Firefox handled content using the 'data:' and
'view-source:' URIs. An attacker could use this flaw to bypass the
same-origin policy and read data from cross-site URLs and local files
(CVE-2015-7214).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7222
https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-138/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-139/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-145/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-146/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-147/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-149/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2015-2657.html
David Walser 2015-12-16 19:31:01 CET

URL: (none) => http://lwn.net/Vulnerabilities/668127/

Comment 8 Mageia Robot 2015-12-16 22:02:03 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0477.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2016-03-14 19:38:56 CET 
(In reply to David Walser from comment #10)
> It also fixed CVE-2016-1978:
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/

LWN reference:
http://lwn.net/Vulnerabilities/680044/