Firefox 43 and ESR38.5 advisories

announce/2015/mfsa2015-134.md

@@ -0,0 +1,44 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: Critical
+reporter: Mozilla Developers
+title: Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)
+---
+
+<h3>Description</h3>
+
+<p>Mozilla developers and community identified and fixed several memory safety
+bugs in the browser engine used in Firefox and other Mozilla-based products.
+Some of these bugs showed evidence of memory corruption under certain
+circumstances, and we presume that with enough effort at least some of these
+could be exploited to run arbitrary code.</p>
+
+<h3>References</h3>
+
+<p>Andrei Vaida, Jesse Ruderman, and Bob Clary reported memory safety problems and crashes
+that affect Firefox ESR 38.4 and Firefox 42.</p>
+
+<ul>
+  <li><a
+href="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1203135,1225250,1224100">
+          Memory safety bugs fixed in Firefox ESR 38.5 and Firefox 43.</a> (<a
+href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7201"
+class="ex-ref">CVE-2015-7201</a>)</li>
+</ul>
+
+<p>Christian Holler, Jesse Ruderman, Eric Rahm, Robert Kaiser, Harald Kirschner, and
+Michael Henretty reported crash and memory safety problems that affect Firefox 42.</p>
+
+<ul>
+  <li><a
+href="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1193757,1193999,1194002,1194006,
+1207571,1212305,1207571,1221421,1221904,1188105,1208059,1219330,1197012,1200580">
+          Memory safety bugs fixed in Firefox 43.</a> (<a
+href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7202"
+class="ex-ref">CVE-2015-7202</a>)</li>
+</ul>
+
+

announce/2015/mfsa2015-135.md

@@ -0,0 +1,25 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: High
+reporter: Cajus Pollmeier
+title: Crash with JavaScript variable assignment with unboxed objects
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Cajus Pollmeier</strong> reported that Firefox 41 was crashing during some Javascript variable assignments. The issue was caused by an implementation error with unboxed objects and property storing in the JavaScript engine. This error could result in a potentially exploitable crash when triggered by JavaScript content as well as leading to errors on some websites.</p>
+
+<p class="note">This crash was caused by a change to the JavaScript engine was first shipped in Firefox 41. Earlier versions of Firefox are unaffected by this problem, including Firefox ESR 38.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1216130">
+       Simple var assignments can trigger "can't convert undefined to object"
+exception</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7204"
+class="ex-ref">CVE-2015-7204</a>)</li>
+</ul>
+

announce/2015/mfsa2015-136.md

@@ -0,0 +1,31 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: High
+reporter: cgvwzq
+title: Same-origin policy violation using perfomance.getEntries and history navigation
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>cgvwzq</strong> reported that it is possible to read
+cross-origin URLs following a redirect if <code>perfomance.getEntries()</code> is used
+along with an iframe to host a page. Navigating back in history through script, content is
+pulled from the browser cache for the redirected location instead of going to the original
+location. This is a same-origin policy violation and could allow for data theft. 
+</p>
+
+<p class="note">This issue affects other browsers as well and is not limited to Mozilla products.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1185256">
+       performance.getEntries() shows x-domain URLs after a redirect when loading from
+cache</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7207"
+class="ex-ref">CVE-2015-7207</a>)</li>
+  <li><a href="https://github.com/w3c/resource-timing/issues/29">Cached redirects + History traversal reveal cross-origin URLs</a></li>
+</ul>
+

announce/2015/mfsa2015-137.md

@@ -0,0 +1,27 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: Moderate
+reporter: musicDespiteEverything
+title: Firefox allows for control characters to be set in cookies
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>musicDespiteEverything</strong> reported an issue when ASCII code 11 for vertical tab is stored in a cookie in violation of <a
+href="http://tools.ietf.org/html/rfc6265#section-4.1.1">RFC6265</a>. This may result in
+incorrect cookie handling by servers, resulting in the potential ability to set cookie
+values and read cookie data from users in concert with some web servers if the vertical
+tab character is mishandled during parsing.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1191423">
+       allowing vertical tab in cookies leads to cookie injection on some servers</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7208"
+class="ex-ref">CVE-2015-7208</a>)</li>
+</ul>
+

announce/2015/mfsa2015-138.md

@@ -0,0 +1,28 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: Critical
+reporter: Looben Yang
+title: Use-after-free in WebRTC when datachannel is used after being destroyed
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Looben Yang</strong> reported a use-after-free error in
+WebRTC that occurs due to timing issues in WebRTC when closing channels. WebRTC may still
+believe is has a datachannel open after another WebRTC function has closed it. This
+results in attempts to use the now destroyed datachannel, leading to a potentially
+exploitable crash.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1218326">
+       UAF due to DataChannelConnection not Destroy()ed before deletion</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7210"
+class="ex-ref">CVE-2015-7210</a>)</li>
+</ul>
+

announce/2015/mfsa2015-139.md

@@ -0,0 +1,29 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: High
+reporter: Abhishek Arya
+title: Integer overflow allocating extremely large textures
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Abhishek Arya</strong> (Inferno) of the Google
+Chrome Security Team used the Address Sanitizer tool to discover an integer overflow when
+when allocating textures of extremely larges sizes during graphics operations. This
+results in a potentially exploitable crash when triggered.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1222809">
+       Memset crash in mozilla::layers::BufferTextureClient::AllocateForSurface</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7212"
+class="ex-ref">CVE-2015-7212</a>)</li>
+</ul>
+
+
+

announce/2015/mfsa2015-140.md

@@ -0,0 +1,33 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: High
+reporter: Masato Kinugawa
+title: Cross-origin information leak through web workers error events
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Masato Kinugawa</strong> reported a cross-origin
+information leak through the error events in web workers. This violates same-origin policy
+and the leaked information could potentially be used by a malicious party to gather
+authentication tokens and other data from third-party websites. 
+</p>
+
+<p class="note">This issue affects other browsers as well and is not limited to Mozilla
+products.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1160890">
+        Cross-origin information disclosure with error message of Web Workers</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7215"
+class="ex-ref">CVE-2015-7215</a>)</li>
+  <li><a href="https://github.com/whatwg/html/pull/166">Throw NetworkError for
+cross-origin importScripts() exceptions</a></li>
+</ul>
+
+
+

announce/2015/mfsa2015-141.md

@@ -0,0 +1,27 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: Low
+reporter: Abdulrahman Alqabandi
+title: Hash in data URI is incorrectly parsed
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Abdulrahman Alqabandi</strong> reported that when a
+<code>data:</code> URI is parsed, the hash ('#') symbol is incorrectly handled, allowing
+for spoofing attacks. This issue could result in the wrong URI being displayed as a
+location, which can mislead users to believe they are on a different site than the one
+loaded.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1221444">
+       Partial URL spoofing using the data URI scheme</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7211"
+class="ex-ref">CVE-2015-7211</a>)</li>
+</ul>
+

announce/2015/mfsa2015-142.md

@@ -0,0 +1,37 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: Low
+reporter: Stuart Larsen
+title: DOS due to malformed frames in HTTP/2
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Stuart Larsen</strong> reported two issues with HTTP/2
+resulting in integer underflows that lead to intentional aborts when the errors are
+detected.
+</p>
+
+<p>In the first issue, if a malformed HTTP2 header frame is received with only a single
+byte, an integer underflow can be created in some circumstances. In the second issue, a
+malformed HTTP2 PushPromse frame is received and the length of the decompressed buffer is
+miscalculated, leading to another integer underflow. In both of these instances, more
+memory is allocated than is allowed, triggering assertions and intentional aborts (a
+denial of service) but no exploitable crashes.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1194818">
+      Firefox HTTP2 Malformed Header Frame DoS</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7218"
+class="ex-ref">CVE-2015-7218</a>)</li>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1194820">
+       Firefox HTTP2 Malformed PushPromise Underflow DoS</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7219"
+class="ex-ref">CVE-2015-7219</a>)</li>
+</ul>
+

announce/2015/mfsa2015-143.md

@@ -0,0 +1,30 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: Moderate
+reporter: Gustavo Grieco
+title: Linux file chooser crashes on malformed images due to flaws in Jasper library
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Gustavo Grieco</strong> reported that on Linux Gnome systems the dialog for choosing local files uses the operating system's <code>gdk-pixbuf</code> library to render thumbnails for image file types. This library supports various image decoders, and Grieco reported that the Jasper and TGA decoders
+were unmaintained and have several known vulnerabilities. Firefox has disabled the use of those decoders in <code>gdk-pixbuf</code>.
+
+<p class="note">This issue only affects Linux systems running Gnome. Windows,
+OS X, and Android operating systems are unaffected.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1197059">
+       Firefox in Linux is using Jasper which is unmaintained and vulnerable</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7216"
+class="ex-ref">CVE-2015-7216</a>)</li>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1203078">
+        Heap overflow and DoS with TGA files in gdk-pixbuf affecting Firefox</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7217"
+class="ex-ref">CVE-2015-7217</a>)</li>
+</ul>
+

announce/2015/mfsa2015-144.md

@@ -0,0 +1,33 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: Moderate
+reporter: Ronald Crane
+title: Buffer overflows found through code inspection
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Ronald Crane</strong> reported three buffer overflows
+affecting released code that were found through code inspection. They do not all have
+clear mechanisms to be exploited through web content but are vulnerable if a mechanism can
+be found to trigger them.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1201183">
+       Buffer overflow on OOM in DirectWriteFontInfo::LoadFontFamilyData</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7203"
+class="ex-ref">CVE-2015-7203</a>)</li>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1178033">
+       Overflow in XDRBuffer::grow can cause memory-safety bug</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7220"
+class="ex-ref">CVE-2015-7220</a>)</li>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1199400">
+       Overflow in nsDeque::GrowCapacity can cause memory-safety bug</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7221"
+class="ex-ref">CVE-2015-7221</a>)</li>
+</ul>
+

announce/2015/mfsa2015-145.md

@@ -0,0 +1,26 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: High
+reporter: Ronald Crane
+title: Underflow through code inspection
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Ronald Crane</strong> reported an underflow found through
+code inspection. This does not all have a clear mechanism to be exploited through web
+content but could be vulnerable if a means can be found to trigger it.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1220493">
+       Underflow in RTPReceiverVideo::ParseRtpPacket causes memory-safety bug and
+information leak</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7205"
+class="ex-ref">CVE-2015-7205</a>)</li>
+</ul>
+

announce/2015/mfsa2015-146.md

@@ -0,0 +1,30 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: High
+reporter: Ronald Crane
+title: Integer overflow in MP4 playback in 64-bit versions
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Ronald Crane</strong> reported a vulnerability found
+through code inspection. This issue is an integer overflow while processing an MP4 format
+video file when an a erroneously-small buffer is allocated and then overrun, resulting in
+a potentially exploitable crash.
+</p>
+
+<p class="note">This issue only affects 64-bit versions with 32-bit versions being
+unaffected.</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1206211">
+       Overflow in MPEG4Extractor::readMetaData causes memory-safety bug</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7213"
+class="ex-ref">CVE-2015-7213</a>)</li>
+</ul>
+

announce/2015/mfsa2015-147.md

@@ -0,0 +1,32 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: High
+reporter: Gerald Squelart
+title: Integer underflow and buffer overflow processing MP4 metadata in libstagefright
+---
+
+<h3>Description</h3>
+
+<p>Mozilla developer <strong>Gerald Squelart</strong> fixed an integer underflow in the
+libstagefright library initially reported by Joshua Drake to Google. The issues occurred
+in MP4 format video file while parsing cover metadata, leading  to a buffer overflow. This
+results in a potentially exploitable crash and can be triggered by a malformed MP4
+file served by web content.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1216748">
+       potential underflow in 'covr', unchecked allocation&copy in Metadata::setData</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7222"
+class="ex-ref">CVE-2015-7222</a>)</li>
+   <li><a
+href="https://android.googlesource.com/platform/frameworks/av/+/
+c87faed60483afb2466e03892bda80b72e5822c7%5E!/#F0">Fix integer underflow in covr MPEG4
+processing</a></li>
+</ul>
+

announce/2015/mfsa2015-148.md

@@ -0,0 +1,27 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+impact: Critical
+reporter: Kris Maglione
+title: Privilege escalation vulnerabilities in WebExtension APIs
+---
+
+<h3>Description</h3>
+
+<p>Mozilla developer <strong>Kris Maglione</strong> reported a mechanism where
+WebExtension APIs could be used to escalate privilege. This could allow arbitrary web
+content to execute code with the privileges of a particular WebExtension when using these
+API calls. Depending on the privileges of the extension used, this could result in
+personal information theft and cross-site scripting (XSS) attacks, including theft of browser cookies. This is mitigated by the requirement to have a WebExtension installed that is vulnerable to this issue.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1226423">
+       Privilege escalation vulnerabilities in WebExtension APIs</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7223"
+class="ex-ref">CVE-2015-7223</a>)</li>
+</ul>
+

announce/2015/mfsa2015-149.md

@@ -0,0 +1,26 @@
+---
+announced: December 15, 2015
+fixed_in:
+- Firefox 43
+- Firefox ESR 38.5
+impact: Critical
+reporter: Tsubasa Iinuma
+title: Cross-site reading attack through data and view-source URIs
+---
+
+<h3>Description</h3>
+
+<p>Security researcher <strong>Tsubasa Iinuma</strong> reported a mechanism to violate
+same-origin policy to content using <code>data:</code> and <code>view-soure:</code> URIs
+to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files.
+</p>
+
+<h3>References</h3>
+
+<ul>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1228950">
+       cross-origin restriction bypass using data: and view-source: uri scheme</a>
+(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7214"
+class="ex-ref">CVE-2015-7214</a>)</li>
+</ul>
+