
                         AUSCERT Security Bulletin

       Mozilla has released Firefox version 38, Firefox ESR version
                         31.7 and Thunderbird 31.7
                                13 May 2015


        AusCERT Security Bulletin Summary

Product:              Mozilla Firefox
                      Mozilla Firefox ESR
                      Mozilla Thunderbird ESR
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-2720 CVE-2015-2718 CVE-2015-2717
                      CVE-2015-2716 CVE-2015-2715 CVE-2015-2714
                      CVE-2015-2713 CVE-2015-2712 CVE-2015-2711
                      CVE-2015-2710 CVE-2015-2709 CVE-2015-2708
                      CVE-2015-0833 CVE-2015-0797 CVE-2011-3079
Member content until: Friday, June 12 2015
Reference:            ASB-2015.0018


        Mozilla has released Firefox version 38, Firefox ESR version 31.7 
        and Thunderbird 31.7 to correct multiple vulnerabilities. [1 - 13]


        The vendor has provided the following details regarding these vulnerabilities:
        CVE-2015-2708, CVE-2015-2709: "Mozilla developers and community 
        identified and fixed several memory safety bugs in the browser 
        engine used in Firefox and other Mozilla-based products. Some of 
        these bugs showed evidence of memory corruption under certain 
        circumstances, and we presume that with enough effort at least some
        of these could be exploited to run arbitrary code.
        In general these flaws cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but are 
        potentially a risk in browser or browser-like contexts." [1]
        CVE-2015-0797: "Security researcher Aki Helin used the Address 
        Sanitizer tool to find a buffer overflow during video playback on 
        Linux systems. This was due to a problem in older versions of the 
        Gstreamer plugin during the parsing of H.264 formatted video. This 
        issue could be used to induce a possibly exploitable crash.
        This issue does not affect the current 1.0 version of Gstreamer and
        does not affect Windows or OS X systems." [2]
        CVE-2015-2710: "Using the Address Sanitizer tool, security 
        researcher Atte Kettunen found a buffer overflow during the 
        rendering of SVG format graphics when combined with specific CSS 
        properties on a page. This results in a potentially exploitable crash.
        In general this flaw cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but is 
        potentially a risk in browser or browser-like contexts." [3]
        CVE-2015-2711: "Security researcher Alex Verstak reported that <meta
        name="referrer"> is ignored when a link is opened through the 
        context menu or a middle-click by mouse. This means that, in some 
        situations, the referrer policy is ignored when opening links in new
        tabs and may cause some pages to open without an HTTP Referer header
        being set according to the author's intended policy." [4]
        CVE-2015-2712: "Security researcher Dougall Johnson reported an 
        out-of-bounds read and write in asm.js during JavaScript validation
        due to an error in how heap lengths are defined. This results in a 
        potentially exploitable crash and could allow for the reading of 
        random memory which may contain sensitive data." [5]
        CVE-2015-2713: "Security researcher Scott Bell used the Address 
        Sanitizer tool to discover a use-after-free error during the 
        processing of text when vertical text is enabled. This leads to a 
        potentially exploitable crash." [6]
        CVE-2015-2714: "Security researcher Muneaki Nishimura reported that
        Firefox for Android would write potentially sensitive data to the 
        Android logcat that was encoded as part of logged URL strings. On 
        Android 4.0 or earlier systems, logcat data is available to any 
        application having READ_LOGS permission, leading to potential 
        privacy violations." [7]
        CVE-2015-2715: "Security researchers Tyson Smith and Jesse 
        Schwartzentruber reported a use-after-free during the shutdown 
        process. This was caused by a race condition when media decoder 
        threads are created during the shutdown process in some 
        circumstances. This leads to a potentially exploitable crash when 
        triggered." [8]
        CVE-2015-2716: "Security researcher Ucha Gobejishvili used the 
        Address Sanitizer tool to find a buffer overflow while parsing 
        compressed XML content. This was due to an error in how buffer space
        is created and modified when handling large amounts of XML data. 
        This results in a potentially exploitable crash.
        In general this flaw cannot be exploited through email in the 
        Thunderbird product because scripting is disabled, but is 
        potentially a risk in browser or browser-like contexts." [9]
        CVE-2015-2717: "Security researcher laf.intel reported a buffer 
        overflow and out-of-bounds read in the libstagefright library while
        parsing invalid metadata in MP4 video files. This can lead to a 
        potentially exploitable crash." [10]
        CVE-2015-2718: "Mozilla developer Mark Hammond reported a flaw in 
        how WebChannel.jsm handles message traffic. He found that when a 
        trusted page is hosted within an <iframe> on an untrusted 
        third-party framing page, the untrusted page could 
        intercept webchannel responses meant for the trusted page, bypassing
        origin restrictions." [11]
        CVE-2011-3079: "Mozilla Developer Jed Davis and Mozilla security 
        engineer Christoph Diehl reported that Mozilla had inherited an 
        Inter-process Communication (IPC) vulnerability when IPC was 
        introduced into Mozilla products through third-party code. This 
        could allow for privilege escalation through IPC channels due to 
        lack of message validation in the listener process.
        This issue only affects systems running Windows, leaving Linux and 
        OS X unaffected." [12]
        CVE-2015-2720, CVE-2015-0833: "Security researcher Holger Fuhrmannek
        previously reported CVE-2015-0833, which was fixed in MFSA 2015-12.
        That flaw allowed for the updater to load binary DLL format files 
        from the local working directory or from the Windows temporary 
        directories. During the fixing of CVE-2015-0833, the need to ensure
        that updates use the updater.exe from the application directory was
        identified to mitigate the potential for further similar 
        vulnerabilities. This change to updater.exe for Windows systems has
        been made in this release.
        This issue is specific to Windows and does not affect Linux or OS X
        systems." [13]


        Mozilla recommends updating to the latest versions of Firefox, 
        Firefox ESR and Thunderbird ESR to correct these issues. [1 - 13]
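
        The following is an added example, not part of the AusCERT bulletin
        or of any Mozilla tooling. It parses the banner printed by
        `firefox --version` / `thunderbird --version` on UNIX systems and
        decides whether the installed build predates the fixed versions
        named in this bulletin (Firefox 38, Firefox ESR 31.7, Thunderbird
        31.7). It assumes the banner formats "Mozilla Firefox 31.6.0esr",
        "Mozilla Firefox 37.0.2" and "Thunderbird 31.6.0", treats any
        Firefox banner without an "esr" suffix as the release channel
        (so a stray 31.x release build is compared against 38, the
        conservative outcome), and treats Thunderbird as the 31.7 fix
        line because that is the only Thunderbird version this bulletin
        covers. The sample banners in the main block are constructed.

```python
import re
import sys

# Fixed versions named in this bulletin, keyed by (product, channel).
# Thunderbird is mapped to the 31.7 line; this bulletin covers no other
# Thunderbird branch (assumption for this example).
FIXED = {
    ("Firefox", "release"): (38, 0, 0),
    ("Firefox", "esr"): (31, 7, 0),
    ("Thunderbird", "esr"): (31, 7, 0),
}

# Accepts "Mozilla Firefox 31.6.0esr", "Mozilla Firefox 38.0", "Thunderbird 31.6.0".
_BANNER_RE = re.compile(
    r"^(?:Mozilla\s+)?(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\.(?P<patch>\d+))?(?P<esr>esr)?\s*$"
)


def parse_version(banner):
    """Return (product, channel, (major, minor, patch)) for a --version banner.

    Raises ValueError for anything that is not a Firefox/Thunderbird banner,
    so an unexpected string is never silently treated as 'not affected'.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    product = m.group("product")
    version = tuple(int(m.group(k) or 0) for k in ("major", "minor", "patch"))
    # Firefox ESR builds carry an "esr" suffix; Thunderbird 31.x does not,
    # but it is the ESR-style line fixed in 31.7 (assumption, see lead-in).
    channel = "esr" if (m.group("esr") or product == "Thunderbird") else "release"
    return product, channel, version


def is_affected(banner):
    """True if the build is older than the fixed version for its channel."""
    product, channel, version = parse_version(banner)
    return version < FIXED[(product, channel)]


if __name__ == "__main__":
    # Constructed sample banners; on a real host pipe `firefox --version` in.
    samples = sys.argv[1:] or [
        "Mozilla Firefox 31.6.0esr",
        "Mozilla Firefox 31.7.0esr",
        "Mozilla Firefox 37.0.2",
        "Mozilla Firefox 38.0",
        "Thunderbird 31.6.0",
    ]
    for banner in samples:
        state = "UPDATE REQUIRED" if is_affected(banner) else "fixed"
        print("%-28s %s" % (banner, state))
```

        Run it as `firefox --version | python3 check_mozilla.py` style by
        passing the banner as an argument, or with no arguments to see the
        constructed samples. The version comparison is done per channel
        because a 31.x ESR build is not "older than 38" in any useful
        sense; comparing it against 31.7 is what tells you whether this
        bulletin's fixes are present.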


        [1] Mozilla Foundation Security Advisory 2015-46

        [2] Mozilla Foundation Security Advisory 2015-47

        [3] Mozilla Foundation Security Advisory 2015-48

        [4] Mozilla Foundation Security Advisory 2015-49

        [5] Mozilla Foundation Security Advisory 2015-50

        [6] Mozilla Foundation Security Advisory 2015-51

        [7] Mozilla Foundation Security Advisory 2015-52

        [8] Mozilla Foundation Security Advisory 2015-53

        [9] Mozilla Foundation Security Advisory 2015-54

        [10] Mozilla Foundation Security Advisory 2015-55

        [11] Mozilla Foundation Security Advisory 2015-56

        [12] Mozilla Foundation Security Advisory 2015-57

        [13] Mozilla Foundation Security Advisory 2015-58

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.