[blfs-book] [BLFS Trac] #6794: firefox-39.0.3

Fri, 07 Aug 2015 04:03:05 -0700 

#6794: firefox-39.0.3
-------------------------+-------------------------
 Reporter:  fo           |      Owner:  blfs-book@…
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  7.8
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-------------------------
 
[https://ftp.mozilla.org/pub/firefox/releases/39.0.3/source/firefox-39.0.3.source.tar.bz2]

 [https://ftp.mozilla.org/pub/firefox/releases/39.0.3/MD5SUMS]

 md5sum: 6ef31cbd34d9905a0648104d916269cb

 == Vulnerability ==

   • It's possible to read local files or perform privilege escalation
     by using a native setter (CVE-2015-4495)

     [https://bugzilla.mozilla.org/show_bug.cgi?id=1178058]

     [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495]

   • Remove PlayPreview registration from PDF Viewer

     [https://bugzilla.mozilla.org/show_bug.cgi?id=1179262]

 [https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/]

 {{{
 Same origin violation and local file stealing via PDF reader

 Announced    August 6, 2015
 Reporter     Cody Crews
 Impact       Critical
 Products     Firefox, Firefox ESR
 Fixed in     • Firefox 39.0.3
              • Firefox ESR 38.1.1

 Description

 Security researcher Cody Crews reported on a way to violate the same
 origin policy and inject script into a non-privileged part of the
 built-in PDF Viewer. This would allow an attacker to read and steal
 sensitive local files on the victim's computer.

 Mozilla has received reports that an exploit based on this vulnerability
 has been found in the wild.

 References

   • It's possible to read local files or perform privilege escalation
     by using a native setter (CVE-2015-4495)
   • Remove PlayPreview registration from PDF Viewer
 }}}

 [https://www.mozilla.org/en-US/security/known-
 vulnerabilities/firefox/#firefox39.0.3]

 {{{
 Fixed in Firefox 39.0.3

   • Critical
     2015-78 Same origin violation and local file stealing via PDF reader
 }}}

 [https://www.mozilla.org/en-US/firefox/39.0.3/releasenotes/]

 {{{
 What’s New

     Reference: Release notes for Firefox 39.0

   • Fixed Various security fixes
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/6794>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to