[USN-2243-1] Firefox vulnerabilities
Posted on 11 June 2014
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-2243-1
June 11, 2014
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de
Mooij, Ryan VanderMeulen, Jeff Walden, Kyle Huey, Jesse Ruderman, Gregor
Wagner, Benoit Jacob and Karl Tomlinson discovered multiple memory safety
issues in Firefox. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1533,
CVE-2014-1534)
Abhishek Arya discovered multiple use-after-free and out-of-bounds read
issues in Firefox. An attacker could potentially exploit these to cause
a denial of service via application crash or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1536,
CVE-2014-1537, CVE-2014-1538)
Tyson Smith and Jesse Schwartzentruber discovered a use-after-free in the
event listener manager. An attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2014-1540)
A use-after-free was discovered in the SMIL animation controller. An
attacker could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1541)
Holger Fuhrmannek discovered a buffer overflow in Web Audio. An attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1542)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
firefox 30.0+build1-0ubuntu0.14.04.3
Ubuntu 13.10:
firefox 30.0+build1-0ubuntu0.13.10.3
Ubuntu 12.04 LTS:
firefox 30.0+build1-0ubuntu0.12.04.3
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2243-1
CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537,
CVE-2014-1538, CVE-2014-1540, CVE-2014-1541, CVE-2014-1542,
https://launchpad.net/bugs/1326690
Package Information:
https://launchpad.net/ubuntu/+source/firefox/30.0+build1-0ubuntu0.14.04.3
https://launchpad.net/ubuntu/+source/firefox/30.0+build1-0ubuntu0.13.10.3
https://launchpad.net/ubuntu/+source/firefox/30.0+build1-0ubuntu0.12.04.3