MGASA-2014-0518

Updated iceape package fixes security vulnerabilities

Publication date: 09 Dec 2014
Modification date: 09 Dec 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-8631, CVE-2014-8632

Description

When the oxygen-gtk theme engine was active and iceape tried to draw a menu (for 
example after a mouse-down event on the menu bar), a segmentation 
fault was triggered, causing iceape to crash. The oxygen-gtk theme 
engine contains a fix for this problem, which is now enabled for 
iceape. (MGA #12978)

Mozilla developers and community identified and fixed several memory 
safety bugs in the browser engine used in Firefox and other 
Mozilla-based products. Some of these bugs showed evidence of memory 
corruption under certain circumstances, and we presume that with 
enough effort at least some of these could be exploited to run 
arbitrary code. (CVE-2014-1587, CVE-2014-1588)

A method was found to trigger chrome level XML Binding Language (XBL) 
bindings through web content. This was possible because some chrome 
accessible CSS stylesheets had their primary namespace improperly 
declared. When this occurred, it was possible to use these stylesheets 
to manipulate XBL bindings, allowing web content to bypass security 
restrictions. This issue was limited to a specific set of stylesheets. 
(CVE-2014-1589)

In Iceape (seamonkey) before version 2.31, passing a JavaScript object 
to XMLHttpRequest that mimics an input stream will result in a crash. 
This crash is not exploitable and can only be used for denial of 
service attacks. (CVE-2014-1590)

Content Security Policy (CSP) violation reports triggered by a 
redirect did not remove path information as required by the CSP 
specification in Iceape (seamonkey) 2.30. This potentially reveals 
information about the redirect that would not otherwise be known to 
the original site. This could be used by a malicious site to obtain 
sensitive information such as usernames or single-sign-on tokens 
encoded within the target URLs. (CVE-2014-1591)
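The stripping rule the advisory refers to, as an added illustration that is not Mozilla's code: a small CSP violation-report builder that reduces the blocked URI to its origin whenever it is cross-origin with the protected document or was reached through a redirect, so a redirect target's path and query (where a token like the one above would sit) never appear in the report. Function names and the sample URLs are constructed for the example.

```python
import json
from urllib.parse import urlsplit, urlunsplit


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] serialization of a URL's origin."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def strip_uri_for_reporting(blocked_url: str, protected_origin: str,
                            redirected: bool) -> str:
    """Apply the CSP 'strip URI for reporting' rule.

    The blocked URL is reported with its path and query only when it is
    same-origin with the protected resource AND was not reached via a
    redirect (the fragment is always dropped). In every other case only the
    origin is reported. Reporting the full URL of a redirect target is the
    leak described for CVE-2014-1591: the document never saw that URL, so
    the report must not hand it over.
    """
    origin = origin_of(blocked_url)
    if origin == protected_origin and not redirected:
        parts = urlsplit(blocked_url)
        return urlunsplit((parts.scheme, parts.netloc, parts.path,
                           parts.query, ""))
    return origin


def build_report(document_uri: str, violated_directive: str,
                 blocked_url: str, redirected: bool) -> dict:
    """Build the JSON body a user agent would POST to report-uri."""
    protected_origin = origin_of(document_uri)
    return {"csp-report": {
        "document-uri": document_uri,
        "violated-directive": violated_directive,
        "blocked-uri": strip_uri_for_reporting(blocked_url,
                                               protected_origin, redirected),
    }}


if __name__ == "__main__":
    # Constructed scenario: an image load on app.example is redirected to an
    # SSO endpoint whose query carries a token; img-src blocks the redirect.
    report = build_report("https://app.example/page", "img-src",
                          "https://idp.example/sso?token=SECRET", True)
    print(json.dumps(report, indent=2))  # blocked-uri is only the origin
```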

In Iceape (seamonkey) before version 2.31, a use-after-free could be 
created by triggering the creation of a second root element while 
parsing HTML written to a document created with document.open(). This 
leads to a potentially exploitable crash. (CVE-2014-1592)

A buffer overflow during the parsing of media content was found using 
the Address Sanitizer tool. This leads to a potentially exploitable 
crash. (CVE-2014-1593)

A bad casting from the BasicThebesLayer to BasicContainerLayer 
resulted in undefined behavior. This behavior is potentially 
exploitable with some compilers but no clear mechanism to trigger it 
through web content was identified. (CVE-2014-1594)

When chrome objects protected by Chrome Object Wrappers (COW) are 
passed as native interfaces to certain methods, normally protected 
objects may become accessible to native methods exposed to web 
content. (CVE-2014-8631)

When XrayWrappers filter object properties and validation of the 
object initially occurs, one set of object properties will appear to 
be available. Later, when the XrayWrappers are removed, a more 
expansive set of properties is available. These are then stored 
without further validation, making these properties available and 
bypassing security protections that would normally protect them from 
access. (CVE-2014-8632)