Firefox: various vulnerabilities
Upgrade to 38.3
- Memory safety bugs fixed in Firefox ESR 38.3 and Firefox 41. (CVE-2015-4500)
- Missing bounds check causes memory-safety bug in ProgramBinary::linkAttributes (CVE-2015-7178)
- Overflow in VertexBufferInterface::reserveVertexSpace causes memory-safety bug (CVE-2015-7179)
- Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
- Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
- Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers (CVE-2015-4522)
- Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug (CVE-2015-7174)
- Overflow in XULContentSinkImpl::AddText causes memory-safety bug (CVE-2015-7175)
- Bad sscanf argument in AnimationThread overruns stack variable (CVE-2015-7176)
- Memory-safety bug in InitTextures (CVE-2015-7177)
- Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug (CVE-2015-7180)
- CORS preflight cache poisoning with the credentials flag (CVE-2015-4520)
- CORS preflight cache poisoning with a CORS header being mistaken with another CORS header
- Dragging and dropping image to pastes final URL of image after redirects (CVE-2015-4519)
- HTMLVideoElement Use-After-Free Remote Code Execution (ZDI-CAN-3176) (CVE-2015-4509)
- Heap-buffer-overflow due to overflow in nestegg_track_codec_data (CVE-2015-4511)
- vp9_init_context_buffers (CVE-2015-4506)
- Arbitrary file manipulation through updater.exe (CVE-2015-4505)
38.2.1
- use-after-free (& crash) after style flush in CanvasRenderingContext2D (CVE-2015-4497)
- Firefox Addon bypass dialog and spoof vulnerability (CVE-2015-4498)
- Mozilla Firefox nsIPresShell Use-After-Free Remote Code Execution Vulnerability
38.2
- Use After Free in XMLHttpRequest::Open() (CVE-2015-4492)
- Overflow nsTSubstring::ReplacePrep causes memory-safety bugs in string library (CVE-2015-4487)
- StyleAnimationValue::operator= uses objects after delete on self-assignment (CVE-2015-4488)
- Self-assignment in nsTArray_Impl causes memory-safety bug (CVE-2015-4489)
- Heap-buffer-overflow WRITE in resize_context_buffers (CVE-2015-4485)
- Out of bounds read in decrease_ref_count (CVE-2015-4486)
- gdk-pixbuf heap overflow and DoS affecting Firefox (CVE-2015-4491)
- crash in void js::jit::AssemblerX86Shared::lock_addljs::jit::Imm32 (CVE-2015-4484)
- Out of bounds write in mar_read.c (CVE-2015-4482)
- MPEG4 saio Chunk Integer Overflow (libstagefright) (CVE-2015-4479)
- int overflow in libstagefright during mp4 parsing
- crash in [@ stagefright::SampleTable::isValid() ] with h264 mp4 (CVE-2015-4480)
- Stagefright: heap-buffer-overflow crash [@stagefright::ESDS::parseESDescriptor] (CVE-2015-4493)
- JSON.parse with reviver allows redefining non-configurable properties (CVE-2015-4478)
- Memory safety bugs fixed in Firefox ESR 38.2 and Firefox 40. (CVE-2015-4473)
(from redmine: issue id 4665, created on 2015-09-29, closed on 2017-09-05)
- Relations:
- child #4666 (closed)
- child #4667 (closed)
- child #4668 (closed)
- child #4669 (closed)
- child #4676 (closed)