Mozilla Foundation Security Advisory 2015-112
Vulnerabilities found through code inspection
- Announced
- September 22, 2015
- Reporter
- Ronald Crane
- Impact
- High
- Products
- Firefox, Firefox ESR, Firefox OS, SeaMonkey, Thunderbird
- Fixed in
- Firefox 41
- Firefox ESR 38.3
- Firefox OS 2.5
- SeaMonkey 2.38
- Thunderbird 38.3
Description
Security researcher Ronald Crane reported eight vulnerabilities affecting released code that were found through code inspection. These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and five memory safety bugs. Not all of these have a clear mechanism for exploitation through web content, but they are vulnerable if a mechanism can be found to trigger them.
In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but they are potentially a risk in browser or browser-like contexts.
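The two bug classes the description names, the snprintf return-value pitfall and an unchecked maximum-length multiplication, in a short added example. This is illustrative C written for this page, not Mozilla code, and the function names (append_fmt, naive_next_offset, utf8_max_length) are invented; the 3-bytes-per-UTF-16-code-unit factor is the generic worst case for that conversion, not a statement about how the fixed function computed its bound.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative code for two bug classes named in the advisory; it is not
 * Mozilla's code and the function names are invented for this example.
 *
 * 1. snprintf() returns the length the complete output would have had, not
 *    the number of bytes actually stored. Code that adds that return value
 *    to a running offset keeps writing past the end of the buffer once a
 *    single call truncates.
 * 2. A "maximum output length" computed as input_length * 3 (the generic
 *    worst case for UTF-16 code units to UTF-8) wraps a 32-bit integer for
 *    large inputs, so the caller allocates too little and the conversion
 *    writes past the allocation.
 */

/* Append formatted text at *offset in a buffer of cap bytes.
 * Returns false and leaves *offset untouched if the output does not fit,
 * instead of trusting the snprintf return value as the new offset.
 * buf stays NUL-terminated on every path. */
bool append_fmt(char *buf, size_t cap, size_t *offset, const char *fmt, ...)
{
    if (buf == NULL || offset == NULL || cap == 0 || *offset >= cap)
        return false;

    size_t remaining = cap - *offset;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *offset, remaining, fmt, ap);
    va_end(ap);

    /* n < 0: encoding error. n >= remaining: output was truncated, and the
     * naive "*offset += n" would now point past the buffer. */
    if (n < 0 || (size_t)n >= remaining) {
        buf[*offset] = '\0';          /* discard the partial write */
        return false;
    }
    *offset += (size_t)n;
    return true;
}

/* Offset the naive pattern "offset += snprintf(...)" would produce for the
 * same append, computed without writing anything. Compare it with cap to
 * see how far past the buffer the next write would land. */
size_t naive_next_offset(size_t offset, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? offset : offset + (size_t)n;
}

/* Worst-case UTF-8 byte count for `units` UTF-16 code units (3 bytes per
 * unit covers every case: a surrogate pair is 2 units and at most 4 bytes).
 * The bound is checked before the multiply so the result can never wrap;
 * callers must treat a false return as an error, not as length 0. */
bool utf8_max_length(int32_t units, int32_t *out)
{
    if (out == NULL || units < 0 || units > INT32_MAX / 3)
        return false;
    *out = units * 3;
    return true;
}

int main(void)
{
    char buf[16];            /* constructed sample: a 16-byte destination */
    size_t off = 0;
    buf[0] = '\0';

    bool ok1 = append_fmt(buf, sizeof buf, &off, "%s", "eth0");
    bool ok2 = append_fmt(buf, sizeof buf, &off, "=%s", "192.168.100.200");
    printf("first append %s, second append %s, offset=%zu, buf=\"%s\"\n",
           ok1 ? "ok" : "rejected", ok2 ? "ok" : "rejected", off, buf);
    printf("naive offset after the second append would be %zu (buffer is %zu)\n",
           naive_next_offset(off, "=%s", "192.168.100.200"), sizeof buf);

    int32_t max = 0;
    printf("utf8_max_length(INT32_MAX/2): %s\n",
           utf8_max_length(INT32_MAX / 2, &max) ? "accepted" : "rejected");
    return 0;
}
```

The point of append_fmt is that truncation is a failure the caller must see, not a value to add to an offset; naive_next_offset makes the gap visible (a 16-byte buffer, an offset of 4, and a 16-character append yield a next offset of 20). utf8_max_length shows the check that has to precede any length multiplication used for an allocation.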
References
- Memory-safety bugs in NetworkUtils.cpp generally (CVE-2015-4517)
- Memory-safety bugs in ConvertDialogOptions (CVE-2015-4521)
- Overflow in nsUnicodeToUTF8::GetMaxLength can create memory-safety bugs in callers (CVE-2015-4522)
- Overflow in nsAttrAndChildArray::GrowBy causes memory-safety bug (CVE-2015-7174)
- Overflow in XULContentSinkImpl::AddText causes memory-safety bug (CVE-2015-7175)
- Bad sscanf argument in AnimationThread overruns stack variable (CVE-2015-7176)
- Memory-safety bug in InitTextures (CVE-2015-7177)
- Mishandling return status in ReadbackResultWriterD3D11::Run might cause memory-safety bug (CVE-2015-7180)