ID CVE-2015-7213
Summary Integer overflow in the MPEG4Extractor::readMetaData function in MPEG4Extractor.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 on 64-bit platforms allows remote attackers to execute arbitrary code via a crafted MP4 video file that triggers a buffer overflow.
References
Vulnerable Configurations
  • openSUSE Leap 42.1
    cpe:2.3:o:opensuse:leap:42.1
  • OpenSUSE 13.1
    cpe:2.3:o:opensuse:opensuse:13.1
  • OpenSUSE 13.2
    cpe:2.3:o:opensuse:opensuse:13.2
  • Fedora 22
    cpe:2.3:o:fedoraproject:fedora:22
  • Fedora Project Fedora 23
    cpe:2.3:o:fedoraproject:fedora:23
  • Mozilla Firefox ESR 38.0 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.0:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.0.1 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.0.1:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.0.5 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.0.5:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.1.0 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.1.0:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.1.1 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.1.1:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.2.0 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.2.0:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.2.1 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.2.1:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.3.0 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.3.0:-:-:-:-:-:x64
  • Mozilla Firefox ESR 38.4.0 (64 bit)
    cpe:2.3:a:mozilla:firefox_esr:38.4.0:-:-:-:-:-:x64
  • Mozilla Firefox 42.0 (64 bit)
    cpe:2.3:a:mozilla:firefox:42.0:-:-:-:-:-:x64
CVSS
Base: 6.8 (as of 12-07-2016 - 13:25)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-7AB3D3AFCF.NASL
    description Update to latest upstream - Firefox 43 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-03-13
    plugin id 89295
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89295
    title Fedora 22 : firefox-43.0-1.fc22 (2015-7ab3d3afcf)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-942.NASL
    description This update for MozillaFirefox fixes the following security issues : - MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards - MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects - MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation - MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies - MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed - MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures - MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events - MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed - MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2 - MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library - MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400) Buffer overflows found through code inspection - MFSA 2015-145/CVE-2015-7205 (bmo#1220493) Underflow through code inspection - MFSA 2015-146/CVE-2015-7213 (bmo#1206211) Integer overflow in MP4 playback in 64-bit versions - MFSA 2015-147/CVE-2015-7222 (bmo#1216748) Integer underflow and buffer overflow processing MP4 metadata in libstagefright - MFSA 2015-148/CVE-2015-7223 (bmo#1226423) Privilege escalation vulnerabilities in WebExtension APIs - MFSA 2015-149/CVE-2015-7214 (bmo#1228950) Cross-site reading attack through data and view-source URIs
    last seen 2019-02-21
    modified 2016-03-13
    plugin id 87620
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87620
    title openSUSE Security Update : MozillaFirefox (openSUSE-2015-942)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FIREFOX_43.NASL
    description The version of Firefox installed on the remote Mac OS X host is prior to 43. It is, therefore, affected by the following vulnerabilities : - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues by convincing a user to visit a specially crafted web page, resulting in the execution of arbitrary code. (CVE-2015-7201) - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues by convincing a user to visit a specially crafted web page, resulting in the execution of arbitrary code. (CVE-2015-7202) - An overflow condition exists in the LoadFontFamilyData() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7203) - A flaw exists in the PropertyWriteNeedsTypeBarrier() function due to improper handling of unboxed objects during JavaScript variable assignments. A remote attacker can exploit this to execute arbitrary code. (CVE-2015-7204) - A flaw exists in the RtpHeaderParser::Parse() function due to improper handling of RTP headers. An unauthenticated, remote attacker can exploit this, via specially crafted RTP headers, to execute arbitrary code. (CVE-2015-7205) - A same-origin bypass vulnerability exists that is triggered after a redirect when the function is used alongside an iframe to host a page. An attacker can exploit this to gain access to cross-origin URL information. (CVE-2015-7207) - The SetCookieInternal() function improperly allows control characters (e.g. ASCII code 11) to be inserted into cookies. An attacker can exploit this to inject cookies. (CVE-2015-7208) - A use-after-free error exists due to improper prevention of datachannel operations on closed PeerConnections. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-7210) - A flaw exists in the ParseURI() function due to improper handling of a hash (#) character in the data: URI. An attacker can exploit this to spoof the URL bar. (CVE-2015-7211) - An integer overflow condition exists in the readMetaData() function due to improper validation of user-supplied input when handling a specially crafted MP4 file. An attacker can exploit this to execute arbitrary code. (CVE-2015-7213) - A same-origin bypass vulnerability exists due to improper handling of 'data:' and 'view-source:' URIs. An attacker can exploit this to read data from cross-site URLs and local files. (CVE-2015-7214) - An information disclosure vulnerability exists due to improper handling of error events in web workers. An attacker can exploit this to gain access to sensitive cross-origin information. (CVE-2015-7215) - Multiple integer underflow conditions exist due to improper validation of user-supplied input when handling HTTP2 frames. An attacker can exploit these to crash the application, resulting in a denial of service. (CVE-2015-7218, CVE-2015-7219) - An overflow condition exists in the XDRBuffer::grow() function due to improper validation of user-supplied input. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7220) - An overflow condition exists in the GrowCapacity() function due to improper validation of user-supplied input. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7221) - An integer underflow condition exists in the bundled version of libstagefright in the parseChunk() function that is triggered when handling 'covr' chunks. An unauthenticated, remote attacker can exploit this, via specially crafted media content, to crash the application or execute arbitrary code. (CVE-2015-7222) - A privilege escalation vulnerability exists in the Extension.jsm script due to a failure to restrict WebExtension APIs from being injected into documents without WebExtension principals. An attacker can exploit this to conduct a cross-site scripting attack, resulting in the execution of arbitrary script code in a user's browser session. (CVE-2015-7223)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 87474
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87474
    title Firefox < 43 Multiple Vulnerabilities (Mac OS X)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2334-1.NASL
    description Mozilla Firefox was updated to version 38.5.0 esr to fix the following issues : Following security issues were fixed : - MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5) - MFSA 2015-138/CVE-2015-7210 Use-after-free in WebRTC when datachannel is used after being destroyed - MFSA 2015-139/CVE-2015-7212 Integer overflow allocating extremely large textures - MFSA 2015-145/CVE-2015-7205 Underflow through code inspection - MFSA 2015-146/CVE-2015-7213 Integer overflow in MP4 playback in 64-bit versions - MFSA 2015-147/CVE-2015-7222 Integer underflow and buffer overflow processing MP4 metadata in libstagefright - MFSA 2015-149/CVE-2015-7214 Cross-site reading attack through data and view-source URIs Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87647
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87647
    title SUSE SLED11 / SLES11 Security Update : MozillaFirefox (SUSE-SU-2015:2334-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0001.NASL
    description An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2015-7201, CVE-2015-7205, CVE-2015-7212, CVE-2015-7213) A flaw was found in the way Thunderbird handled content using the 'data:' and 'view-source:' URIs. An attacker could use this flaw to bypass the same-origin policy and read data from cross-site URLs and local files. (CVE-2015-7214) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Andrei Vaida, Jesse Ruderman, Bob Clary, Abhishek Arya, Ronald Crane, and Tsubasa Iinuma as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.5.0. You can find a link to the Mozilla advisories in the References section of this erratum. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.5.0, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87770
    published 2016-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87770
    title CentOS 5 / 6 / 7 : thunderbird (CESA-2016:0001)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-126.NASL
    description SeaMonkey was updated to 2.40 (boo#959277) to fix security issues and bugs. The following vulnerabilities were fixed : - CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature - CVE-2015-7201/CVE-2015-7202: Miscellaneous memory safety hazards - CVE-2015-7204: Crash with JavaScript variable assignment with unboxed objects - CVE-2015-7207: Same-origin policy violation using perfomance.getEntries and history navigation - CVE-2015-7208: Firefox allows for control characters to be set in cookies - CVE-2015-7210: Use-after-free in WebRTC when datachannel is used after being destroyed - CVE-2015-7212: Integer overflow allocating extremely large textures - CVE-2015-7215: Cross-origin information leak through web workers error events - CVE-2015-7211: Hash in data URI is incorrectly parsed - CVE-2015-7218/CVE-2015-7219: DOS due to malformed frames in HTTP/2 - CVE-2015-7216/CVE-2015-7217: Linux file chooser crashes on malformed images due to flaws in Jasper library - CVE-2015-7203/CVE-2015-7220/CVE-2015-7221: Buffer overflows found through code inspection - CVE-2015-7205: Underflow through code inspection - CVE-2015-7213: Integer overflow in MP4 playback in 64-bit versions - CVE-2015-7222: Integer underflow and buffer overflow processing MP4 metadata in libstagefright - CVE-2015-7223: Privilege escalation vulnerabilities in WebExtension APIs - CVE-2015-7214: Cross-site reading attack through data and view-source URIs
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88547
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88547
    title openSUSE Security Update : seamonkey (openSUSE-2016-126) (SLOTH)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2C2D1C391396459A91F5CA03EE7C64C6.NASL
    description The Mozilla Project reports : MFSA 2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5) MFSA 2015-135 Crash with JavaScript variable assignment with unboxed objects MFSA 2015-136 Same-origin policy violation using perfomance.getEntries and history navigation MFSA 2015-137 Firefox allows for control characters to be set in cookies MFSA 2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed MFSA 2015-139 Integer overflow allocating extremely large textures MFSA 2015-140 Cross-origin information leak through web workers error events MFSA 2015-141 Hash in data URI is incorrectly parsed MFSA 2015-142 DOS due to malformed frames in HTTP/2 MFSA 2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library MFSA 2015-144 Buffer overflows found through code inspection MFSA 2015-145 Underflow through code inspection MFSA 2015-146 Integer overflow in MP4 playback in 64-bit versions MFSA 2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright MFSA 2015-148 Privilege escalation vulnerabilities in WebExtension APIs MFSA 2015-149 Cross-site reading attack through data and view-source URIs
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 87385
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87385
    title FreeBSD : mozilla -- multiple vulnerabilities (2c2d1c39-1396-459a-91f5-ca03ee7c64c6)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-129.NASL
    description This update for SeaMonkey fixes the following issues : - update to SeaMonkey 2.40 (bnc#959277) - requires NSS 3.20.2 to fix MFSA 2015-150/CVE-2015-7575 (bmo#1158489) MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature - MFSA 2015-134/CVE-2015-7201/CVE-2015-7202 Miscellaneous memory safety hazards - MFSA 2015-135/CVE-2015-7204 (bmo#1216130) Crash with JavaScript variable assignment with unboxed objects - MFSA 2015-136/CVE-2015-7207 (bmo#1185256) Same-origin policy violation using perfomance.getEntries and history navigation - MFSA 2015-137/CVE-2015-7208 (bmo#1191423) Firefox allows for control characters to be set in cookies - MFSA 2015-138/CVE-2015-7210 (bmo#1218326) Use-after-free in WebRTC when datachannel is used after being destroyed - MFSA 2015-139/CVE-2015-7212 (bmo#1222809) Integer overflow allocating extremely large textures - MFSA 2015-140/CVE-2015-7215 (bmo#1160890) Cross-origin information leak through web workers error events - MFSA 2015-141/CVE-2015-7211 (bmo#1221444) Hash in data URI is incorrectly parsed - MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820) DOS due to malformed frames in HTTP/2 - MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078) Linux file chooser crashes on malformed images due to flaws in Jasper library - MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221 (bmo#1201183, bmo#1178033, bmo#1199400)
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88550
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88550
    title openSUSE Security Update : SeaMonkey (openSUSE-2016-129) (SLOTH)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-51B1105902.NASL
    description Update to latest upstream - Firefox 43 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-03-13
    plugin id 89241
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89241
    title Fedora 23 : firefox-43.0-1.fc23 (2015-51b1105902)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_43.NASL
    description The version of Firefox installed on the remote Windows host is prior to 43. It is, therefore, affected by the following vulnerabilities : - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues by convincing a user to visit a specially crafted web page, resulting in the execution of arbitrary code. (CVE-2015-7201) - Multiple unspecified memory corruption issues exist due to improper validation of user-supplied input. A remote attacker can exploit these issues by convincing a user to visit a specially crafted web page, resulting in the execution of arbitrary code. (CVE-2015-7202) - An overflow condition exists in the LoadFontFamilyData() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7203) - A flaw exists in the PropertyWriteNeedsTypeBarrier() function due to improper handling of unboxed objects during JavaScript variable assignments. A remote attacker can exploit this to execute arbitrary code. (CVE-2015-7204) - A flaw exists in the RtpHeaderParser::Parse() function due to improper handling of RTP headers. An unauthenticated, remote attacker can exploit this, via specially crafted RTP headers, to execute arbitrary code. (CVE-2015-7205) - A same-origin bypass vulnerability exists that is triggered after a redirect when the function is used alongside an iframe to host a page. An attacker can exploit this to gain access to cross-origin URL information. (CVE-2015-7207) - The SetCookieInternal() function improperly allows control characters (e.g. ASCII code 11) to be inserted into cookies. An attacker can exploit this to inject cookies. (CVE-2015-7208) - A use-after-free error exists due to improper prevention of datachannel operations on closed PeerConnections. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-7210) - A flaw exists in the ParseURI() function due to improper handling of a hash (#) character in the data: URI. An attacker can exploit this to spoof the URL bar. (CVE-2015-7211) - An overflow condition exists in the AllocateForSurface() function due to improper validation of user-supplied input when handling texture allocation in graphics operations. An attacker can exploit this to execute arbitrary code. (CVE-2015-7212) - An integer overflow condition exists in the readMetaData() function due to improper validation of user-supplied input when handling a specially crafted MP4 file. An attacker can exploit this to execute arbitrary code. (CVE-2015-7213) - A same-origin bypass vulnerability exists due to improper handling of 'data:' and 'view-source:' URIs. An attacker can exploit this to read data from cross-site URLs and local files. (CVE-2015-7214) - An information disclosure vulnerability exists due to improper handling of error events in web workers. An attacker can exploit this to gain access to sensitive cross-origin information. (CVE-2015-7215) - Multiple integer underflow conditions exist due to improper validation of user-supplied input when handling HTTP2 frames. An attacker can exploit these to crash the application, resulting in a denial of service. (CVE-2015-7218, CVE-2015-7219) - An overflow condition exists in the XDRBuffer::grow() function due to improper validation of user-supplied input. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7220) - An overflow condition exists in the GrowCapacity() function due to improper validation of user-supplied input. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-7221) - An integer underflow condition exists in the bundled version of libstagefright in the parseChunk() function that is triggered when handling 'covr' chunks. An unauthenticated, remote attacker can exploit this, via specially crafted media content, to crash the application or execute arbitrary code. (CVE-2015-7222) - A privilege escalation vulnerability exists in the Extension.jsm script due to a failure to restrict WebExtension APIs from being injected into documents without WebExtension principals. An attacker can exploit this to conduct a cross-site scripting attack, resulting in the execution of arbitrary script code in a user's browser session. (CVE-2015-7223)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 87476
    published 2015-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87476
    title Firefox < 43 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2833-1.NASL
    description