913103 – (CVE-2014-8637) VUL-0: CVE-2014-8637: MozillaFirefox: Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initializememory for BMP imag...

Bug 913103 (CVE-2014-8637) - VUL-0: CVE-2014-8637: MozillaFirefox: Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initializememory for BMP imag...

Summary: VUL-0: CVE-2014-8637: MozillaFirefox: Mozilla Firefox before 35.0 and SeaMonk...

Status:	RESOLVED FIXED

Alias:	CVE-2014-8637

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2015-01-22
Assignee:	Petr Cerny
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/112363/
Whiteboard:	maint:released:sle10-sp3:60233 maint:...
Keywords:

Depends on:	910669
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2015-01-14 15:18 UTC by Victor Pereira
Modified:	2015-02-02 14:19 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2015-01-14 15:18:55 UTC

CVE-2014-8637

Mozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initialize
memory for BMP images, which allows remote attackers to obtain sensitive
information from process memory via a crafted web page that triggers the
rendering of malformed BMP data within a CANVAS element.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8637
https://bugzilla.mozilla.org/show_bug.cgi?id=1094536
http://www.mozilla.org/security/announce/2014/mfsa2015-02.html

Comment 1 Swamp Workflow Management 2015-01-14 23:03:01 UTC

bugbot adjusting priority

Comment 2 Swamp Workflow Management 2015-01-15 10:15:19 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-01-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60231

Comment 3 Swamp Workflow Management 2015-01-31 00:10:38 UTC

SUSE-SU-2015:0180-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 910647,910669,913064,913066,913067,913068,913102,913103,913104
CVE References: CVE-2014-1569,CVE-2014-8634,CVE-2014-8636,CVE-2014-8637,CVE-2014-8638,CVE-2014-8639,CVE-2014-8640,CVE-2014-8641
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    MozillaFirefox-31.4.0esr-0.8.7, mozilla-nss-3.17.3-0.8.11
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    MozillaFirefox-31.4.0esr-0.8.7, mozilla-nss-3.17.3-0.8.11
SUSE Linux Enterprise Server 11 SP3 (src):    MozillaFirefox-31.4.0esr-0.8.7, mozilla-nss-3.17.3-0.8.11
SUSE Linux Enterprise Desktop 11 SP3 (src):    MozillaFirefox-31.4.0esr-0.8.7, mozilla-nss-3.17.3-0.8.11

Comment 4 Marcus Meissner 2015-02-02 14:19:19 UTC

released