LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

mancha 08-07-2015 01:26 AM

Update 20150807 UTC

  1. Mozilla Firefox

    A flaw was discovered in Firefox that permits the violation of same origin policy and injection of script into a non-privileged part
    of the built-in PDF viewer. This allows an attacker to read and steal sensitive local files on a victim's computer. (CVE-2015-4495)

    Mozilla has received numerous reports of active exploitation in the wild.

    Recommendation: Slackware users should upgrade to Firefox 39.0.3, asap.

    Note: Slackware 14.1 ships FF ESR 31 which has EOL'd in favor of FF ESR 38. Slackware 14.1 users who wish to remain on the
    ESR track should upgrade to ESR 38.1.1 to address this flaw. Alternatively, they can use ruario's script (see earlier posts for
    instructions) to install Mozilla's build of 39.0.3.

--mancha

j_v 08-07-2015 06:11 AM

I've just built and upgraded to 38.1.1esr. Be aware that there are changes in how this firefox handles profiles. I highly recommend backing up the .mozilla folder before starting the newly installed firefox. I've already needed the back up for restoring some of my preferences.

mancha 08-07-2015 12:44 PM

Update

Regarding the Firefox flaw (CVE-2015-4495) I report above, Mozilla published a blog entry that briefly describes one exploit found in
the wild that uses this vulnerability to steal files from Windows and Linux systems and uploads them to what appears to be a machine
in Ukraine.

They recommend changing passwords/keys in certain files targeted by that particular exploit. I would err on the side of caution and
expand the recommendation to include all password/keys accessible by the Firefox process.

--mancha

ponce 08-07-2015 01:09 PM

thanks for the heads-up, mancha: a reason more to keep using adblock and noscript extensions.

j_v 08-07-2015 03:11 PM

It's weird, that CVE number comes up as reserved at http://cve.mitre.org/cgi-bin/cvename...=CVE-2015-4495.
But a search for the exploit here https://web.nvd.nist.gov/view/vuln/s...execution=e2s1
brings up https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-2743.

Is this perhaps the syntax change that mitre.org is describing?

slalik 08-07-2015 04:00 PM

CVE-2015-4495 is very impressive :-(. Does it mean that Firefox users must update all certificates, ssh, gpg keys etc.?

cwizardone 08-08-2015 12:23 AM

Quote:

Originally Posted by mancha (Post 5402509)
Update

Regarding the Firefox flaw (CVE-2015-4495) I report above, Mozilla published a blog entry that briefly describes one exploit found in
the wild that uses this vulnerability to steal files from Windows and Linux systems and uploads them to what appears to be a machine
in Ukraine.

They recommend changing passwords/keys in certain files targeted by that particular exploit. I would err on the side of caution and
expand the recommendation to include all password/keys accessible by the Firefox process.

--mancha

Mancha,
Where does that leave users of SeaMonkey, which hasn't been updated since March?
Thanks.

MadMaverick9 08-08-2015 12:49 AM

Uh ... just disable the builtin pdf viewer in firefox?!?!?!?!

Set "pdfjs.disabled" to true in "about:config".

mupdf and evince do not have javascript builtin.

From the mupdf slackbuild:
Code:

MUJS="${MUJS:-no}"

MadMaverick9 08-08-2015 01:01 AM

Quote:

Originally Posted by cwizardone (Post 5402755)
Mancha,
Where does that leave users of SeaMonkey, which hasn't been updated since March?
Thanks.

From reading this [@mozillazine.org] it seems that Seamonkey does not have the pdf viewer built in. It needs to be explicitly installed.

drgibbon 08-08-2015 03:17 AM

Quote:

Originally Posted by ponce (Post 5402521)
thanks for the heads-up, mancha: a reason more to keep using adblock and noscript extensions.

You could also firejail the Firefox process, and when run with the default profile
Code:

firejail --profile=/etc/firejail/firefox.profile --caps firefox
it blocks process access to the user's config directories for gpg, kwallet, gnome keyring, and a few other things. You can add your own directories to block, and although it uses a blacklist system, it works. Firejail tutorial for Firefox here.

1337_powerslacker 08-08-2015 09:47 AM

Quote:

Originally Posted by drgibbon (Post 5402790)
You could also firejail the Firefox process, and when run with the default profile
Code:

firejail --profile=/etc/firejail/firefox.profile --caps firefox
it blocks process access to the user's config directories for gpg, kwallet, gnome keyring, and a few other things. You can add your own directories to block, and although it uses a blacklist system, it works. Firejail tutorial for Firefox here.

drgibbon, thanks for the heads-up about firejail! It is most useful in this day and age where every application and its cousin has to have some kind of access to the Internet. :)

j_v 08-08-2015 12:29 PM

Just as a heads up, firejail is available at SBo http://slackbuilds.org/repository/14.1/system/firejail/
I'm going to try it after I post this.

EDIT: the version in the SlackBuild is a bit old, but substituting the newer version (0.9.28) in the script, it builds without errors.

POST EDIT: running a simple instance of
Code:

firejail firefox
right now. I need to read up more about and utilize firejail's options, but initial impression is that it doesn't break anything yet and I hardly notice it there. Thanks for the pointer to this, drgibbon.

LAST EDIT: I noticed that if you try to start firefox jailed by firejail and you already have an instance of firefox running unjailed, firejail will close and the new firefox is attaching (this is a guess) to the existing firefox process. If you ensure that the first firefox is firejail'd, then it seems that new firefox windows get immediated jailed (another guess, will try to debug to be sure). The dev for firejail seems to be very active and very responsive, so I am encouraged about this.

j_v 08-08-2015 01:57 PM

Updates for ca-certificates, mozilla-nss, mozilla-firefox have been released for both 14.1 and current.

slalik 08-08-2015 02:33 PM

What is better approach, firejail or running firefox under a different user like "Skype with a grain of salt"?

drgibbon 08-08-2015 07:59 PM

Quote:

Originally Posted by j_v (Post 5402939)
POST EDIT: running a simple instance of
Code:

firejail firefox
right now.

For some reason that didn't work for me, I had to explicitly load the Firefox profile from the command line as above. I tested it by adding:
Code:

blacklist {HOME}/documents
to /etc/firejail/firefox.profile and it was only when supplying the profile to the firejail call that access to ~/documents was denied (by Ctrl-O and browsing to ~/documents in Firefox), but YMMV.


All times are GMT -5. The time now is 03:13 AM.