Topic: [sec] firefox, firefox-kde: local file stealing via PDF reader

Offline Kirek

  • Core Team
  • *****
  • Posts: 1209
  • Branch: unstable
  • Desktop: Plasma 5
  • GPU Card: Intel HD4000 + Nvidia 620M / GeForce GTX 970
  • GPU driver: nonfree
  • Kernel: Latest
  • Skill: Intermediate
Quote
Arch Linux Security Advisory ASA-201508-1
=========================================

Severity: Critical
Date    : 2015-08-07
CVE-ID  : CVE-2015-4495
Package : firefox
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 39.0.3-1 is vulnerable to local file
stealing.

Resolution
==========

Upgrade to 39.0.3-1.

# pacman -Syu "firefox>=39.0.3-1"

The problem has been fixed upstream in version 39.0.3.

Workaround
==========

This issue can be mitigated by disabling the built-in PDF viewer, PDF.js.

This can be done by typing about:config in the address bar, pressing
Enter, looking for the pdfjs.disabled value and setting it to True by
right-clicking on the line and left-clicking "Toggle". Note that
accessing the about:config page might trigger a "This might void your
warranty!" warning, easily dismissed by clicking on the "I'll be
careful, I promise!" button.

Description
===========

Security researcher Cody Crews reported on a way to violate the same
origin policy and inject script into a non-privileged part of the
built-in PDF Viewer. This would allow an attacker to read and steal
sensitive local files on the victim's computer.

Mozilla has received reports that an exploit based on this vulnerability
has been found in the wild.

Impact
======

A remote attacker can craft a malicious web page stealing arbitrary
files from the host running firefox.
Mozilla reports that this flaw is already exploited in the wild. At
least one exploit is targeting Linux and reads /etc/passwd, then in all
the user directories it can access looks for .bash_history,
.mysql_history, .pgsql_history, .ssh configuration files and keys,
configuration files for Remmina, FileZilla, and Psi+, text files with
“pass” and “access” in the names, and any shell scripts.

References
==========

https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://access.redhat.com/security/cve/CVE-2015-4495
https://access.redhat.com/articles/1563163

firefox version will be 39.0.3-0.1 until the next stable update.
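
Added example, not part of the advisory or of the post above: a POSIX shell triage for the Resolution and Workaround sections. It compares only the upstream part of the installed version with 39.0.3, so the 39.0.3-0.1 build mentioned in the post is not flagged, and checks each profile's prefs.js for pdfjs.disabled. The function names, exit codes and profile path are assumptions of this example, as is the premise that a package with pkgver 39.0.3 or later is built from the fixed upstream source.

```shell
#!/bin/sh
# Added example: triage a pacman-based host for CVE-2015-4495.
FIXED_UPSTREAM="39.0.3"   # upstream fix version stated in the advisory

# "1:39.0.3-0.1" -> "39.0.3": drop an optional epoch and the pkgrel suffix.
upstream_ver() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# Succeeds when the package version contains the upstream fix. Only the
# upstream part is compared, so a rebuild such as 39.0.3-0.1 (lower pkgrel
# than the advisory's 39.0.3-1) is not reported as vulnerable.
# Assumption: pkgver >= 39.0.3 means the fixed upstream source was packaged.
has_fix() {
    lowest=$(printf '%s\n' "$FIXED_UPSTREAM" "$(upstream_ver "$1")" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_UPSTREAM" ]
}

# Succeeds when a prefs.js or user.js file applies the advisory's workaround.
pdfjs_disabled() {
    grep -Eq '^[[:space:]]*user_pref\("pdfjs\.disabled",[[:space:]]*true\);' "$1"
}

# Exit status: 0 fixed, 1 unpatched but workaround set in every profile,
# 2 unpatched with PDF.js enabled (or no profile found to check).
triage() {
    ver=$1; shift
    if has_fix "$ver"; then echo "firefox $ver: fixed"; return 0; fi
    seen=0 exposed=0
    for prefs in "$@"; do
        [ -f "$prefs" ] || continue
        seen=1
        if pdfjs_disabled "$prefs"; then
            echo "firefox $ver: unpatched, workaround set in $prefs"
        else
            echo "firefox $ver: unpatched, PDF.js enabled in $prefs"
            exposed=1
        fi
    done
    [ "$seen" -eq 1 ] && [ "$exposed" -eq 0 ] && return 1
    return 2
}

# Live check; skipped where pacman is absent. Profile path is the Linux default.
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q firefox 2>/dev/null | awk '{print $2}')
    [ -n "$installed" ] && triage "$installed" "$HOME"/.mozilla/firefox/*/prefs.js || true
fi
```

A host that ran an unpatched version while the exploit was circulating should still treat the file types listed under Impact as exposed, whatever this check reports today.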

Offline whm1974

  • Jr. Mitglied
  • **
  • Posts: 52
  • I'm new. Be nice!
  • Skill: Intermediate
Re: [sec] firefox, firefox-kde: local file stealing via PDF reader
« Reply #2 on: 25. December 2015, 21:36:30 »
Has this issue been fixed?

Offline scachemaille

  • Held Mitglied
  • *****
  • Posts: 528
  • I'm new. Be nice!
  • Branch: Unstable
  • Desktop: Plasma 5
  • GPU Card: nVidia GT 330M
  • GPU driver: Nouveau
  • Kernel: 4.8_x64
  • Skill: Intermediate
Re: [sec] firefox, firefox-kde: local file stealing via PDF reader
« Reply #3 on: 25. December 2015, 22:11:18 »
Quote
Has this issue been fixed?

They clearly say it's fixed since version 39.0.3.
We now have version 43.0.1, so yes, it's fixed.

Offline CyberWolf2k14

  • Held Mitglied
  • *****
  • Posts: 1184
  • Computers make very fast, very accurate mistakes.
  • Branch: Stable-sysd229-LightDM
  • Desktop: MATE/Cinnamon/GNOME
  • GPU Card: nVidia GeForce GT740
  • GPU driver: nVidia-NF-364.19
  • Kernel: 4.4.9x64 / 4.2.8.9x64 / 4.1.23x64
  • Skill: Intermediate
Re: [sec] firefox, firefox-kde: local file stealing via PDF reader
« Reply #4 on: 26. December 2015, 00:43:04 »
Quote
They clearly say it's fixed since version 39.0.3.
We now have version 43.0.1, so yes, it's fixed.

So speaketh the force endowed Penguin of Power.  ;)
PowerSpec Quad core Intel Core i5-4690K w/ 16GB RAM
Dual Boot = Win 7 Ult x64 and Manjaro 15.12 x64
===================================================
"A computer lets you make more mistakes faster than any invention in human history...
with the possible exceptions of handguns and tequila".

Offline Fatboy

  • Sr. Mitglied
  • ****
  • Posts: 323
  • "Spiral out. Keep going..."
  • Branch: stable
  • Desktop: Xfce, KDE plasma 5
  • GPU Card: nVidia GeForce 210
  • GPU driver: 340.xx
  • Kernel: Manjaro Kernel 4.4 LTS
  • Skill: Intermediate
Re: [sec] firefox, firefox-kde: local file stealing via PDF reader
« Reply #5 on: 22. April 2016, 15:03:09 »
The internet seems to be a more dangerous place than swimming in a pool of great white sharks. Gawd Dangit! haha
This truly augments my paranoia :/
"I'm reaching for the random or whatever will bewilder me. Whatever will bewilder me."

Offline jonathon

  • Core Team
  • *****
  • Posts: 2104
  • Technologist - Teacher - Tea drinker
  • Branch: Unstable
  • Desktop: MATE 1.14
  • GPU Card: Nvidia GTX680M
  • GPU driver: Bumblebee nvidia+intel
  • Kernel: 4.6.0-*-MANJARO x86_64
  • Skill: Advanced
Re: [sec] firefox, firefox-kde: local file stealing via PDF reader
« Reply #6 on: 22. April 2016, 15:13:11 »
Why bump old security advisories?
--
MSI GT70: Core i7-3630QM, 16GB, Nvidia GTX680M, Intel 2230, Manjaro-MATE-amd64-EFI
Lenovo X230: Core i5-3320M, 4GB, Intel HD4000, Intel 6205, Manjaro-MATE-amd64
Dell Studio 1749: Core i5 540, 8GB, ATi HD5650, Intel WLAN, Manjaro-Xfce-amd64
Let's go in the garden; you'll find something waiting.