Bug 1195621 (CVE-2015-0828)

Summary:	CVE-2015-0828 Mozilla: Double-free when using non-default memory allocators with a zero-length XHR (MFSA 2015-18)
Product:	[Other] Security Response	Reporter:	Huzaifa S. Sidhpurwala <huzaifas>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	jrusnack, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-02-24 18:59:01 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1193790

Description Huzaifa S. Sidhpurwala 2015-02-24 08:09:23 UTC

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team and Mozilla security developer Gary Kwong used the Address Sanitizer tool to discover a double-free error when sending a zero-length XmlHttpRequest (XHR). This was due to errors in memory allocation when using different memory allocator libraries than jemalloc used by Mozilla builds. When those other memory allocators are used to for build compilation, this could cause a potentially exploitable crash during some XHR actions.

This vulnerability does not happen in Firefox as built by Mozilla, but can occur when Firefox is built using a memory allocator that follows older pre-standard behaviors. 


External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-18


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Abhishek Arya as the original reporter.

Statement:

This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.