Bug 1236964 (CVE-2015-2743)

Summary: CVE-2015-2743 Mozilla: Privilege escalation through internal workers (MFSA 2015-69)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jhorak, jrusnack, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was discovered in Mozilla's PDF.js PDF file viewer. When combined with another vulnerability, it could allow execution of arbitrary code with the privileges of the user running Firefox.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-06 04:27:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1235754    

Description Huzaifa S. Sidhpurwala 2015-06-30 05:19:33 UTC
Mozilla community member Jonas Jenwald reported broken behavior in Mozilla's PDF.js PDF file viewer which led to the discovery that internal Workers were incorrectly executed with high privilege. If this flaw were combined with a separate vulnerability allowing for same-origin policy violation, it could be used to run arbitrary code. 

External Reference:



Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Jonas Jenwald as the original reporter.

Comment 1 errata-xmlrpc 2015-07-03 05:13:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2015:1207 https://rhn.redhat.com/errata/RHSA-2015-1207.html

Comment 2 Huzaifa S. Sidhpurwala 2015-07-06 04:27:53 UTC

This issue does not affect the version of thunderbird package, as shipped with Red Hat Enterprise Linux 5, 6 and 7.