Sec-Advisory-Undecided B2G 2.2
- Resolution: FIXED
- Classification: Client Software, Components
- Keywords: sec-critical, sec-high
- Whiteboard: [b2g-adv-main2.2
- status-b2g-v2.2: affected, verified, fixed
- Whiteboard: (does not contain the string) [b2g-adv-main2.2-]
- Whiteboard: (does not contain the string) [b2g-adv-main2.2+]
- Whiteboard: (does not match regular expression) \[adv-[a-zA-Z0-9_.]*\+]
47 bugs found.
| ID | Product | Comp | Status▲ | Summary | status-firefox37 | status-b2g-v2.2 | status-b2g-v2.1 | Whiteboard | Keywords |
|---|---|---|---|---|---|---|---|---|---|
| 1141749 | Core | WebRTC: Signaling | RESO | Prevent SSRC collisions in local tracks | fixed | fixed | unaffected | [post-critsmash-triage] | sec-high |
| 1123492 | Core | Audio/Video | RESO |
Track |
fixed | fixed | unaffected | csectype-uaf, sec-high | |
| 1090142 | Core | DOM: Workers | RESO |
Use After Free in Web |
--- | fixed | unaffected | [reporter-external] | csectype-uaf, regression, sec-critical |
| 1112307 | Core | DOM: Core & HTML | RESO |
Web |
fixed | fixed | unaffected | sec-high | |
| 1123021 | Core | DOM: Workers | RESO |
Use After Free in Web |
fixed | fixed | unaffected | csectype-uaf, sec-critical | |
| 1210413 | Core | DOM: Security | RESO |
anonymous CORS sends cookies to cross-origin redirects in |
--- | affected | affected | [b2g-adv-main2.5?] | sec-high |
| 1081703 | Core | Storage: IndexedDB | RESO |
crash in mozilla::dom::indexed |
--- | fixed | unaffected | [2.2-Daily-Testing] | crash, csectype-uaf, regression, sec-critical |
| 1122750 | Core | DOM: Core & HTML | RESO |
Crash [@ mozilla::detail::Atomic |
fixed | fixed | unaffected | [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-] | crash, regression, sec-high |
| 1084280 | Core | JavaScript Engine | RESO | Regexp freeze | --- | fixed | fixed | Fx 32-35 requires non-default pref to be vulnerable | regression, sec-critical, testcase |
| 1092388 | Core | DOM: Core & HTML | RESO |
ns |
--- | fixed | fixed | [adv-main35-][adv-esr31.4-][embargo until bug 1110614 fixed] | csectype-priv-escalation, regression, sec-high |
| 1127198 | Core | CSS Parsing and Comp | RESO |
Clear |
fixed | fixed | unaffected | csectype-bounds, sec-high | |
| 1099414 | Core | WebRTC: Networking | RESO |
memory management issues in n |
disabled | fixed | fixed | [b2g-adv-main2.2?] | csectype-uaf, sec-high |
| 1113005 | Core | XPCOM | RESO |
Heap-buffer-overflow in ns |
fixed | fixed | unaffected | csectype-bounds, regression, sec-critical | |
| 1094930 | Core | DOM: Core & HTML | RESO |
compartment mismatch in ns |
--- | fixed | --- | sec-high | |
| 1101576 | Core | JavaScript Engine: J | RESO |
Assertion failure: Integer input should be equal or highe |
--- | fixed | unaffected | [jsbugmon:] | assertion, regression, sec-high, testcase |
| 1064670 | NSS | Libraries | RESO |
ASN |
fixed | fixed | affected | [adv-main36-] sec-low/moderate after fix in bug 1064636, we don't know of any other exploitable paths | sec-critical |
| 1111065 | Core | IPC | RESO | Inadequate robustness of Chromium IPC Pickle code | fixed | fixed | fixed | [adv-main37-][post-critsmash-triage] | csectype-bounds, csectype-uninitialized, sec-high |
| 1111079 | Core | IPC | RESO | Chromium IPC channel bug: use-after-free in IPC::Channel:... | fixed | fixed | fixed | [adv-main37-][post-critsmash-triage] | csectype-uaf, sec-high |
| 1070990 | Core | DOM: Core & HTML | RESO |
B2G crash in JSAuto |
--- | fixed | unaffected | [b2g-crash] | crash, csectype-uaf, regression, sec-critical |
| 1097253 | Core | JavaScript Engine | RESO |
SIGBUS due to unaligned Typed |
--- | fixed | unaffected | regression, sec-high | |
| 1149605 | Core | Audio/Video | RESO |
Security Vulnerability in Stage |
wontfix | fixed | fixed | [Android and B2G] Embargo until July 8, 2015 (needs a fix in Firefox 39) [adv-main38-] | sec-critical |
| 1184871 | Core | Audio/Video: Playbac | RESO |
Stagefright: heap-use-after-free crash [@stagefright::ESD |
--- | fixed | wontfix | [b2g-adv-main2.5+][fixed by 1186718] | crash, csectype-uaf, sec-critical, testcase |
| 1148328 | Core | Networking: HTTP | RESO | Server certificate verification bypass with Alt-Svc | verified | fixed | unaffected | csectype-sop, sec-critical | |
| 1147188 | Core | Storage: IndexedDB | RESO |
Security checks in Indexed |
wontfix | fixed | --- | [adv-main39-] | sec-high |
| 1076983 | Core | Security: PSM | RESO |
Padding oracle attack on SSL 3 |
--- | fixed | fixed | [adv-main34-][adv-esr31.3-] | relnote, sec-high |
| 1072877 | Core | Graphics: Layers | RESO |
IPC: heap-buffer-overflow crash [@mozilla::layers::Tile |
--- | fixed | fixed | [fuzzblocker] | crash, csectype-bounds, sec-critical, testcase |
| 1064320 | Core | Security | RESO |
NSC |
--- | fixed | fixed | csectype-uninitialized, sec-high | |
| 1183901 | Core | DOM: Core & HTML | RESO |
Distributed |
--- | fixed | wontfix | [adv-main42-] | sec-high |
| 1184065 | Core | DOM: Core & HTML | RESO |
Destination |
--- | fixed | wontfix | [post-critsmash-triage] | sec-high |
| 1163583 | Core | Layout | RESO |
Heap-buffer-overflow in ns |
--- | fixed | unaffected | [systemsfe] | csectype-bounds, regression, sec-critical, testcase |
| 1082734 | Core | DOM: Core & HTML | VERI |
Saving window |
--- | fixed | fixed | csectype-disclosure, regression, sec-high | |
| 1089328 | Core | DOM: Workers | VERI |
Use-After-Free in Worker |
--- | fixed | unaffected | [reporter-external] | csectype-uaf, regression, sec-critical |
| 1089665 | Core | JavaScript Engine | VERI |
Assertion failure: (*dictp)->in |
--- | fixed | unaffected | [reporter-external] | regression, sec-high |
| 1096016 | Core | JavaScript Engine | VERI |
Crash [@ compartment] or Crash [@ Object |
--- | fixed | unaffected | [jsbugmon:update] | crash, regression, sec-high, testcase |
| 1096023 | Core | JavaScript Engine | VERI |
Assertion failure: offset < length(), at jsscript |
--- | fixed | unaffected | [jsbugmon:update] | assertion, regression, sec-critical, testcase |
| 1066089 | Core | CSS Parsing and Comp | VERI |
Heap-use-after-free in mozilla::Custom |
--- | fixed | unaffected | crash, csectype-uaf, regression, sec-critical, testcase | |
| 1124563 | Core | JavaScript Engine | VERI |
Assertion failure: obj->last |
fixed | fixed | unaffected | [jsbugmon:update][adv-main36-] | assertion, csectype-uaf, regression, sec-high, testcase |
| 1085464 | Core | JavaScript Engine: J | VERI |
Crash [@ js::Generator |
--- | fixed | unaffected | [jsbugmon:update] | assertion, crash, regression, sec-critical, testcase |
| 1076918 | Core | CSS Parsing and Comp | VERI |
Heap-buffer-overflow in ns |
--- | fixed | unaffected | crash, csectype-bounds, regression, sec-high, testcase | |
| 1164766 | Core | Graphics: Canvas2D | VERI |
use-after-free (& crash) after style flush in Canvas |
--- | fixed | wontfix | [QA: when verifying fix, please test all testcases on duplicate bug 1175278] ZDI will disclose October 2015 (Firefox 41)[b2g-adv-main2.5+] | crash, csectype-uaf, regression, reproducible, sec-critical, testcase |
| 1063653 | Core | JavaScript Engine: J | VERI |
Crash [@ js::jit::LRecover |
--- | fixed | fixed | [fuzzblocker][jsbugmon:update] | crash, regression, sec-high, testcase |
| 1073350 | Core | WebRTC | VERI |
Web |
--- | fixed | fixed | crash, csectype-bounds, sec-high, testcase | |
| 1077274 | Core | WebRTC: Audio/Video | VERI | Dead object dereference if <video> GC'd before page closes | --- | fixed | fixed | csectype-uaf, regression, sec-critical | |
| 1082986 | Core | Graphics: Layers | VERI |
Exploitable crash in mozilla::layers::Image |
--- | fixed | unaffected | crash, csectype-uaf, regression, sec-critical | |
| 1145255 | Core | JavaScript Engine | VERI |
Incorrect asm |
verified | fixed | fixed | [post-critsmash-triage][adv-main37-][adv-esr31.6-][jsbugmon:update,testComment=13,origRev=2e2222a40262] 32-bit | crash, csectype-bounds, regression, sec-critical, testcase |
| 1077991 | Core | JavaScript Engine | VERI |
Crash [@ Get |
--- | fixed | unaffected | [jsbugmon:update] | crash, regression, sec-high, testcase |
| 1075336 | Core | CSS Parsing and Comp | VERI |
Heap-use-after-free in mozilla::Custom |
--- | fixed | fixed | [adv-main33-] | crash, csectype-uaf, regression, sec-critical, testcase |
|
REST |
CSV |
Feed |
iCalendar
Change Columns |
Edit Search |