firefox-39.0.3

[Fernando de Oliveira]

​https://ftp.mozilla.org/pub/firefox/releases/39.0.3/source/firefox-39.0.3.source.tar.bz2

​https://ftp.mozilla.org/pub/firefox/releases/39.0.3/MD5SUMS

md5sum: 6ef31cbd34d9905a0648104d916269cb

Vulnerability

• It's possible to read local files or perform privilege escalation by using a native setter (CVE-2015-4495)

​https://bugzilla.mozilla.org/show_bug.cgi?id=1178058

​http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495

• Remove PlayPreview registration from PDF Viewer

​https://bugzilla.mozilla.org/show_bug.cgi?id=1179262

​https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

Same origin violation and local file stealing via PDF reader

Announced    August 6, 2015
Reporter     Cody Crews
Impact       Critical
Products     Firefox, Firefox ESR
Fixed in     • Firefox 39.0.3
             • Firefox ESR 38.1.1

Description

Security researcher Cody Crews reported on a way to violate the same
origin policy and inject script into a non-privileged part of the
built-in PDF Viewer. This would allow an attacker to read and steal
sensitive local files on the victim's computer.

Mozilla has received reports that an exploit based on this vulnerability
has been found in the wild.

References

  • It's possible to read local files or perform privilege escalation
    by using a native setter (CVE-2015-4495)
  • Remove PlayPreview registration from PDF Viewer

​https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39.0.3

Fixed in Firefox 39.0.3

  • Critical
    2015-78 Same origin violation and local file stealing via PDF reader

​https://www.mozilla.org/en-US/firefox/39.0.3/releasenotes/

What’s New

    Reference: Release notes for Firefox 39.0

  • Fixed Various security fixes

[Fernando de Oliveira]

• Update to tcsh-6.19.00.
• Update to fribidi-0.19.7.
• Update to subversion-1.9.0.
• Update to mariadb-10.0.21.
• Update to firefox-39.0.3.
• SDL-1.2.15: Move "--disable-sdl-dlopen" to option.

Fixed at r16332.