Bug 925396 (CVE-2015-0811)

Summary: VUL-0: CVE-2015-0811: MozillaFirefox: Out of bounds read in QCMS library (MFSA 2015-34)
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: pcerny, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 13.2   
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 925368    

Description Andreas Stieger 2015-04-01 10:32:54 UTC 
https://www.mozilla.org/en-US/security/advisories/mfsa2015-34/

Out of bounds read in QCMS library

Announced:     March 31, 2015
Reporter:     Felix Gröbert
Impact:     Moderate
Products:     Firefox
Fixed in: Firefox 37

Description

Security researcher Felix Gröbert of Google used the Address Sanitizer tool to discover an out of bounds read in the QCMS color management library while transforming images with certain parameters. This could lead to information disclosure.
References


References:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-34/
https://bugzilla.mozilla.org/show_bug.cgi?id=1132468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0811
Comment 1 Andreas Stieger 2015-04-01 15:04:49 UTC 
Update for openSUSE 13.1 and 13.2 is running, assigning openSUSE only bugs back to security team.
Comment 2 Andreas Stieger 2015-04-02 08:44:05 UTC 
merge into parent

*** This bug has been marked as a duplicate of bug 925368 ***
Comment 3 Swamp Workflow Management 2015-04-08 09:05:51 UTC 
openSUSE-SU-2015:0677-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 925368,925392,925393,925394,925395,925396,925397,925398,925399,925400,925401,925402,926166
CVE References: CVE-2015-0799,CVE-2015-0801,CVE-2015-0802,CVE-2015-0803,CVE-2015-0804,CVE-2015-0805,CVE-2015-0806,CVE-2015-0807,CVE-2015-0808,CVE-2015-0811,CVE-2015-0812,CVE-2015-0813,CVE-2015-0814,CVE-2015-0815,CVE-2015-0816
Sources used:
openSUSE 13.2 (src):    MozillaFirefox-37.0.1-23.1, MozillaThunderbird-31.6.0-15.3, mozilla-nspr-4.10.8-6.1
openSUSE 13.1 (src):    MozillaFirefox-37.0.1-68.1, MozillaThunderbird-31.6.0-70.50.2, mozilla-nspr-4.10.8-22.1