USN-2424-1

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/notices/USN-2424-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2424-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-2424-1
Upstream
Related
Published
2014-12-02T20:24:01Z
Modified
2026-02-10T04:40:51Z
Summary
firefox vulnerabilities
Details

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas Werner, Christian Holler, Jon Coppeard, Eric Rahm, Byron Campen, Eric Rescorla, and Xidorn Quan discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1587, CVE-2014-1588)

Cody Crews discovered a way to trigger chrome-level XBL bindings from web content in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2014-1589)

Joe Vennix discovered a crash when using XMLHttpRequest in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2014-1590)

Muneaki Nishimura discovered that CSP violation reports did not remove path information in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2014-1591)

Berend-Jan Wever discovered a use-after-free during HTML parsing. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1592)

Abhishek Arya discovered a buffer overflow when parsing media content. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1593)

Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the compositor. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause undefined behaviour, a denial of service via application crash or execute abitrary code with the privileges of the user invoking Firefox. (CVE-2014-1594)

References

Affected packages

Ubuntu:14.04:LTS / firefox

Package

Name
firefox
Purl
pkg:deb/ubuntu/firefox@34.0+build2-0ubuntu0.14.04.1?arch=source&distro=trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
34.0+build2-0ubuntu0.14.04.1

Affected versions

24.*
24.0+build1-0ubuntu1
25.*
25.0+build3-0ubuntu0.13.10.1
28.*
28.0~b2+build1-0ubuntu2
28.0+build1-0ubuntu1
28.0+build2-0ubuntu1
28.0+build2-0ubuntu2
29.*
29.0+build1-0ubuntu0.14.04.2
30.*
30.0+build1-0ubuntu0.14.04.3
31.*
31.0+build1-0ubuntu0.14.04.1
32.*
32.0+build1-0ubuntu0.14.04.1
32.0.3+build1-0ubuntu0.14.04.1
33.*
33.0+build2-0ubuntu0.14.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "34.0+build2-0ubuntu0.14.04.1",
            "binary_name": "firefox"
        },
        {
            "binary_version": "34.0+build2-0ubuntu0.14.04.1",
            "binary_name": "firefox-dev"
        },
        {
            "binary_version": "34.0+build2-0ubuntu0.14.04.1",
            "binary_name": "firefox-globalmenu"
        },
        {
            "binary_version": "34.0+build2-0ubuntu0.14.04.1",
            "binary_name": "firefox-mozsymbols"
        },
        {
            "binary_version": "34.0+build2-0ubuntu0.14.04.1",
            "binary_name": "firefox-testsuite"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map 
{
    "cves": [
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1587"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1588"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1589"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1590"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1591"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1592"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1593"
        },
        {
            "severity": [
                {
                    "score": "medium",
                    "type": "Ubuntu"
                }
            ],
            "id": "CVE-2014-1594"
        }
    ],
    "ecosystem": "Ubuntu:14.04:LTS"
}
source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2424-1.json"