CVE-2015-4493: Buffer Overflow
First published: Sun Aug 16 2015(Updated: )
Heap-based buffer overflow in the stagefright::ESDS::parseESDescriptor function in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to execute arbitrary code via an invalid size field in an esds chunk in MPEG-4 video data, a related issue to CVE-2015-1539.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 | |
| Firefox | <=39.0.3 | |
| Firefox | =38.0 | |
| Firefox | =38.0.1 | |
| Firefox | =38.0.5 | |
| Firefox | =38.1.0 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| openSUSE | =13.1 | |
| openSUSE | =13.2 | |
| Firefox ESR | =38.0 | |
| Firefox ESR | =38.0.1 | |
| Firefox ESR | =38.0.5 | |
| Firefox ESR | =38.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
- http://lists.opensuse.org/opensuse-updates/2015-08/msg00030.html
- http://lists.opensuse.org/opensuse-updates/2015-08/msg00031.html
- http://rhn.redhat.com/errata/RHSA-2015-1586.html
- http://www.debian.org/security/2015/dsa-3333
- http://www.mozilla.org/security/announce/2015/mfsa2015-83.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securitytracker.com/id/1033247
- http://www.ubuntu.com/usn/USN-2702-1
- http://www.ubuntu.com/usn/USN-2702-2
- http://www.ubuntu.com/usn/USN-2702-3
- https://bugzilla.mozilla.org/show_bug.cgi?id=1186718
- https://hg.mozilla.org/mozilla-central/rev/a674c7019cb5
- https://security.gentoo.org/glsa/201605-06
Frequently Asked Questions
What is the severity of CVE-2015-4493?
CVE-2015-4493 is considered critical due to its potential to allow remote code execution.
How do I fix CVE-2015-4493?
To fix CVE-2015-4493, update Mozilla Firefox to version 40.0 or later, or Firefox ESR to version 38.2 or later.
What versions of Firefox are affected by CVE-2015-4493?
CVE-2015-4493 affects Firefox versions prior to 40.0 and Firefox ESR versions prior to 38.2.
Can CVE-2015-4493 be exploited remotely?
Yes, CVE-2015-4493 can be exploited remotely through crafted MPEG-4 video data.
What types of systems are vulnerable to CVE-2015-4493?
CVE-2015-4493 primarily affects users on Firefox and Firefox ESR running on various operating systems including Oracle Solaris and Ubuntu.
- agent/type
- agent/severity
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- agent/author
- agent/last-modified-date
- agent/source
- agent/weakness
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/11.3
- vendor/mozilla
- canonical/firefox
- version/firefox/39.0.3
- version/firefox/38.0
- version/firefox/38.0.1
- version/firefox/38.0.5
- version/firefox/38.1.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- vendor/opensuse
- canonical/opensuse
- version/opensuse/13.1
- version/opensuse/13.2
- canonical/firefox esr
- version/firefox esr/38.0
- version/firefox esr/38.0.1
- version/firefox esr/38.0.5
- version/firefox esr/38.1.0