Arch Linux ASA-201501-6
Jan 14, 2015 - 12:00 a.m.

firefox: multiple issues

2015-01-14 00:00:00
Arch Linux
lists.archlinux.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       PARTIAL
  Availability Impact:    PARTIAL

EPSS: 0.942 High (Percentile: 99.0%)

  • CVE-2014-8634 (arbitrary remote code execution)

Christian Holler and Patrick McManus reported memory safety problems and
crashes that affect Firefox ESR 31.3 and Firefox 34.

  • CVE-2014-8635 (arbitrary remote code execution)

Christoph Diehl, Christian Holler, Gary Kwong, Jesse Ruderman, Byron
Campen, Terrence Cole, and Nils Ohlmeier reported memory safety problems
and crashes that affect Firefox 34.

  • CVE-2014-8636 (arbitrary JavaScript code execution, privilege escalation)

Mozilla developer Bobby Holley reported that Document Object Model (DOM)
objects with some specific properties can bypass XrayWrappers. This can
allow web content to confuse privileged code, potentially enabling
privilege escalation.

  • CVE-2014-8637 (information leakage)

Google security researcher Michal Zalewski reported that when a
malformed bitmap image is rendered by the bitmap decoder within a
<canvas> element, memory may not always be properly initialized. The
resulting image then uses this uninitialized memory during rendering,
allowing data to potentially leak to web content.

  • CVE-2014-8638 (XSRF)

Security researcher Muneaki Nishimura reported that
navigator.sendBeacon() does not follow the cross-origin resource sharing
(CORS) specification. This results in the request from sendBeacon()
lacking an Origin header in violation of the W3C Beacon specification
and not being treated as a CORS request. This allows for a potential
cross-site request forgery (XSRF) attack from malicious websites.
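
Why a missing Origin header matters on the server side, as an added example that is not part of the advisory: a CSRF check that treats a missing Origin as same-origin accepts a cross-site POST of the shape described above, while a strict check rejects it. The trusted origin, function names and sample requests are constructed for illustration.

```javascript
// Added example, not from the advisory. TRUSTED_ORIGINS and the sample
// requests below are constructed values.
const TRUSTED_ORIGINS = new Set(['https://app.example']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce an Origin or Referer header value to scheme://host[:port], or null.
function originOf(value) {
  if (!value) return null;
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin; // opaque origins are not trusted
  } catch (e) {
    return null; // unparsable value, including the literal "null"
  }
}

// Weak check: a state-changing request with no Origin header is assumed
// to be same-origin and is let through.
function lenientCheck(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const origin = req.headers['origin'];
  return origin === undefined || TRUSTED_ORIGINS.has(origin);
}

// Hardened check: a state-changing request must identify its source through
// Origin or, failing that, Referer. If neither names a trusted origin, reject.
function strictCheck(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const source = originOf(req.headers['origin']) ||
                 originOf(req.headers['referer']);
  return source !== null && TRUSTED_ORIGINS.has(source);
}

// Constructed requests (header names lower-cased, as Node.js presents them).
const sampleRequests = {
  sameSitePost:      { method: 'POST', headers: { origin: 'https://app.example' } },
  crossSitePost:     { method: 'POST', headers: { origin: 'https://other.example' } },
  // Cross-site POSTs that arrive without an Origin header.
  noOriginReferer:   { method: 'POST', headers: { referer: 'https://other.example/page' } },
  noOriginNoReferer: { method: 'POST', headers: {} },
};

for (const [name, req] of Object.entries(sampleRequests)) {
  console.log(name, 'lenient:', lenientCheck(req), 'strict:', strictCheck(req));
}
```

A per-request anti-CSRF token gives the same protection without depending on which headers the browser chooses to send.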

  • CVE-2014-8639 (cookie injection)

Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua
University reported that a Web Proxy returning a 407 Proxy
Authentication response with a Set-Cookie header could inject cookies
into the originally requested domain. This could be used for
session-fixation attacks. This attack only allows cookies to be written
but does not allow them to be read.

  • CVE-2014-8640 (denial of service)

Security researcher Holger Fuhrmannek used the Address
Sanitizer tool to discover a crash in Web Audio while manipulating
timelines. This allowed a small block of memory with an
uninitialized pointer to be read. The crash is not exploitable.

  • CVE-2014-8641 (remote code execution)

Security researcher Mitchell Harper discovered a read-after-free in
WebRTC due to the way tracks are handled. This results in either a
potentially exploitable crash or incorrect WebRTC behavior.

  • CVE-2014-8642 (OCSP bypass)

Brian Smith reported that delegated Online Certificate Status Protocol
(OCSP) responder certificates fail to recognize the id-pkix-ocsp-nocheck
extension. If this extension is present in a delegated OCSP response
signing certificate, the response will be discarded if it is signed by such a
certificate. This could result in a user connecting to a site with a
revoked certificate.

OS   Version  Architecture  Package  Version   Filename
any  any      any           firefox  < 35.0-1  UNKNOWN
