nessus | Tenable | 8878.PRM
Sep 24, 2015 - 12:00 a.m.

Firefox OS < 2.2 Multiple Vulnerabilities

2015-09-24 00:00:00
Tenable
www.tenable.com

CVSS2: 7.5
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 8.8
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.898
  Percentile: 98.8%

Versions of Firefox OS prior to 2.2 are outdated and thus unpatched for the following vulnerabilities:

  • A logic error in ‘apps/system/js/usb_storage.js’ that is triggered during the handling of USB mass storage. This may allow a local attacker with access to the USB host to gain access to USB media volumes that are locked with a passcode after a reboot or certain unspecified screen saver state changes. (CVE-2015-5960)
  • A flaw exists in the SharedBufferManagerParent::RecvAllocateGrallocBuffer() function in ‘gfx/layers/ipc/SharedBufferManagerParent.cpp’. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2015-5960)
  • A flaw exists in the ‘FxAccounts signup dialog’ that is triggered as input passed via the COPPA error screen is not properly sanitized before being passed to the B2G root process. This may allow a remote attacker to inject arbitrary web content into the B2G root process. (CVE-2015-5961)
  • A flaw exists in ‘dom/messages/SystemMessagePermissionsChecker.jsm’ within the WiFi-related system message, as the system fails to restrict system messages to applications with the ‘wifi-manage’ permissions. With an unprivileged application, a local attacker can gain access to limited information from system messages. (CVE-2015-4494)
  • A use-after-free error affects the StyleAnimationValue::operator=() function in ‘layout/style/StyleAnimationValue.cpp’. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2015-4488)
  • An unspecified flaw exists in the nsTArray_Impl() function. The issue is triggered as user-supplied input is not properly validated during self-assignment. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-4489)
  • An overflow condition affects the nsTSubstring::ReplacePrep() function. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2015-4487)
  • Gaia contains a flaw in the search app within ‘apps/search/js/providers/provider.js’ that is triggered during the handling of a specially crafted search link. When the link is opened in the browser and the browser is re-opened or a new tab is opened, a context-dependent attacker can potentially inject HTML content. (CVE-2015-2744)
  • Gaia contains a flaw in ‘apps/system/js/card.js’ that is triggered when handling titles. When the link is opened in the browser and the HOME button is pressed or the Show Windows function is used, a context-dependent attacker can potentially inject HTML content. (CVE-2015-2745)
  • A flaw affects the nsDocShell::LoadURI() function in ‘docshell/base/nsDocShell.cpp’ that is triggered when converting an expanded principal into inheriting the current principal. This may allow a context-dependent attacker to bypass the same-origin policy and disclose the contents of local files. (CVE-2015-4495)

Vendor | Product | Version | CPE
mozilla | firefoxos | | cpe:/o:mozilla:firefoxos
