CVE-2015-4493

Heap-based buffer overflow in the stagefright::ESDS::parseESDescriptor function in libstagefright in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 allows remote attackers to execute arbitrary code via an invalid size field in an esds chunk in MPEG-4 video data, a related issue to CVE-2015-1539.

Published: Aug 16, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-4493
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
oracle / solaris	11.3	11.3.x
mozilla / firefox_esr	38.0	38.0.x
mozilla / firefox_esr	38.1.0	38.1.0.x
mozilla / firefox	-	39.0.3.x
mozilla / firefox_esr	38.0.5	38.0.5.x
mozilla / firefox_esr	38.0.1	38.0.1.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	15.04	15.04.x
opensuse / opensuse	13.1	13.1.x
opensuse / opensuse	13.2	13.2.x

http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
http://lists.opensuse.org/opensuse-updates/2015-08/msg00030.html
http://lists.opensuse.org/opensuse-updates/2015-08/msg00031.html
http://rhn.redhat.com/errata/RHSA-2015-1586.html
http://www.debian.org/security/2015/dsa-3333
http://www.mozilla.org/security/announce/2015/mfsa2015-83.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securitytracker.com/id/1033247
http://www.ubuntu.com/usn/USN-2702-1
http://www.ubuntu.com/usn/USN-2702-2
http://www.ubuntu.com/usn/USN-2702-3
https://bugzilla.mozilla.org/show_bug.cgi?id=1186718
https://hg.mozilla.org/mozilla-central/rev/a674c7019cb5
https://security.gentoo.org/glsa/201605-06

Vulnerability Database

290,020

CVE-2015-4493