CVE-2014-1509

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 28.0 Mozilla Firefox ESR versions prior to 24.4 Mozilla Thunderbird versions prior to 24.4 Mozilla SeaMonkey versions prior to 2.25

Description The issue is related to a buffer overflow in the cairo truetype index to ucs4 function in the cairo class. This allows remote attackers to execute arbitrary code via a crafted extension that renders fonts in a PDF document. The vulnerability can be exploited by specially formed extensions, handling fonts in PDF documents, allowing remote attackers to execute arbitrary code.

Recommendations For Mozilla Firefox versions prior to 28.0, update to version 28.0 or later. For Mozilla Firefox ESR versions prior to 24.4, update to version 24.4 or later. For Mozilla Thunderbird versions prior to 24.4, update to version 24.4 or later. For Mozilla SeaMonkey versions prior to 2.25, update to version 2.25 or later. As a temporary workaround, consider disabling the handling of fonts in PDF documents until a patch is available. Restrict access to the vulnerable cairo truetype index to ucs4 function in the cairo class to minimize the risk of exploitation. Avoid using specially crafted extensions that render fonts in PDF documents until the issue is resolved.