Red Hat Product Security has been made aware of a security vulnerability in the Mozilla Firefox web browser. Specially crafted malicious web pages could read local files. This flaw has been assigned CVE-2015-4495 and is rated as having an Important impact. Red Hat would like to thank the Mozilla project for reporting this issue.
A flaw was found in Mozilla Firefox, which could allow an attacker to access local files with the permissions of the user running Firefox.
The flaw was discovered in Mozilla Firefox's built-in PDF file viewer (PDF.js). An attacker could create a malicious web page that, when viewed by a victim, reads arbitrary files from the system running Firefox (including private SSH keys, the /etc/passwd file, and other potentially sensitive files) and sends them to a server under the attacker's control. No user interaction beyond visiting the page is required.
It is known that this flaw is being publicly exploited, and an exploit exists that specially targets Linux systems. All Red Hat products that use the Mozilla Firefox browser are affected by this issue.
Note: SELinux does not mitigate this issue, because the default policy runs desktop applications such as Firefox in the unconfined user domain. See "Why doesn't SELinux confine desktop applications" for details.
See the security advisories below that fix this issue:

Product                        Advisory
Red Hat Enterprise Linux 5     RHSA-2015:1581-1
Red Hat Enterprise Linux 6     RHSA-2015:1581-1
Red Hat Enterprise Linux 7     RHSA-2015:1581-1
To eliminate the possibility of exploitation, install the updated firefox packages that have been made available through the advisory listed in the table above, and then restart Firefox: running instances keep executing the old code until they are restarted.
To install the update with the yum package manager, updating only the firefox package and its dependencies, run:
yum update firefox
This flaw requires PDF.js to be enabled in Firefox. Until the updated package is installed, PDF.js can be disabled as a workaround:
- Enter about:config in the Firefox address bar
- Search for the preference that controls PDF.js
- Set the preference so that the built-in PDF viewer is disabled
Disabling PDF.js removes the vulnerable code path but is not a substitute for applying the update.
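The about:config steps above apply to one profile at a time and have to be repeated by every user. The following script is an added example, not part of the Red Hat article, that applies the same workaround from the shell for every Firefox profile of the current user by writing the setting into each profile's user.js (which Firefox reads at startup and copies into its preferences). It assumes the preference is named pdfjs.disabled; that name is not given on the page and is taken from the author's own knowledge of Firefox, so verify it against your Firefox version before deploying. The profile layout under ~/.mozilla/firefox (profiles.ini with Path= entries) is also an assumption about the default user configuration.

```shell
#!/bin/sh
# Added example: disable Firefox's built-in PDF viewer (PDF.js) for every
# profile of the current user, as a temporary workaround for CVE-2015-4495.
# ASSUMPTION: the controlling preference is named "pdfjs.disabled"; the
# article's step list does not name it. Idempotent: safe to run repeatedly.

PREF_LINE='user_pref("pdfjs.disabled", true);'

# Append the pref to one profile directory's user.js unless it is already
# present. Any earlier pdfjs.disabled line (e.g. set to false) is dropped
# first so there is exactly one, authoritative setting. Returns 0 on success,
# 1 if the directory does not exist.
disable_pdfjs_in_profile() {
    profile_dir=$1
    [ -d "$profile_dir" ] || return 1
    userjs="$profile_dir/user.js"
    if [ -f "$userjs" ] && grep -Fqx "$PREF_LINE" "$userjs"; then
        return 0   # already disabled, nothing to do
    fi
    if [ -f "$userjs" ]; then
        # grep -v exits 1 when every line was filtered out; that is fine here.
        grep -v 'pdfjs.disabled' "$userjs" > "$userjs.tmp" || :
        mv "$userjs.tmp" "$userjs"
    fi
    printf '%s\n' "$PREF_LINE" >> "$userjs"
}

# Check helper: prints "true" if the profile's user.js carries the disabling
# line exactly as written above, "false" otherwise (including missing files).
pdfjs_disabled_state() {
    userjs="$1/user.js"
    if [ -f "$userjs" ] && grep -Fqx "$PREF_LINE" "$userjs"; then
        echo true
    else
        echo false
    fi
}

# Apply the workaround to every profile listed in profiles.ini under the
# given Firefox directory (default: ~/.mozilla/firefox). Path= entries are
# relative to that directory unless they start with "/".
disable_pdfjs_all_profiles() {
    base=${1:-$HOME/.mozilla/firefox}
    ini="$base/profiles.ini"
    [ -f "$ini" ] || { echo "no profiles.ini under $base" >&2; return 1; }
    sed -n 's/^Path=//p' "$ini" | while read -r p; do
        case $p in
            /*) dir=$p ;;
            *)  dir="$base/$p" ;;
        esac
        if disable_pdfjs_in_profile "$dir"; then
            echo "PDF.js disabled in $dir"
        else
            echo "skipping missing profile $dir" >&2
        fi
    done
}
```

Run `disable_pdfjs_all_profiles` as each affected user (Firefox must be restarted for the change to take effect), and remove the line from user.js again once the fixed package is installed so the PDF viewer returns. After updating, `rpm -q --changelog firefox | grep CVE-2015-4495` confirms that the installed build carries the fix.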