Description
Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, and Thunderbird before 31.3 on Apple OS X 10.10 omit a CoreGraphics disable-logging action that is needed by jemalloc-based applications, which allows local users to obtain sensitive information by reading /tmp files, as demonstrated by credential information.
References (6)
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1092855
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2014/mfsa2014-90.html
Various Sources x_refsource_misc
http://www.reddit.com/r/netsec/comments/2ocxac/apple_coregraphics_framework_on_os_x_1010_is/
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/HT204244
Scores
EPSS: 0.0008
EPSS Percentile: 24.6%
Details
CWE: CWE-199
Status: published
Products (6)
mozilla/firefox 31.0
mozilla/firefox 31.1.0
mozilla/firefox 31.1.1
mozilla/firefox < 33.0
mozilla/firefox_esr 31.2
mozilla/thunderbird < 31.2
Published: Dec 11, 2014
Tracked Since: Feb 18, 2026