[security-announce] openSUSE-SU-2011:1077-1: important: seamonkey: Update to Mozilla Seamonkey 2.4

[news 28]

openSUSE Security Update: seamonkey: Update to Mozilla Seamonkey 2.4

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2011:1077-1

Rating: important

References: #720264

Cross-References: CVE-2011-2372 CVE-2011-2995 CVE-2011-2997

CVE-2011-2999 CVE-2011-3000 CVE-2011-3001

CVE-2011-3002 CVE-2011-3003 CVE-2011-3004

CVE-2011-3005 CVE-2011-3232

Affected Products:

openSUSE 11.4

openSUSE 11.3

______________________________________________________________________________

 

An update that fixes 11 vulnerabilities is now available.

It includes two new package versions.

 

Description:

 

Mozilla Seamonkey was updated to version 2.4, fixing

various bugs and security issues.

 

MFSA 2011-36: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary

code.

 

In general these flaws cannot be exploited through email in

the Thunderbird and SeaMonkey products because scripting is

disabled, but are potentially a risk in browser or

browser-like contexts in those products.

 

Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported

memory safety problems that affected Firefox 3.6 and

Firefox 6. (CVE-2011-2995)

 

Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor

Bukanov, Jason Orendorff, Jesse Ruderman, and Marcia Knous

reported memory safety problems that affected Firefox 6,

fixed in Firefox 7. (CVE-2011-2997)

 

 

 

MFSA 2011-38: Mozilla developer Boris Zbarsky reported that

a frame named "location" could shadow the window.location

object unless a script in a page grabbed a reference to the

true object before the frame was created. Because some

plugins use the value of window.location to determine the

page origin this could fool the plugin into granting the

plugin content access to another site or the local file

system in violation of the Same Origin Policy. This flaw

allows circumvention of the fix added for MFSA 2010-10.

(CVE-2011-2999)

 

MFSA 2011-39: Ian Graham of Citrix Online reported that

when multiple Location headers were present in a redirect

response Mozilla behavior differed from other browsers:

Mozilla would use the second Location header while Chrome

and Internet Explorer would use the first. Two copies of

this header with different values could be a symptom of a

CRLF injection attack against a vulnerable server. Most

commonly it is the Location header itself that is

vulnerable to the response splitting and therefore the copy

preferred by Mozilla is more likely to be the malicious

one. It is possible, however, that the first copy was the

injected one depending on the nature of the server

vulnerability.

 

The Mozilla browser engine has been changed to treat two

copies of this header with different values as an error

condition. The same has been done with the headers

Content-Length and Content-Disposition. (CVE-2011-3000)

 

MFSA 2011-40: Mariusz Mlynski reported that if you could

convince a user to hold down the Enter key--as part of a

game or test, perhaps--a malicious page could pop up a

download dialog where the held key would then activate the

default Open action. For some file types this would be

merely annoying (the equivalent of a pop-up) but other file

types have powerful scripting capabilities. And this would

provide an avenue for an attacker to exploit a

vulnerability in applications not normally exposed to

potentially hostile internet content.

 

Mariusz also reported a similar flaw with manual plugin

installation using the PLUGINSPAGE attribute. It was

possible to create an internal error that suppressed a

confirmation dialog, such that holding enter would lead to

the installation of an arbitrary add-on. (This variant did

not affect Firefox 3.6)

 

Holding enter allows arbitrary code execution due to

Download Manager (CVE-2011-2372)

 

Holding enter allows arbitrary extension installation

(CVE-2011-3001)

 

MFSA 2011-41: Michael Jordon of Context IS reported that in

the ANGLE library used by WebGL the return value from

GrowAtomTable() was not checked for errors. If an attacker

could cause requests that exceeded the available memeory

those would fail and potentially lead to a buffer overrun

as subsequent code wrote into the non-allocated space.

(CVE-2011-3002)

 

Ben Hawkes of the Google Security Team reported a WebGL

test case that demonstrated an out of bounds write after an

allocation failed. (CVE-2011-3003)

 

MFSA 2011-42: Security researcher Aki Helin reported a

potentially exploitable crash in the YARR regular

expression library used by JavaScript. (CVE-2011-3232)

 

 

MFSA 2011-43: David Rees reported that the

JSSubScriptLoader (a feature used by some add-ons) was

"unwrapping" XPCNativeWrappers when they were used as the

scope parameter to loadSubScript(). Without the protection

of the wrappers the add-on could be vulnerable to privilege

escalation attacks from malicious web content. Whether any

given add-on were vulnerable would depend on how the add-on

used the feature and whether it interacted directly with

web content, but we did find at least one vulnerable add-on

and presumer there are more. (CVE-2011-3004)

 

The unwrapping behavior was a change introduced during

Firefox 4 development. Firefox 3.6 and earlier versions are

not affected.

 

 

MFSA 2011-44: sczimmer reported that Firefox crashed when

loading a particular .ogg file. This was due to a

use-after-free condition and could potentially be exploited

to install malware. (CVE-2011-3005)

 

This vulnerability does not affect Firefox 3.6 or earlier.

 

 

MFSA 2011-45: University of California, Davis researchers

Liang Cai and Hao Chen presented a paper at the 2011 USENIX

HotSec workshop on inferring keystrokes from device motion

data on mobile devices. Web pages can now receive data

similar to the apps studied in that paper and likely

present a similar risk. We have decided to limit motion

data events to the currently-active tab to prevent the

possibility of background tabs attempting to decipher

keystrokes the user is entering into the foreground tab.

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 11.4:

 

zypper in -t patch MozillaFirefox-5208 seamonkey-5210

 

- openSUSE 11.3:

 

zypper in -t patch seamonkey-5210

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 11.4 (i586 x86_64) [New Version: 2.4 and 7.0]:

 

MozillaFirefox-7.0-1.2.1

MozillaFirefox-branding-upstream-7.0-1.2.1

MozillaFirefox-buildsymbols-7.0-1.2.1

MozillaFirefox-devel-7.0-1.2.1

MozillaFirefox-translations-common-7.0-1.2.1

MozillaFirefox-translations-other-7.0-1.2.1

seamonkey-2.4-1.2.1

seamonkey-dom-inspector-2.4-1.2.1

seamonkey-irc-2.4-1.2.1

seamonkey-translations-common-2.4-1.2.1

seamonkey-translations-other-2.4-1.2.1

seamonkey-venkman-2.4-1.2.1

 

- openSUSE 11.3 (i586 x86_64) [New Version: 2.4]:

 

seamonkey-2.4-1.2.1

seamonkey-dom-inspector-2.4-1.2.1

seamonkey-irc-2.4-1.2.1

seamonkey-translations-common-2.4-1.2.1

seamonkey-translations-other-2.4-1.2.1

seamonkey-venkman-2.4-1.2.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2011-2372.html

http://support.novell.com/security/cve/CVE-2011-2995.html

http://support.novell.com/security/cve/CVE-2011-2997.html

http://support.novell.com/security/cve/CVE-2011-2999.html

http://support.novell.com/security/cve/CVE-2011-3000.html

http://support.novell.com/security/cve/CVE-2011-3001.html

http://support.novell.com/security/cve/CVE-2011-3002.html

http://support.novell.com/security/cve/CVE-2011-3003.html

http://support.novell.com/security/cve/CVE-2011-3004.html

http://support.novell.com/security/cve/CVE-2011-3005.html

http://support.novell.com/security/cve/CVE-2011-3232.html

https://bugzilla.novell.com/720264

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org