Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] openSUSE-SU-2012:0899-1: critical: MozillaFirefox to 14.0.1

Recommended Posts

openSUSE Security Update: MozillaFirefox to 14.0.1

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2012:0899-1

Rating: critical

References: #771583

Cross-References: CVE-2012-1948 CVE-2012-1949 CVE-2012-1950

CVE-2012-1951 CVE-2012-1952 CVE-2012-1953

CVE-2012-1954 CVE-2012-1955 CVE-2012-1957

CVE-2012-1958 CVE-2012-1959 CVE-2012-1961

CVE-2012-1962 CVE-2012-1963 CVE-2012-1964

CVE-2012-1965 CVE-2012-1966 CVE-2012-1967

 

Affected Products:

openSUSE 12.1

openSUSE 11.4

______________________________________________________________________________

 

An update that fixes 18 vulnerabilities is now available.

 

Description:

 

MozillaFirefox was updated to 14.0.1 to fix various bugs

and security issues.

 

 

Following security issues were fixed: MFSA 2012-42: Mozilla

developers identified and fixed several memory safety bugs

in the browser engine used in Firefox and other

Mozilla-based products. Some of these bugs showed evidence

of memory corruption under certain circumstances, and we

presume that with enough effort at least some of these

could be exploited to run arbitrary code.

 

CVE-2012-1949: Brian Smith, Gary Kwong, Christian Holler,

Jesse Ruderman, Christoph Diehl, Chris Jones, Brad Lassey,

and Kyle Huey reported memory safety problems and crashes

that affect Firefox 13.

 

CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian

Holler, and Bill McCloskey reported memory safety problems

and crashes that affect Firefox ESR 10 and Firefox 13.

 

 

MFSA 2012-43 / CVE-2012-1950: Security researcher Mario

Gomes andresearch firm Code Audit Labs reported a mechanism

to short-circuit page loads through drag and drop to the

addressbar by canceling the page load. This causes the

address of the previously site entered to be displayed in

the addressbar instead of the currently loaded page. This

could lead to potential phishing attacks on users.

 

MFSA 2012-44 Google security researcher Abhishek Arya used

the Address Sanitizer tool to uncover four issues: two

use-after-free problems, one out of bounds read bug, and a

bad cast. The first use-after-free problem is caused when

an array of nsSMILTimeValueSpec objects is destroyed but

attempts are made to call into objects in this array later.

The second use-after-free problem is in

nsDocument::AdoptNode when it adopts into an empty document

and then adopts into another document, emptying the first

one. The heap buffer overflow is in ElementAnimations when

data is read off of end of an array and then pointers are

dereferenced. The bad cast happens when

nsTableFrame::InsertFrames is called with frames in

aFrameList that are a mix of row group frames and column

group frames. AppendFrames is not able to handle this mix.

 

All four of these issues are potentially exploitable.

CVE-2012-1951: Heap-use-after-free in

nsSMILTimeValueSpec::IsEventBased CVE-2012-1954:

Heap-use-after-free in nsDocument::AdoptNode CVE-2012-1953:

Out of bounds read in ElementAnimations::EnsureStyleRuleFor

CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames

 

 

MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz

Mlynski reported an issue with spoofing of the location

property. In this issue, calls to history.forward and

history.back are used to navigate to a site while

displaying the previous site in the addressbar but changing

the baseURI to the newer site. This can be used for

phishing by allowing the user input form or other data on

the newer, attacking, site while appearing to be on the

older, displayed site.

 

MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher

moz_bug_r_a4 reported a cross-site scripting (XSS) attack

through the context menu using a data: URL. In this issue,

context menu functionality ("View Image", "Show only this

frame", and "View background image") are disallowed in a

javascript: URL but allowed in a data: URL, allowing for

XSS. This can lead to arbitrary code execution.

 

MFSA 2012-47 / CVE-2012-1957: Security researcher Mario

Heiderich reported that javascript could be executed in the

HTML feed-view using tag within the RSS

. This problem is due to tags not

being filtered out during parsing and can lead to a

potential cross-site scripting (XSS) attack. The flaw

existed in a parser utility class and could affect other

parts of the browser or add-ons which rely on that class to

sanitize untrusted input.

 

 

MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur

Gerkis used the Address Sanitizer tool to find a

use-after-free in nsGlobalWindow::PageHidden when

mFocusedContent is released and oldFocusedContent is used

afterwards. This use-after-free could possibly allow for

remote code execution.

 

 

MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby

Holley found that same-compartment security wrappers (SCSW)

can be bypassed by passing them to another compartment.

Cross-compartment wrappers often do not go through SCSW,

but have a filtering policy built into them. When an object

is wrapped cross-compartment, the SCSW is stripped off and,

when the object is read read back, it is not known that

SCSW was previously present, resulting in a bypassing of

SCSW. This could result in untrusted content having access

to the XBL that implements browser functionality.

 

MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne

reported an out of bounds (OOB) read in QCMS, Mozilla’s

color management library. With a carefully crafted color

profile portions of a user's memory could be incorporated

into a transformed image and possibly deciphered.

 

 

MFSA 2012-51 / CVE-2012-1961: Bugzilla developer Frédéric

Buclin reported that the "X-Frame-Options header is ignored

when the value is duplicated, for example X-Frame-Options:

SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown

reasons on some websites and when it occurs results in

Mozilla browsers not being protected against possible

clickjacking attacks on those pages.

 

 

MFSA 2012-52 / CVE-2012-1962: Security researcher Bill

Keese reported a memory corruption. This is caused by

JSDependentString::undepend changing a dependent string

into a fixed string when there are additional dependent

strings relying on the same base. When the undepend occurs

during conversion, the base data is freed, leaving other

dependent strings with dangling pointers. This can lead to

a potentially exploitable crash.

 

 

MFSA 2012-53 / CVE-2012-1963: Security researcher

Karthikeyan Bhargavan of Prosecco at INRIA reported Content

Security Policy (CSP) 1.0 implementation errors. CSP

violation reports generated by Firefox and sent to the

"report-uri" location include sensitive data within the

"blocked-uri" parameter. These include fragment components

and query strings even if the "blocked-uri" parameter has a

different origin than the protected resource. This can be

used to retrieve a user's OAuth 2.0 access tokens and

OpenID credentials by malicious sites.

 

MFSA 2012-54 / CVE-2012-1964: Security Researcher Matt

McCutchen reported that a clickjacking attack using the

certificate warning page. A man-in-the-middle (MITM)

attacker can use an iframe to display its own certificate

error warning page (about:certerror) with the "Add

Exception" button of a real warning page from a malicious

site. This can mislead users to adding a certificate

exception for a different site than the perceived one. This

can lead to compromised communications with the user

perceived site through the MITM attack once the certificate

exception has been added.

 

 

MFSA 2012-55 / CVE-2012-1965: Security researchers Mario

Gomes and Soroush Dalili reported that since Mozilla allows

the pseudo-protocol feed: to prefix any valid URL, it is

possible to construct feed:javascript: URLs that will

execute scripts in some contexts. On some sites it may be

possible to use this to evade output filtering that would

otherwise strip javascript: URLs and thus contribute to

cross-site scripting (XSS) problems on these sites.

 

MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher

moz_bug_r_a4 reported a arbitrary code execution attack

using a javascript: URL. The Gecko engine features a

JavaScript sandbox utility that allows the browser or

add-ons to safely execute script in the context of a web

page. In certain cases, javascript: URLs are executed in

such a sandbox with insufficient context that can allow

those scripts to escape from the sandbox and run with

elevated privilege. This can lead to arbitrary code

execution.

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 12.1:

 

zypper in -t patch openSUSE-2012-410

 

- openSUSE 11.4:

 

zypper in -t patch openSUSE-2012-410

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 12.1 (i586 x86_64):

 

MozillaFirefox-14.0.1-2.33.1

MozillaFirefox-branding-upstream-14.0.1-2.33.1

MozillaFirefox-buildsymbols-14.0.1-2.33.1

MozillaFirefox-debuginfo-14.0.1-2.33.1

MozillaFirefox-debugsource-14.0.1-2.33.1

MozillaFirefox-devel-14.0.1-2.33.1

MozillaFirefox-translations-common-14.0.1-2.33.1

MozillaFirefox-translations-other-14.0.1-2.33.1

 

- openSUSE 11.4 (i586 x86_64):

 

MozillaFirefox-14.0.1-28.1

MozillaFirefox-branding-upstream-14.0.1-28.1

MozillaFirefox-buildsymbols-14.0.1-28.1

MozillaFirefox-debuginfo-14.0.1-28.1

MozillaFirefox-debugsource-14.0.1-28.1

MozillaFirefox-devel-14.0.1-28.1

MozillaFirefox-translations-common-14.0.1-28.1

MozillaFirefox-translations-other-14.0.1-28.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2012-1948.html

http://support.novell.com/security/cve/CVE-2012-1949.html

http://support.novell.com/security/cve/CVE-2012-1950.html

http://support.novell.com/security/cve/CVE-2012-1951.html

http://support.novell.com/security/cve/CVE-2012-1952.html

http://support.novell.com/security/cve/CVE-2012-1953.html

http://support.novell.com/security/cve/CVE-2012-1954.html

http://support.novell.com/security/cve/CVE-2012-1955.html

http://support.novell.com/security/cve/CVE-2012-1957.html

http://support.novell.com/security/cve/CVE-2012-1958.html

http://support.novell.com/security/cve/CVE-2012-1959.html

http://support.novell.com/security/cve/CVE-2012-1961.html

http://support.novell.com/security/cve/CVE-2012-1962.html

http://support.novell.com/security/cve/CVE-2012-1963.html

http://support.novell.com/security/cve/CVE-2012-1964.html

http://support.novell.com/security/cve/CVE-2012-1965.html

http://support.novell.com/security/cve/CVE-2012-1966.html

http://support.novell.com/security/cve/CVE-2012-1967.html

https://bugzilla.novell.com/771583

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×