Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[security-announce] SUSE-SU-2012:1351-1: important: Security update for Mozilla Firefox

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

SUSE Security Update: Security update for Mozilla Firefox

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2012:1351-1

Rating: important

References: #783533

Cross-References: CVE-2012-3977 CVE-2012-3982 CVE-2012-3983

CVE-2012-3984 CVE-2012-3985 CVE-2012-3986

CVE-2012-3987 CVE-2012-3988 CVE-2012-3989

CVE-2012-3990 CVE-2012-3991 CVE-2012-3992

CVE-2012-3993 CVE-2012-3994 CVE-2012-3995

CVE-2012-4179 CVE-2012-4180 CVE-2012-4181

CVE-2012-4182 CVE-2012-4183 CVE-2012-4184

CVE-2012-4185 CVE-2012-4186 CVE-2012-4187

CVE-2012-4188 CVE-2012-4192 CVE-2012-4193

 

Affected Products:

SUSE Linux Enterprise Server 11 SP2 for VMware

SUSE Linux Enterprise Server 11 SP2

SUSE Linux Enterprise Server 10 SP4

SUSE Linux Enterprise Desktop 11 SP2

SUSE Linux Enterprise Desktop 10 SP4

SLE SDK 10 SP4

______________________________________________________________________________

 

An update that fixes 27 vulnerabilities is now available.

It includes two new package versions.

 

Description:

 

 

MozillaFirefox was updated to the 10.0.9ESR security

release which fixes bugs and security issues:

 

*

 

MFSA 2012-73 / CVE-2012-3977: Security researchers

Thai Duong and Juliano Rizzo reported that SPDY's request

header compression leads to information leakage, which can

allow the extraction of private data such as session

cookies, even over an encrypted SSL connection. (This does

not affect Firefox 10 as it does not feature the SPDY

extension. It was silently fixed for Firefox 15.)

 

*

 

MFSA 2012-74: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary

code.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

 

*

 

CVE-2012-3983: Henrik Skupin, Jesse Ruderman and

moz_bug_r_a4 reported memory safety problems and crashes

that affect Firefox 15.

 

*

 

CVE-2012-3982: Christian Holler and Jesse Ruderman

reported memory safety problems and crashes that affect

Firefox ESR 10 and Firefox 15.

 

*

 

MFSA 2012-75 / CVE-2012-3984: Security researcher

David Bloom of Cue discovered that "select" elements are

always-on-top chromeless windows and that navigation away

from a page with an active "select" menu does not remove

this window.When another menu is opened programmatically on

a new page, the original "select" menu can be retained and

arbitrary HTML content within it rendered, allowing an

attacker to cover arbitrary portions of the new page

through absolute positioning/scrolling, leading to spoofing

attacks. Security researcher Jordi Chancel found a

variation that would allow for click-jacking attacks was

well.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

References

 

Navigation away from a page with an active "select"

dropdown menu can be used for URL spoofing, other evil

 

Firefox 10.0.1 : Navigation away from a page with

multiple active "select" dropdown menu can be used for

Spoofing And ClickJacking with XPI using window.open and

geolocalisation

 

*

 

MFSA 2012-76 / CVE-2012-3985: Security researcher

Collin Jackson reported a violation of the HTML5

specifications for document.domain behavior. Specified

behavior requires pages to only have access to windows in a

new document.domain but the observed violation allowed

pages to retain access to windows from the page's initial

origin in addition to the new document.domain. This could

potentially lead to cross-site scripting (XSS) attacks.

 

*

 

MFSA 2012-77 / CVE-2012-3986: Mozilla developer

Johnny Stenback discovered that several methods of a

feature used for testing (DOMWindowUtils) are not protected

by existing security checks, allowing these methods to be

called through script by web pages. This was addressed by

adding the existing security checks to these methods.

 

*

 

MFSA 2012-78 / CVE-2012-3987: Security researcher

Warren He reported that when a page is transitioned into

Reader Mode in Firefox for Android, the resulting page has

chrome privileges and its content is not thoroughly

sanitized. A successful attack requires user enabling of

reader mode for a malicious page, which could then perform

an attack similar to cross-site scripting (XSS) to gain the

privileges allowed to Firefox on an Android device. This

has been fixed by changing the Reader Mode page into an

unprivileged page.

 

This vulnerability only affects Firefox for Android.

 

*

 

MFSA 2012-79 / CVE-2012-3988: Security researcher

Soroush Dalili reported that a combination of invoking full

screen mode and navigating backwards in history could, in

some circumstances, cause a hang or crash due to a timing

dependent use-after-free pointer reference. This crash may

be potentially exploitable.

 

*

 

MFSA 2012-80 / CVE-2012-3989: Mozilla community

member Ms2ger reported a crash due to an invalid cast when

using the instanceof operator on certain types of

JavaScript objects. This can lead to a potentially

exploitable crash.

 

*

 

MFSA 2012-81 / CVE-2012-3991: Mozilla community

member Alice White reported that when the GetProperty

function is invoked through JSAPI, security checking can be

bypassed when getting cross-origin properties. This

potentially allowed for arbitrary code execution.

 

*

 

MFSA 2012-82 / CVE-2012-3994: Security researcher

Mariusz Mlynski reported that the location property can be

accessed by binary plugins through top.location and top can

be shadowed by Object.defineProperty as well. This can

allow for possible cross-site scripting (XSS) attacks

through plugins.

 

*

 

MFSA 2012-83: Security researcher Mariusz Mlynski

reported that when InstallTrigger fails, it throws an error

wrapped in a Chrome Object Wrapper (COW) that fails to

specify exposed properties. These can then be added to the

resulting object by an attacker, allowing access to chrome

privileged functions through script.

 

While investigating this issue, Mozilla security

researcher moz_bug_r_a4 found that COW did not disallow

accessing of properties from a standard prototype in some

situations, even when the original issue had been fixed.

 

These issues could allow for a cross-site scripting

(XSS) attack or arbitrary code execution.

 

*

 

CVE-2012-3993: XrayWrapper pollution via unsafe COW

 

*

 

CVE-2012-4184: ChromeObjectWrapper is not implemented

as intended

 

*

 

MFSA 2012-84 / CVE-2012-3992: Security researcher

Mariusz Mlynski reported an issue with spoofing of the

location property. In this issue, writes to location.hash

can be used in concert with scripted history navigation to

cause a specific website to be loaded into the history

object. The baseURI can then be changed to this stored

site, allowing an attacker to inject a script or intercept

posted data posted to a location specified with a relative

path.

 

*

 

MFSA 2012-85: Security researcher Abhishek Arya

(Inferno) of the Google Chrome Security Team discovered a

series of use-after-free, buffer overflow, and out of

bounds read issues using the Address Sanitizer tool in

shipped software. These issues are potentially exploitable,

allowing for remote code execution. We would also like to

thank Abhishek for reporting two additional use-after-free

flaws introduced during Firefox 16 development and fixed

before general release.

 

*

 

CVE-2012-3995: Out of bounds read in

IsCSSWordSpacingSpace

 

*

 

CVE-2012-4179: Heap-use-after-free in

nsHTMLCSSUtils::CreateCSSPropertyTxn

 

*

 

CVE-2012-4180: Heap-buffer-overflow in

nsHTMLEditor::IsPrevCharInNodeWhitespace

 

*

 

CVE-2012-4181: Heap-use-after-free in

nsSMILAnimationController::DoSample

 

*

 

CVE-2012-4182: Heap-use-after-free in

nsTextEditRules::WillInsert

 

*

 

CVE-2012-4183: Heap-use-after-free in

DOMSVGTests::GetRequiredFeatures

 

*

 

MFSA 2012-86: Security researcher Atte Kettunen from

OUSPG reported several heap memory corruption issues found

using the Address Sanitizer tool. These issues are

potentially exploitable, allowing for remote code execution.

 

*

 

CVE-2012-4185: Global-buffer-overflow in

nsCharTraits::length

 

*

 

CVE-2012-4186: Heap-buffer-overflow in

nsWaveReader::DecodeAudioData

 

*

 

CVE-2012-4187: Crash with ASSERTION: insPos too small

 

*

 

CVE-2012-4188: Heap-buffer-overflow in Convolve3x3

 

*

 

MFSA 2012-87 / CVE-2012-3990: Security researcher

miaubiz used the Address Sanitizer tool to discover a

use-after-free in the IME State Manager code. This could

lead to a potentially exploitable crash.

 

*

 

MFSA 2012-89 / CVE-2012-4192 / CVE-2012-4193: Mozilla

security researcher moz_bug_r_a4 reported a regression

where security wrappers are unwrapped without doing a

security check in defaultValue(). This can allow for

improper access access to the Location object. In versions

15 and earlier of affected products, there was also the

potential for arbitrary code execution.

 

Security Issue reference:

 

* CVE-2012-3977

 

* CVE-2012-3982

 

* CVE-2012-3983

 

* CVE-2012-3984

 

* CVE-2012-3985

 

* CVE-2012-3986

 

* CVE-2012-3987

 

* CVE-2012-3988

 

* CVE-2012-3989

 

* CVE-2012-3990

 

* CVE-2012-3991

 

* CVE-2012-3992

 

* CVE-2012-3993

 

* CVE-2012-3994

 

* CVE-2012-3995

 

* CVE-2012-4179

 

* CVE-2012-4180

 

* CVE-2012-4181

 

* CVE-2012-4182

 

* CVE-2012-4183

 

* CVE-2012-4184

 

* CVE-2012-4185

 

* CVE-2012-4186

 

* CVE-2012-4187

 

* CVE-2012-4188

 

* CVE-2012-4192

 

* CVE-2012-4193

 

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server 11 SP2 for VMware:

 

zypper in -t patch slessp2-firefox-201210-6951

 

- SUSE Linux Enterprise Server 11 SP2:

 

zypper in -t patch slessp2-firefox-201210-6951

 

- SUSE Linux Enterprise Desktop 11 SP2:

 

zypper in -t patch sledsp2-firefox-201210-6951

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.9]:

 

MozillaFirefox-10.0.9-0.3.1

MozillaFirefox-translations-10.0.9-0.3.1

 

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.9]:

 

MozillaFirefox-10.0.9-0.3.1

MozillaFirefox-branding-SLED-7-0.6.7.85

MozillaFirefox-translations-10.0.9-0.3.1

 

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 7]:

 

MozillaFirefox-10.0.9-0.5.1

MozillaFirefox-branding-SLED-7-0.8.35

MozillaFirefox-translations-10.0.9-0.5.1

 

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.9]:

 

MozillaFirefox-10.0.9-0.3.1

MozillaFirefox-branding-SLED-7-0.6.7.85

MozillaFirefox-translations-10.0.9-0.3.1

 

- SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 7]:

 

MozillaFirefox-10.0.9-0.5.1

MozillaFirefox-branding-SLED-7-0.8.35

MozillaFirefox-translations-10.0.9-0.5.1

 

- SLE SDK 10 SP4 (i586 ia64 ppc s390x):

 

MozillaFirefox-branding-upstream-10.0.9-0.5.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2012-3977.html

http://support.novell.com/security/cve/CVE-2012-3982.html

http://support.novell.com/security/cve/CVE-2012-3983.html

http://support.novell.com/security/cve/CVE-2012-3984.html

http://support.novell.com/security/cve/CVE-2012-3985.html

http://support.novell.com/security/cve/CVE-2012-3986.html

http://support.novell.com/security/cve/CVE-2012-3987.html

http://support.novell.com/security/cve/CVE-2012-3988.html

http://support.novell.com/security/cve/CVE-2012-3989.html

http://support.novell.com/security/cve/CVE-2012-3990.html

http://support.novell.com/security/cve/CVE-2012-3991.html

http://support.novell.com/security/cve/CVE-2012-3992.html

http://support.novell.com/security/cve/CVE-2012-3993.html

http://support.novell.com/security/cve/CVE-2012-3994.html

http://support.novell.com/security/cve/CVE-2012-3995.html

http://support.novell.com/security/cve/CVE-2012-4179.html

http://support.novell.com/security/cve/CVE-2012-4180.html

http://support.novell.com/security/cve/CVE-2012-4181.html

http://support.novell.com/security/cve/CVE-2012-4182.html

http://support.novell.com/security/cve/CVE-2012-4183.html

http://support.novell.com/security/cve/CVE-2012-4184.html

http://support.novell.com/security/cve/CVE-2012-4185.html

http://support.novell.com/security/cve/CVE-2012-4186.html

http://support.novell.com/security/cve/CVE-2012-4187.html

http://support.novell.com/security/cve/CVE-2012-4188.html

http://support.novell.com/security/cve/CVE-2012-4192.html

http://support.novell.com/security/cve/CVE-2012-4193.html

https://bugzilla.novell.com/783533

http://download.novell.com/patch/finder/?keywords=9df8424f201589e4fca1abdc2e0b1023

http://download.novell.com/patch/finder/?keywords=b54051bb7b93d9b879c04f373ce0061d

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×