[security-announce] SUSE-SU-2012:1592-1: important: Security update for Mozilla Firefox


SUSE Security Update: Security update for Mozilla Firefox

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2012:1592-1

Rating: important

References: #790140

Affected Products:

SUSE Linux Enterprise Software Development Kit 11 SP2

SUSE Linux Enterprise Server 11 SP2 for VMware

SUSE Linux Enterprise Server 11 SP2

SUSE Linux Enterprise Server 10 SP4

SUSE Linux Enterprise Desktop 11 SP2

SUSE Linux Enterprise Desktop 10 SP4

SLE SDK 10 SP4

______________________________________________________________________________

 

An update that contains security fixes can now be

installed. It includes two new package versions.

 

Description:

 

 

Mozilla Firefox has been updated to the 10.0.11 ESR

security release, which fixes various bugs and security

issues.

 

* MFSA 2012-106: Security researcher miaubiz used the

Address Sanitizer tool to discover a series of critically

rated use-after-free, buffer overflow, and memory

corruption issues in shipped software. These issues are

potentially exploitable, allowing for remote code

execution. We would also like to thank miaubiz for

reporting two additional use-after-free and memory

corruption issues introduced during Firefox development

that have been fixed before general release.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

References

 

The following issues have been fixed in Firefox 17

and ESR 10.0.11:

 

o use-after-free when loading html file on osx (CVE-2012-5830)

o Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833)

o integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835)

 

The following issues have been fixed in Firefox 17:

 

o crash in copyTexImage2D with image dimensions

too large for given level (CVE-2012-5838)


* MFSA 2012-105: Security researcher Abhishek Arya

(Inferno) of the Google Chrome Security Team discovered a

series of critically rated use-after-free and buffer

overflow issues using the Address Sanitizer tool in shipped

software. These issues are potentially exploitable,

allowing for remote code execution. We would also like to

thank Abhishek for reporting five additional

use-after-free, out of bounds read, and buffer overflow

flaws introduced during Firefox development that have been

fixed before general release.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

References

 

The following issues have been fixed in Firefox 17

and ESR 10.0.11:

 

o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)

o Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215)

o Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216)

o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829)

o heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839)

o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840)

 

The following issues have been fixed in Firefox 17:

 

o Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212)

o Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213)

o Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217)

o Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218)


* MFSA 2012-104 / CVE-2012-4210: Security researcher

Mariusz Mlynski reported that when a maliciously crafted

stylesheet is inspected in the Style Inspector, HTML and

CSS can run in a chrome privileged context without being

properly sanitized first. This can lead to arbitrary code

execution.

 

* MFSA 2012-103 / CVE-2012-4209: Security researcher

Mariusz Mlynski reported that the location property can be

accessed by binary plugins through top.location with a

frame whose name attribute's value is set to "top". This

can allow for possible cross-site scripting (XSS) attacks

through plugins.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

 

* MFSA 2012-102 / CVE-2012-5837: Security researcher

Masato Kinugawa reported that when script is entered into

the Developer Toolbar, it runs in a chrome privileged

context. This allows for arbitrary code execution or

cross-site scripting (XSS) if a user can be convinced to

paste malicious code into the Developer Toolbar.

 

* MFSA 2012-101 / CVE-2012-4207: Security researcher

Masato Kinugawa found that when HZ-GB-2312 charset encoding is

used for text, the "~" character will destroy another

character near the chunk delimiter. This can lead to a

cross-site scripting (XSS) attack in pages encoded in

HZ-GB-2312.

 

* MFSA 2012-100 / CVE-2012-5841: Mozilla developer

Bobby Holley reported that security wrappers filter at the

time of property access, but once a function is returned,

the caller can use this function without further security

checks. This affects cross-origin wrappers, allowing for

write actions on objects when only read actions should be

properly allowed. This can lead to cross-site scripting

(XSS) attacks.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

 

* MFSA 2012-99 / CVE-2012-4208: Mozilla developer Peter

Van der Beken discovered that same-origin XrayWrappers

expose chrome-only properties even when not in a chrome

compartment. This can allow web content to get properties

of DOM objects that are intended to be chrome-only.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

 

* MFSA 2012-98 / CVE-2012-4206: Security researcher

Robert Kugler reported that when a specifically named DLL

file on a Windows computer is placed in the default

downloads directory with the Firefox installer, the Firefox

installer will load this DLL when it is launched. In

circumstances where the installer is run by an

administrator privileged account, this allows for the

downloaded DLL file to be run with administrator

privileges. This can lead to arbitrary code execution from

a privileged account.

 

* MFSA 2012-97 / CVE-2012-4205: Mozilla developer Gabor

Krizsanits discovered that XMLHttpRequest objects created

within sandboxes have the system principal instead of the

sandbox principal. This can lead to cross-site request

forgery (CSRF) or information theft via an add-on running

untrusted code in a sandbox.

 

* MFSA 2012-96 / CVE-2012-4204: Security researcher

Scott Bell of Security-Assessment.com used the Address

Sanitizer tool to discover a memory corruption in

str_unescape in the JavaScript engine. This could

potentially lead to arbitrary code execution.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

 

* MFSA 2012-95 / CVE-2012-4203: Security researcher

kakzz.ng ( -at -) gmail.com reported that if a javascript: URL is

selected from the list of Firefox "new tab" page, the

script will inherit the privileges of the privileged "new

tab" page. This allows for the execution of locally

installed programs if a user can be convinced to save a

bookmark of a malicious javascript: URL.

 

* MFSA 2012-94 / CVE-2012-5836: Security researcher

Jonathan Stephens discovered that combining SVG text on a

path with the setting of CSS properties could lead to a

potentially exploitable crash.

 

* MFSA 2012-93 / CVE-2012-4201: Mozilla security

researcher moz_bug_r_a4 reported that if code executed by

the evalInSandbox function sets location.href, it can get

the wrong subject principal for the URL check, ignoring the

sandbox's JavaScript context and gaining the context of the

evalInSandbox object. This can lead to malicious web

content being able to perform a cross-site scripting (XSS)

attack or steal a copy of a local file if the user has

installed an add-on vulnerable to this attack.

 

* MFSA 2012-92 / CVE-2012-4202: Security researcher

Atte Kettunen from OUSPG used the Address Sanitizer tool to

discover a buffer overflow while rendering GIF format

images. This issue is potentially exploitable and could

lead to arbitrary code execution.

 

* MFSA 2012-91: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary

code.

 

In general these flaws cannot be exploited through

email in the Thunderbird and SeaMonkey products because

scripting is disabled, but are potentially a risk in

browser or browser-like contexts in those products.

References

 

Gary Kwong, Jesse Ruderman, Christian Holler, Bob

Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky,

Julian Seward, and Bill McCloskey reported memory safety

problems and crashes that affect Firefox 16. (CVE-2012-5843)

 

Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle

Huey reported memory safety problems and crashes that

affect Firefox ESR 10 and Firefox 16. (CVE-2012-5842)

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Software Development Kit 11 SP2:

 

zypper in -t patch sdksp2-firefox-20121121-7093

 

- SUSE Linux Enterprise Server 11 SP2 for VMware:

 

zypper in -t patch slessp2-firefox-20121121-7093

 

- SUSE Linux Enterprise Server 11 SP2:

 

zypper in -t patch slessp2-firefox-20121121-7093

 

- SUSE Linux Enterprise Desktop 11 SP2:

 

zypper in -t patch sledsp2-firefox-20121121-7093

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.14]:

 

mozilla-nss-devel-3.14-0.3.1

 

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.11 and 3.14]:

 

MozillaFirefox-10.0.11-0.3.1

MozillaFirefox-translations-10.0.11-0.3.1

libfreebl3-3.14-0.3.1

mozilla-nss-3.14-0.3.1

mozilla-nss-tools-3.14-0.3.1

 

- SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 3.14]:

 

libfreebl3-32bit-3.14-0.3.1

mozilla-nss-32bit-3.14-0.3.1

 

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.11 and 3.14]:

 

MozillaFirefox-10.0.11-0.3.1

MozillaFirefox-translations-10.0.11-0.3.1

libfreebl3-3.14-0.3.1

mozilla-nss-3.14-0.3.1

mozilla-nss-tools-3.14-0.3.1

 

- SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 3.14]:

 

libfreebl3-32bit-3.14-0.3.1

mozilla-nss-32bit-3.14-0.3.1

 

- SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 3.14]:

 

libfreebl3-x86-3.14-0.3.1

mozilla-nss-x86-3.14-0.3.1

 

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14]:

 

mozilla-nss-3.14-0.6.1

mozilla-nss-devel-3.14-0.6.1

mozilla-nss-tools-3.14-0.6.1

 

- SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x):

 

MozillaFirefox-10.0.11-0.5.1

MozillaFirefox-translations-10.0.11-0.5.1

 

- SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 3.14]:

 

mozilla-nss-32bit-3.14-0.6.1

 

- SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 3.14]:

 

mozilla-nss-x86-3.14-0.6.1

 

- SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 3.14]:

 

mozilla-nss-64bit-3.14-0.6.1

 

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.11 and 3.14]:

 

MozillaFirefox-10.0.11-0.3.1

MozillaFirefox-translations-10.0.11-0.3.1

libfreebl3-3.14-0.3.1

mozilla-nss-3.14-0.3.1

mozilla-nss-tools-3.14-0.3.1

 

- SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 3.14]:

 

libfreebl3-32bit-3.14-0.3.1

mozilla-nss-32bit-3.14-0.3.1

 

- SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 3.14]:

 

mozilla-nss-3.14-0.6.1

mozilla-nss-devel-3.14-0.6.1

mozilla-nss-tools-3.14-0.6.1

 

- SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 3.14]:

 

mozilla-nss-32bit-3.14-0.6.1

 

- SUSE Linux Enterprise Desktop 10 SP4 (i586):

 

MozillaFirefox-10.0.11-0.5.1

MozillaFirefox-translations-10.0.11-0.5.1

 

- SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14]:

 

mozilla-nss-tools-3.14-0.6.1

 

- SLE SDK 10 SP4 (i586 ia64 ppc s390x):

 

MozillaFirefox-branding-upstream-10.0.11-0.5.1

 

 

References:

 

https://bugzilla.novell.com/790140

http://download.novell.com/patch/finder/?keywords=8f4e08deca5960ae494ddceeb6c10708

http://download.novell.com/patch/finder/?keywords=be7a175297dfe6897d72c7cf8ca67245

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
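
An added check, not part of the SUSE advisory: after running the patch command, this compares installed package versions against the fixed versions given in the Package List above for the SLE 11 SP2 products. The sample input is constructed, the function names are illustrative, and GNU `sort -V` stands in for RPM's own version comparison.

```shell
#!/bin/sh
# Fixed versions for SLES/SLED 11 SP2, copied from the advisory's package list.
FIXED="MozillaFirefox 10.0.11-0.3.1
mozilla-nss 3.14-0.3.1
libfreebl3 3.14-0.3.1"

# ver_ge A B: true when A >= B. Uses GNU `sort -V`, which approximates
# (but is not identical to) RPM's own version ordering.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_packages: reads "name version-release" lines on stdin and prints one
# verdict per package named in FIXED. Returns 0 only if none is below the fix.
audit_packages() {
    installed=$(cat)
    rc=0
    while read -r name fixed; do
        have=$(printf '%s\n' "$installed" |
               awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "$name: not installed"
        elif ver_ge "$have" "$fixed"; then
            echo "$name: $have OK (fixed in $fixed)"
        else
            echo "$name: $have NEEDS UPDATE (fixed in $fixed)"
            rc=1
        fi
    done <<EOF
$FIXED
EOF
    return $rc
}

# Constructed sample: a host where Firefox and libfreebl3 predate the update.
SAMPLE_UNPATCHED="MozillaFirefox 10.0.10-0.3.1
mozilla-nss 3.14-0.3.1
libfreebl3 3.13.6-0.2.1"

# On a real host, feed it live data instead:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
#       MozillaFirefox mozilla-nss libfreebl3 | audit_packages
printf '%s\n' "$SAMPLE_UNPATCHED" | audit_packages ||
    echo "host is missing this update"
```

For SLE 10 SP4 hosts, replace the `FIXED` values with the `-0.5.1` and `-0.6.1` releases listed for those products.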

 

 

 
