Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[USN-2052-1] Firefox vulnerabilities

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

==========================================================================

Ubuntu Security Notice USN-2052-1

December 11, 2013

 

firefox vulnerabilities

==========================================================================

 

A security issue affects these releases of Ubuntu and its derivatives:

 

- Ubuntu 13.10

- Ubuntu 13.04

- Ubuntu 12.10

- Ubuntu 12.04 LTS

 

Summary:

 

Firefox could be made to crash or run programs as your login if it

opened a malicious website.

 

Software Description:

- firefox: Mozilla Open Source web browser

 

Details:

 

Ben Turner, Bobby Holley, Jesse Ruderman, Christian Holler and Christoph

Diehl discovered multiple memory safety issues in Firefox. If a user were

tricked in to opening a specially crafted website, an attacker could

potentially exploit these to cause a denial of service via application

crash, or execute arbitrary code with the privileges of the user invoking

Firefox. (CVE-2013-5609, CVE-2013-5610)

 

Myk Melez discovered that the doorhanger notification for web app

installation could persist between page navigations. An attacker could

potentially exploit this to conduct clickjacking attacks. (CVE-2013-5611)

 

Masato Kinugawa discovered that pages with missing character set encoding

information can inherit character encodings across navigations from

another domain. An attacker could potentially exploit this to conduct

cross-site scripting attacks. (CVE-2013-5612)

 

Daniel Veditz discovered that a sandboxed iframe could use an object

element to bypass its own restrictions. (CVE-2013-5614)

 

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free in

event listeners. An attacker could potentially exploit this to cause a

denial of service via application crash, or execute arbitrary code with

the privileges of the user invoking Firefox. (CVE-2013-5616)

 

A use-after-free was discovered in the table editing interface. An

attacker could potentially exploit this to cause a denial of service via

application crash, or execute arbitrary code with the privileges of the

user invoking Firefox. (CVE-2013-5618)

 

Dan Gohman discovered that binary search algorithms in Spidermonkey

used arithmetic prone to overflow in several places. However, this

is issue not believed to be exploitable. (CVE-2013-5619)

 

Tyson Smith and Jesse Schwartzentruber discovered a crash when inserting

an ordered list in to a document using script. An attacker could

potentially exploit this to execute arbitrary code with the privileges

of the user invoking Firefox. (CVE-2013-6671)

 

Vincent Lefevre discovered that web content could access clipboard data

under certain circumstances, resulting in information disclosure.

(CVE-2013-6672)

 

Sijie Xia discovered that trust settings for built-in EV root certificates

were ignored under certain circumstances, removing the ability for a user

to manually untrust certificates from specific authorities.

(CVE-2013-6673)

 

Tyson Smith, Jesse Schwartzentruber and Atte Kettunen discovered a

use-after-free in functions for synthetic mouse movement handling. An

attacker could potentially exploit this to cause a denial of service via

application crash, or execute arbitrary code with the privileges of the

user invoking Firefox. (CVE-2013-5613)

 

Eric Faust discovered that GetElementIC typed array stubs can be generated

outside observed typesets. An attacker could possibly exploit this to

cause undefined behaviour with a potential security impact.

(CVE-2013-5615)

 

Michal Zalewski discovered several issues with JPEG image handling. An

attacker could potentially exploit these to obtain sensitive information.

(CVE-2013-6629, CVE-2013-6630)

 

Update instructions:

 

The problem can be corrected by up[censored] your system to the following

package versions:

 

Ubuntu 13.10:

firefox 26.0+build2-0ubuntu0.13.10.2

 

Ubuntu 13.04:

firefox 26.0+build2-0ubuntu0.13.04.2

 

Ubuntu 12.10:

firefox 26.0+build2-0ubuntu0.12.10.2

 

Ubuntu 12.04 LTS:

firefox 26.0+build2-0ubuntu0.12.04.2

 

After a standard system update you need to restart Firefox to make

all the necessary changes.

 

References:

http://www.ubuntu.com/usn/usn-2052-1

CVE-2013-5609, CVE-2013-5610, CVE-2013-5611, CVE-2013-5612,

CVE-2013-5613, CVE-2013-5614, CVE-2013-5615, CVE-2013-5616,

CVE-2013-5618, CVE-2013-5619, CVE-2013-6629, CVE-2013-6630,

CVE-2013-6671, CVE-2013-6672, CVE-2013-6673,https://launchpad.net/bugs/1258513

 

Package Information:

https://launchpad.net/ubuntu/+source/firefox/26.0+build2-0ubuntu0.13.10.2

https://launchpad.net/ubuntu/+source/firefox/26.0+build2-0ubuntu0.13.04.2

https://launchpad.net/ubuntu/+source/firefox/26.0+build2-0ubuntu0.12.10.2

https://launchpad.net/ubuntu/+source/firefox/26.0+build2-0ubuntu0.12.04.2

 

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×