Security update for Mozilla Firefox

SUSE Security Update: Security update for Mozilla Firefox
Announcement ID: SUSE-SU-2012:0895-1
Rating: important
References: #712248 #771583
Affected Products:
  • SUSE Linux Enterprise Server 10 SP4
  • SUSE Linux Enterprise Desktop 10 SP4
  • SLE SDK 10 SP4

  • An update that fixes 18 vulnerabilities is now available. It includes one version update.

    Description:

    MozillaFirefox has been updated to the 10.0.6ESR security
    release, fixing various bugs and several security issues,
    some of them critical.

    The following security issues have been fixed:

    * MFSA 2012-42: Mozilla developers identified and fixed
      several memory safety bugs in the browser engine used in
      Firefox and other Mozilla-based products. Some of these
      bugs showed evidence of memory corruption under certain
      circumstances, and we presume that with enough effort at
      least some of these could be exploited to run arbitrary
      code.

    * CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian
      Holler, and Bill McCloskey reported memory safety problems
      and crashes that affect Firefox ESR 10 and Firefox 13.

    * MFSA 2012-43 / CVE-2012-1950: Security researcher
      Mario Gomes and research firm Code Audit Labs reported a
      mechanism to short-circuit page loads through drag and drop
      to the addressbar by canceling the page load. This causes
      the address of the previously entered site to be displayed
      in the addressbar instead of the currently loaded page.
      This could lead to potential phishing attacks on users.

    * MFSA 2012-44: Google security researcher Abhishek Arya
      used the Address Sanitizer tool to uncover four issues: two
      use-after-free problems, one out of bounds read bug, and a
      bad cast. The first use-after-free problem is caused when
      an array of nsSMILTimeValueSpec objects is destroyed but
      attempts are made to call into objects in this array later.
      The second use-after-free problem is in
      nsDocument::AdoptNode when it adopts into an empty document
      and then adopts into another document, emptying the first
      one. The heap buffer overflow is in ElementAnimations when
      data is read off the end of an array and then pointers are
      dereferenced. The bad cast happens when
      nsTableFrame::InsertFrames is called with frames in
      aFrameList that are a mix of row group frames and column
      group frames. AppendFrames is not able to handle this mix.

      All four of these issues are potentially exploitable.

      o CVE-2012-1951: Heap-use-after-free in
        nsSMILTimeValueSpec::IsEventBased
      o CVE-2012-1954: Heap-use-after-free in nsDocument::AdoptNode
      o CVE-2012-1953: Out of bounds read in
        ElementAnimations::EnsureStyleRuleFor
      o CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames
    * MFSA 2012-45 / CVE-2012-1955: Security researcher
      Mariusz Mlynski reported an issue with spoofing of the
      location property. In this issue, calls to history.forward
      and history.back are used to navigate to a site while
      displaying the previous site in the addressbar but changing
      the baseURI to the newer site. This can be used for
      phishing by allowing the user to input form or other data
      on the newer, attacking, site while appearing to be on the
      older, displayed site.

    * MFSA 2012-46 / CVE-2012-1966: Mozilla security
      researcher moz_bug_r_a4 reported a cross-site scripting
      (XSS) attack through the context menu using a data: URL. In
      this issue, context menu functionality ("View Image", "Show
      only this frame", and "View background image") is
      disallowed in a javascript: URL but allowed in a data: URL,
      allowing for XSS. This can lead to arbitrary code execution.

    * MFSA 2012-47 / CVE-2012-1957: Security researcher
      Mario Heiderich reported that javascript could be executed
      in the HTML feed-view using a tag within the RSS feed. This
      problem is due to tags not being filtered out during
      parsing and can lead to a potential cross-site scripting
      (XSS) attack. The flaw existed in a parser utility class
      and could affect other parts of the browser or add-ons
      which rely on that class to sanitize untrusted input.

    * MFSA 2012-48 / CVE-2012-1958: Security researcher
      Arthur Gerkis used the Address Sanitizer tool to find a
      use-after-free in nsGlobalWindow::PageHidden when
      mFocusedContent is released and oldFocusedContent is used
      afterwards. This use-after-free could possibly allow for
      remote code execution.

    * MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby
      Holley found that same-compartment security wrappers (SCSW)
      can be bypassed by passing them to another compartment.
      Cross-compartment wrappers often do not go through SCSW,
      but have a filtering policy built into them. When an object
      is wrapped cross-compartment, the SCSW is stripped off and,
      when the object is read back, it is not known that an
      SCSW was previously present, resulting in a bypass of the
      SCSW. This could result in untrusted content having access
      to the XBL that implements browser functionality.

    * MFSA 2012-50 / CVE-2012-1960: Google developer Tony
      Payne reported an out of bounds (OOB) read in QCMS,
      Mozilla's color management library. With a carefully
      crafted color profile, portions of a user's memory could be
      incorporated into a transformed image and possibly
      deciphered.

    * MFSA 2012-51 / CVE-2012-1961: Bugzilla developer
      Frederic Buclin reported that the X-Frame-Options header
      is ignored when the value is duplicated, for example
      "X-Frame-Options: SAMEORIGIN, SAMEORIGIN". This duplication
      occurs for unknown reasons on some websites and, when it
      occurs, results in Mozilla browsers not being protected
      against possible clickjacking attacks on those pages.
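The duplicated-header case above is easy to check for on the server side. The following is an added example, not code from the SUSE advisory or from Mozilla: it collects every X-Frame-Options value a response carries (across repeated header lines and comma-joined values), reports the duplication that affected Firefox builds discarded, and derives the single directive a strict parser would apply. The function names and the sample header lines are constructed for this example.

```python
"""Detect and normalize duplicated X-Frame-Options values.

Added example (not part of the SUSE advisory or Mozilla's code). It models
the header handling described in MFSA 2012-51: a value such as
"SAMEORIGIN, SAMEORIGIN" was ignored by affected Firefox builds, so a site
that emits it silently loses its clickjacking protection. Function names
and the sample responses below are constructed for this example.
"""

# Directives defined for X-Frame-Options. ALLOW-FROM takes a URI argument.
_VALID = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}


def collect_xfo_values(header_lines):
    """Gather every X-Frame-Options value from raw header lines.

    Repeated header lines and comma-joined values (what a proxy produces
    when it merges duplicate headers) are both flattened into one list.
    """
    values = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            for part in value.split(","):
                part = part.strip()
                if part:
                    values.append(part)
    return values


def normalize_xfo(values):
    """Return (effective_value, problems).

    effective_value is the single directive a browser should apply, or
    None when the header is absent or ambiguous. problems lists why a
    strict parser (like the affected Firefox) would discard the header.
    """
    problems = []
    if not values:
        return None, ["missing"]
    canon = []
    for v in values:
        directive = v.split(None, 1)[0].upper()
        if directive not in _VALID:
            problems.append(f"unknown directive {v!r}")
            continue
        # ALLOW-FROM carries a URI, so keep its case; the others are tokens.
        canon.append(v if directive == "ALLOW-FROM" else directive)
    if len(values) > 1:
        problems.append(f"duplicated header value ({len(values)} values)")
    distinct = set(canon)
    if len(distinct) > 1:
        problems.append(f"conflicting directives {sorted(distinct)}")
        return None, problems
    if not distinct:
        return None, problems
    return distinct.pop(), problems


def audit_response(header_lines):
    """Effective X-Frame-Options value plus a short verdict string."""
    value, problems = normalize_xfo(collect_xfo_values(header_lines))
    if value and not problems:
        return value, "ok"
    if value:
        return value, "at-risk: " + "; ".join(problems)
    return None, "unprotected: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed sample responses, one per case.
    samples = {
        "clean": ["HTTP/1.1 200 OK", "X-Frame-Options: SAMEORIGIN"],
        "duplicated": ["X-Frame-Options: SAMEORIGIN, SAMEORIGIN"],
        "conflicting": ["X-Frame-Options: SAMEORIGIN", "x-frame-options: DENY"],
        "absent": ["Content-Type: text/html"],
    }
    for label, headers in samples.items():
        print(f"{label:12} -> {audit_response(headers)}")
```

A response flagged "at-risk" still names the directive the site intended, so the fix is usually to find which layer (application, reverse proxy, CDN) is adding the second copy rather than to change the directive itself.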

    * MFSA 2012-52 / CVE-2012-1962: Security researcher
      Bill Keese reported a memory corruption. This is caused by
      JSDependentString::undepend changing a dependent string
      into a fixed string when there are additional dependent
      strings relying on the same base. When the undepend occurs
      during conversion, the base data is freed, leaving other
      dependent strings with dangling pointers. This can lead to
      a potentially exploitable crash.

    * MFSA 2012-53 / CVE-2012-1963: Security researcher
      Karthikeyan Bhargavan of Prosecco at INRIA reported Content
      Security Policy (CSP) 1.0 implementation errors. CSP
      violation reports generated by Firefox and sent to the
      "report-uri" location include sensitive data within the
      "blocked-uri" parameter. These include fragment components
      and query strings even if the "blocked-uri" parameter has a
      different origin than the protected resource. This can be
      used to retrieve a user's OAuth 2.0 access tokens and
      OpenID credentials by malicious sites.
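The CSP rule the affected builds got wrong is that a cross-origin "blocked-uri" must be reduced to its origin before it is put into a report. The following is an added example, not code from the advisory or from Firefox: it implements that stripping step and builds the report body, so the query string and fragment of a third-party redirect (where OAuth 2.0 tokens and OpenID assertions travel) never reach the report-uri. Function names and sample URLs are constructed for this example.

```python
"""Strip sensitive URL parts from a CSP violation report.

Added example, not code from the SUSE advisory or from Firefox. It applies
the rule MFSA 2012-53 says the affected builds violated: when the blocked
resource's origin differs from the protected document's origin, the
"blocked-uri" field is reduced to the origin alone, so query strings and
fragments never reach a report-uri. Function names and sample URLs are
constructed for this example.
"""
from urllib.parse import urlsplit, urlunsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return scheme://host[:port] with the scheme's default port elided.

    Returns None for URLs without a scheme and host (data:, about:, ...).
    """
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = p.port
    if port is not None and _DEFAULT_PORTS.get(p.scheme) == port:
        port = None
    netloc = p.hostname if port is None else f"{p.hostname}:{port}"
    return urlunsplit((p.scheme, netloc, "", "", ""))


def sanitize_blocked_uri(blocked_uri, document_uri):
    """Apply the CSP 'strip for reporting' rule to blocked-uri.

    Same origin as the protected document: keep the URL minus fragment.
    Different origin: keep only the origin.
    No origin (non-hierarchical URL): report an empty string.
    """
    blocked_origin = origin_of(blocked_uri)
    if blocked_origin is None:
        return ""
    if blocked_origin == origin_of(document_uri):
        p = urlsplit(blocked_uri)
        return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    return blocked_origin


def build_report(document_uri, blocked_uri, violated_directive):
    """Build the JSON-serialisable csp-report body a browser would send."""
    return {
        "csp-report": {
            "document-uri": sanitize_blocked_uri(document_uri, document_uri),
            "blocked-uri": sanitize_blocked_uri(blocked_uri, document_uri),
            "violated-directive": violated_directive,
        }
    }


if __name__ == "__main__":
    import json

    # Constructed sample: a cross-origin identity-provider callback carrying
    # an authorization code and a token fragment, blocked by img-src.
    doc = "https://app.example.com/dashboard"
    blocked = "https://idp.example.org/cb?code=abc123#access_token=SECRET"
    print(json.dumps(build_report(doc, blocked, "img-src 'self'"), indent=2))
```

Note that the same-origin branch still drops the fragment: fragments are never sent to the server and have no place in a report even for the site's own resources.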

    * MFSA 2012-54 / CVE-2012-1964: Security researcher
      Matt McCutchen reported a clickjacking attack using the
      certificate warning page. A man-in-the-middle (MITM)
      attacker can use an iframe to display its own certificate
      error warning page (about:certerror) with the "Add
      Exception" button of a real warning page from a malicious
      site. This can mislead users into adding a certificate
      exception for a different site than the perceived one. This
      can lead to compromised communications with the
      user-perceived site through the MITM attack once the
      certificate exception has been added.

    * MFSA 2012-55 / CVE-2012-1965: Security researchers
      Mario Gomes and Soroush Dalili reported that since Mozilla
      allows the pseudo-protocol feed: to prefix any valid URL,
      it is possible to construct feed:javascript: URLs that will
      execute scripts in some contexts. On some sites it may be
      possible to use this to evade output filtering that would
      otherwise strip javascript: URLs and thus contribute to
      cross-site scripting (XSS) problems on these sites.
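The output-filter weakness this item describes is a blocklist problem: a filter that only strips a leading javascript: never sees the scheme hidden behind feed:. The following is an added example, not code from the advisory or from Mozilla: it shows the naive blocklist check beside a hardened filter that unwraps any feed: prefix, normalises away the whitespace and control characters browsers ignore, and then allowlists the effective scheme. Names and sample inputs are constructed for this example.

```python
"""Allowlist-based link filter that is not fooled by feed:javascript: URLs.

Added example; not from the SUSE advisory or from Mozilla. MFSA 2012-55
notes that an output filter which only strips a leading "javascript:"
lets "feed:javascript:..." through. The hardened filter below decides by
allowlisting the final scheme after unwrapping any feed: prefix, rather
than blocklisting one known-bad scheme. Names and inputs are constructed.
"""
import re

_ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Browsers ignore leading ASCII whitespace/control characters and tabs or
# newlines inside the scheme, so remove those before inspecting it.
_JUNK = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def blocklist_filter(url):
    """The weak pattern the advisory describes: reject javascript: only."""
    return not url.lower().startswith("javascript:")


def effective_scheme(url, max_unwrap=3):
    """Return the scheme that would finally be acted on, unwrapping feed:.

    Returns None for scheme-less (relative) URLs, which resolve against
    the document's base URL and are kept.
    """
    cleaned = _JUNK.sub("", url)
    for _ in range(max_unwrap):
        m = _SCHEME.match(cleaned)
        if not m:
            return None
        scheme = m.group(1).lower()
        if scheme != "feed":
            return scheme
        cleaned = cleaned[m.end():]
    # Nested deeper than we are willing to unwrap: treat as the feed
    # scheme itself, which is not on the allowlist.
    return "feed"


def allowlist_filter(url):
    """Keep a link only if its effective scheme is explicitly allowed."""
    scheme = effective_scheme(url)
    return scheme is None or scheme in _ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample links: ordinary, relative, feed-wrapped, and the
    # wrapped script URL the advisory describes.
    samples = [
        "https://example.com/",
        "/relative/path",
        "feed:https://example.com/rss.xml",
        "feed:javascript:alert(1)",
        "  JavaScript:alert(1)",
    ]
    for url in samples:
        print(f"{url!r:40} blocklist={blocklist_filter(url)!s:5} "
              f"allowlist={allowlist_filter(url)}")
```

The allowlist filter also rejects schemes it has never heard of (data:, vbscript:, and so on), which is the general reason to prefer an allowlist over a blocklist when sanitising links.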

    * MFSA 2012-56 / CVE-2012-1967: Mozilla security
      researcher moz_bug_r_a4 reported an arbitrary code execution
      attack using a javascript: URL. The Gecko engine features a
      JavaScript sandbox utility that allows the browser or
      add-ons to safely execute script in the context of a web
      page. In certain cases, javascript: URLs are executed in
      such a sandbox with insufficient context, which can allow
      those scripts to escape from the sandbox and run with
      elevated privilege. This can lead to arbitrary code
      execution.

    Security Issue references:

    * CVE-2012-1967
    * CVE-2012-1948
    * CVE-2012-1949
    * CVE-2012-1951
    * CVE-2012-1952
    * CVE-2012-1953
    * CVE-2012-1954
    * CVE-2012-1966
    * CVE-2012-1958
    * CVE-2012-1959
    * CVE-2012-1962
    * CVE-2012-1950
    * CVE-2012-1955
    * CVE-2012-1957
    * CVE-2012-1961
    * CVE-2012-1963
    * CVE-2012-1964
    * CVE-2012-1965

    Package List:

    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64):
        • firefox3-gtk2-2.10.6-0.12.1
    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 7]:
        • MozillaFirefox-10.0.6-0.6.1
        • MozillaFirefox-branding-SLED-7-0.8.25
        • MozillaFirefox-translations-10.0.6-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (s390x x86_64):
        • firefox3-gtk2-32bit-2.10.6-0.12.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64):
        • firefox3-gtk2-2.10.6-0.12.1
    • SUSE Linux Enterprise Desktop 10 SP4 (x86_64):
        • firefox3-gtk2-32bit-2.10.6-0.12.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 7]:
        • MozillaFirefox-10.0.6-0.6.1
        • MozillaFirefox-branding-SLED-7-0.8.25
        • MozillaFirefox-translations-10.0.6-0.6.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64):
        • firefox3-gtk2-devel-2.10.6-0.12.1
        • firefox3-gtk2-doc-2.10.6-0.12.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x):
        • MozillaFirefox-branding-upstream-10.0.6-0.6.1

    References:

  • http://support.novell.com/security/cve/CVE-2012-1948.html
  • http://support.novell.com/security/cve/CVE-2012-1949.html
  • http://support.novell.com/security/cve/CVE-2012-1950.html
  • http://support.novell.com/security/cve/CVE-2012-1951.html
  • http://support.novell.com/security/cve/CVE-2012-1952.html
  • http://support.novell.com/security/cve/CVE-2012-1953.html
  • http://support.novell.com/security/cve/CVE-2012-1954.html
  • http://support.novell.com/security/cve/CVE-2012-1955.html
  • http://support.novell.com/security/cve/CVE-2012-1957.html
  • http://support.novell.com/security/cve/CVE-2012-1958.html
  • http://support.novell.com/security/cve/CVE-2012-1959.html
  • http://support.novell.com/security/cve/CVE-2012-1961.html
  • http://support.novell.com/security/cve/CVE-2012-1962.html
  • http://support.novell.com/security/cve/CVE-2012-1963.html
  • http://support.novell.com/security/cve/CVE-2012-1964.html
  • http://support.novell.com/security/cve/CVE-2012-1965.html
  • http://support.novell.com/security/cve/CVE-2012-1966.html
  • http://support.novell.com/security/cve/CVE-2012-1967.html
  • https://bugzilla.novell.com/712248
  • https://bugzilla.novell.com/771583
  • http://download.suse.com/patch/finder/?keywords=96da6f10cbe978aeccb3ac8d9d6b7ef8