Security update for Mozilla Firefox

SUSE Security Update: Security update for Mozilla Firefox
Announcement ID: SUSE-SU-2012:1351-1
Rating: important
References: #783533
Affected Products:
  • SUSE Linux Enterprise Server 11 SP2 for VMware
  • SUSE Linux Enterprise Server 11 SP2
  • SUSE Linux Enterprise Server 10 SP4
  • SUSE Linux Enterprise Desktop 11 SP2
  • SUSE Linux Enterprise Desktop 10 SP4
  • SLE SDK 10 SP4

    An update that fixes 27 vulnerabilities is now available. It includes two new package versions.

    Description:


    MozillaFirefox was updated to the 10.0.9 ESR security release, which
    fixes bugs and security issues:

    * MFSA 2012-73 / CVE-2012-3977: Security researchers Thai Duong and
      Juliano Rizzo reported that SPDY's request header compression leads
      to information leakage, which can allow the extraction of private
      data such as session cookies, even over an encrypted SSL connection.
      (This does not affect Firefox 10, as it does not feature the SPDY
      extension. It was silently fixed for Firefox 15.)

    * MFSA 2012-74: Mozilla developers identified and fixed several memory
      safety bugs in the browser engine used in Firefox and other
      Mozilla-based products. Some of these bugs showed evidence of memory
      corruption under certain circumstances, and we presume that with
      enough effort at least some of these could be exploited to run
      arbitrary code.

      In general these flaws cannot be exploited through email in the
      Thunderbird and SeaMonkey products because scripting is disabled,
      but are potentially a risk in browser or browser-like contexts in
      those products.

      * CVE-2012-3983: Henrik Skupin, Jesse Ruderman and moz_bug_r_a4
        reported memory safety problems and crashes that affect Firefox 15.

      * CVE-2012-3982: Christian Holler and Jesse Ruderman reported memory
        safety problems and crashes that affect Firefox ESR 10 and
        Firefox 15.

    * MFSA 2012-75 / CVE-2012-3984: Security researcher David Bloom of Cue
      discovered that "select" elements are always-on-top chromeless
      windows and that navigation away from a page with an active "select"
      menu does not remove this window. When another menu is opened
      programmatically on a new page, the original "select" menu can be
      retained and arbitrary HTML content within it rendered, allowing an
      attacker to cover arbitrary portions of the new page through
      absolute positioning/scrolling, leading to spoofing attacks.
      Security researcher Jordi Chancel found a variation that would allow
      for click-jacking attacks as well.

      In general these flaws cannot be exploited through email in the
      Thunderbird and SeaMonkey products because scripting is disabled,
      but are potentially a risk in browser or browser-like contexts in
      those products.

      References (Mozilla bug titles):

      * Navigation away from a page with an active "select" dropdown menu
        can be used for URL spoofing, other evil

      * Firefox 10.0.1 : Navigation away from a page with multiple active
        "select" dropdown menu can be used for Spoofing And ClickJacking
        with XPI using window.open and geolocalisation

    * MFSA 2012-76 / CVE-2012-3985: Security researcher Collin Jackson
      reported a violation of the HTML5 specification for document.domain
      behavior. The specified behavior requires pages to only have access
      to windows in the new document.domain, but the observed violation
      allowed pages to retain access to windows from the page's initial
      origin in addition to the new document.domain. This could
      potentially lead to cross-site scripting (XSS) attacks.

    * MFSA 2012-77 / CVE-2012-3986: Mozilla developer Johnny Stenback
      discovered that several methods of a feature used for testing
      (DOMWindowUtils) are not protected by existing security checks,
      allowing these methods to be called through script by web pages.
      This was addressed by adding the existing security checks to these
      methods.

    * MFSA 2012-78 / CVE-2012-3987: Security researcher Warren He reported
      that when a page is transitioned into Reader Mode in Firefox for
      Android, the resulting page has chrome privileges and its content is
      not thoroughly sanitized. A successful attack requires the user to
      enable Reader Mode for a malicious page, which could then perform an
      attack similar to cross-site scripting (XSS) to gain the privileges
      allowed to Firefox on an Android device. This has been fixed by
      changing the Reader Mode page into an unprivileged page.

      This vulnerability only affects Firefox for Android.

    * MFSA 2012-79 / CVE-2012-3988: Security researcher Soroush Dalili
      reported that a combination of invoking full screen mode and
      navigating backwards in history could, in some circumstances, cause
      a hang or crash due to a timing-dependent use-after-free pointer
      reference. This crash may be potentially exploitable.

    * MFSA 2012-80 / CVE-2012-3989: Mozilla community member Ms2ger
      reported a crash due to an invalid cast when using the instanceof
      operator on certain types of JavaScript objects. This can lead to a
      potentially exploitable crash.

    * MFSA 2012-81 / CVE-2012-3991: Mozilla community member Alice White
      reported that when the GetProperty function is invoked through
      JSAPI, security checking can be bypassed when getting cross-origin
      properties. This potentially allowed for arbitrary code execution.

    * MFSA 2012-82 / CVE-2012-3994: Security researcher Mariusz Mlynski
      reported that the location property can be accessed by binary
      plugins through top.location, and that top can be shadowed by
      Object.defineProperty as well. This can allow for possible
      cross-site scripting (XSS) attacks through plugins.

    * MFSA 2012-83: Security researcher Mariusz Mlynski reported that when
      InstallTrigger fails, it throws an error wrapped in a Chrome Object
      Wrapper (COW) that fails to specify exposed properties. These can
      then be added to the resulting object by an attacker, allowing
      access to chrome privileged functions through script.

      While investigating this issue, Mozilla security researcher
      moz_bug_r_a4 found that COW did not disallow accessing of properties
      from a standard prototype in some situations, even when the original
      issue had been fixed.

      These issues could allow for a cross-site scripting (XSS) attack or
      arbitrary code execution.

      * CVE-2012-3993: XrayWrapper pollution via unsafe COW

      * CVE-2012-4184: ChromeObjectWrapper is not implemented as intended

    * MFSA 2012-84 / CVE-2012-3992: Security researcher Mariusz Mlynski
      reported an issue with spoofing of the location property. In this
      issue, writes to location.hash can be used in concert with scripted
      history navigation to cause a specific website to be loaded into
      the history object. The baseURI can then be changed to this stored
      site, allowing an attacker to inject a script or intercept data
      posted to a location specified with a relative path.

    * MFSA 2012-85: Security researcher Abhishek Arya (Inferno) of the
      Google Chrome Security Team discovered a series of use-after-free,
      buffer overflow, and out of bounds read issues using the Address
      Sanitizer tool in shipped software. These issues are potentially
      exploitable, allowing for remote code execution. We would also like
      to thank Abhishek for reporting two additional use-after-free flaws
      introduced during Firefox 16 development and fixed before general
      release.

      * CVE-2012-3995: Out of bounds read in IsCSSWordSpacingSpace

      * CVE-2012-4179: Heap-use-after-free in
        nsHTMLCSSUtils::CreateCSSPropertyTxn

      * CVE-2012-4180: Heap-buffer-overflow in
        nsHTMLEditor::IsPrevCharInNodeWhitespace

      * CVE-2012-4181: Heap-use-after-free in
        nsSMILAnimationController::DoSample

      * CVE-2012-4182: Heap-use-after-free in nsTextEditRules::WillInsert

      * CVE-2012-4183: Heap-use-after-free in
        DOMSVGTests::GetRequiredFeatures

    * MFSA 2012-86: Security researcher Atte Kettunen from OUSPG reported
      several heap memory corruption issues found using the Address
      Sanitizer tool. These issues are potentially exploitable, allowing
      for remote code execution.

      * CVE-2012-4185: Global-buffer-overflow in nsCharTraits::length

      * CVE-2012-4186: Heap-buffer-overflow in nsWaveReader::DecodeAudioData

      * CVE-2012-4187: Crash with ASSERTION: insPos too small

      * CVE-2012-4188: Heap-buffer-overflow in Convolve3x3

    * MFSA 2012-87 / CVE-2012-3990: Security researcher miaubiz used the
      Address Sanitizer tool to discover a use-after-free in the IME State
      Manager code. This could lead to a potentially exploitable crash.

    * MFSA 2012-89 / CVE-2012-4192 / CVE-2012-4193: Mozilla security
      researcher moz_bug_r_a4 reported a regression where security
      wrappers are unwrapped without doing a security check in
      defaultValue(). This can allow for improper access to the Location
      object. In versions 15 and earlier of affected products, there was
      also the potential for arbitrary code execution.

    Security Issue reference:

    * CVE-2012-3977
    * CVE-2012-3982
    * CVE-2012-3983
    * CVE-2012-3984
    * CVE-2012-3985
    * CVE-2012-3986
    * CVE-2012-3987
    * CVE-2012-3988
    * CVE-2012-3989
    * CVE-2012-3990
    * CVE-2012-3991
    * CVE-2012-3992
    * CVE-2012-3993
    * CVE-2012-3994
    * CVE-2012-3995
    * CVE-2012-4179
    * CVE-2012-4180
    * CVE-2012-4181
    * CVE-2012-4182
    * CVE-2012-4183
    * CVE-2012-4184
    * CVE-2012-4185
    * CVE-2012-4186
    * CVE-2012-4187
    * CVE-2012-4188
    * CVE-2012-4192
    * CVE-2012-4193

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11 SP2 for VMware:
      zypper in -t patch slessp2-firefox-201210-6951
    • SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-firefox-201210-6951
    • SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp2-firefox-201210-6951

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.9]:
        • MozillaFirefox-10.0.9-0.3.1
        • MozillaFirefox-translations-10.0.9-0.3.1
    • SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.9]:
        • MozillaFirefox-10.0.9-0.3.1
        • MozillaFirefox-branding-SLED-7-0.6.7.85
        • MozillaFirefox-translations-10.0.9-0.3.1
    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version: 7]:
        • MozillaFirefox-10.0.9-0.5.1
        • MozillaFirefox-branding-SLED-7-0.8.35
        • MozillaFirefox-translations-10.0.9-0.5.1
    • SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.9]:
        • MozillaFirefox-10.0.9-0.3.1
        • MozillaFirefox-branding-SLED-7-0.6.7.85
        • MozillaFirefox-translations-10.0.9-0.3.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 7]:
        • MozillaFirefox-10.0.9-0.5.1
        • MozillaFirefox-branding-SLED-7-0.8.35
        • MozillaFirefox-translations-10.0.9-0.5.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x):
        • MozillaFirefox-branding-upstream-10.0.9-0.5.1

    References:

    • http://support.novell.com/security/cve/CVE-2012-3977.html
    • http://support.novell.com/security/cve/CVE-2012-3982.html
    • http://support.novell.com/security/cve/CVE-2012-3983.html
    • http://support.novell.com/security/cve/CVE-2012-3984.html
    • http://support.novell.com/security/cve/CVE-2012-3985.html
    • http://support.novell.com/security/cve/CVE-2012-3986.html
    • http://support.novell.com/security/cve/CVE-2012-3987.html
    • http://support.novell.com/security/cve/CVE-2012-3988.html
    • http://support.novell.com/security/cve/CVE-2012-3989.html
    • http://support.novell.com/security/cve/CVE-2012-3990.html
    • http://support.novell.com/security/cve/CVE-2012-3991.html
    • http://support.novell.com/security/cve/CVE-2012-3992.html
    • http://support.novell.com/security/cve/CVE-2012-3993.html
    • http://support.novell.com/security/cve/CVE-2012-3994.html
    • http://support.novell.com/security/cve/CVE-2012-3995.html
    • http://support.novell.com/security/cve/CVE-2012-4179.html
    • http://support.novell.com/security/cve/CVE-2012-4180.html
    • http://support.novell.com/security/cve/CVE-2012-4181.html
    • http://support.novell.com/security/cve/CVE-2012-4182.html
    • http://support.novell.com/security/cve/CVE-2012-4183.html
    • http://support.novell.com/security/cve/CVE-2012-4184.html
    • http://support.novell.com/security/cve/CVE-2012-4185.html
    • http://support.novell.com/security/cve/CVE-2012-4186.html
    • http://support.novell.com/security/cve/CVE-2012-4187.html
    • http://support.novell.com/security/cve/CVE-2012-4188.html
    • http://support.novell.com/security/cve/CVE-2012-4192.html
    • http://support.novell.com/security/cve/CVE-2012-4193.html
    • https://bugzilla.novell.com/783533
    • http://download.suse.com/patch/finder/?keywords=9df8424f201589e4fca1abdc2e0b1023
    • http://download.suse.com/patch/finder/?keywords=b54051bb7b93d9b879c04f373ce0061d