Security update for Mozilla Firefox

SUSE Security Update: Security update for Mozilla Firefox
Announcement ID: SUSE-SU-2012:1592-1
Rating: important
References: #790140
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Linux Enterprise Server 11 SP2 for VMware
  • SUSE Linux Enterprise Server 11 SP2
  • SUSE Linux Enterprise Server 10 SP4
  • SUSE Linux Enterprise Desktop 11 SP2
  • SUSE Linux Enterprise Desktop 10 SP4
  • SLE SDK 10 SP4

  • An update that contains security fixes can now be installed. It includes two new package versions.

    Description:

    Mozilla Firefox has been updated to the 10.0.11 ESR
    security release, which fixes various bugs and security
    issues.

    * MFSA 2012-106: Security researcher miaubiz used the
    Address Sanitizer tool to discover a series of critically
    rated use-after-free, buffer overflow, and memory
    corruption issues in shipped software. These issues are
    potentially exploitable, allowing for remote code
    execution. We would also like to thank miaubiz for
    reporting two additional use-after-free and memory
    corruption issues introduced during Firefox development
    that have been fixed before general release.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.
    References:

    The following issues have been fixed in Firefox 17
    and ESR 10.0.11:

    o use-after-free when loading html file on osx (CVE-2012-5830)
    o Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833)
    o integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835)

    The following issues have been fixed in Firefox 17:

    o crash in copyTexImage2D with image dimensions
    too large for given level (CVE-2012-5838)
    * MFSA 2012-105: Security researcher Abhishek Arya
    (Inferno) of the Google Chrome Security Team discovered a
    series of critically rated use-after-free and buffer
    overflow issues using the Address Sanitizer tool in shipped
    software. These issues are potentially exploitable,
    allowing for remote code execution. We would also like to
    thank Abhishek for reporting five additional
    use-after-free, out of bounds read, and buffer overflow
    flaws introduced during Firefox development that have been
    fixed before general release.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.
    References:

    The following issues have been fixed in Firefox 17
    and ESR 10.0.11:

    o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)
    o Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215)
    o Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216)
    o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829)
    o Heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839)
    o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840)

    The following issues have been fixed in Firefox 17:

    o Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212)
    o Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213)
    o Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217)
    o Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218)

    * MFSA 2012-104 / CVE-2012-4210: Security researcher
    Mariusz Mlynski reported that when a maliciously crafted
    stylesheet is inspected in the Style Inspector, HTML and
    CSS can run in a chrome privileged context without being
    properly sanitized first. This can lead to arbitrary code
    execution.

    * MFSA 2012-103 / CVE-2012-4209: Security researcher
    Mariusz Mlynski reported that the location property can be
    accessed by binary plugins through top.location with a
    frame whose name attribute's value is set to "top". This
    can allow for possible cross-site scripting (XSS) attacks
    through plugins.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.

    * MFSA 2012-102 / CVE-2012-5837: Security researcher
    Masato Kinugawa reported that when script is entered into
    the Developer Toolbar, it runs in a chrome privileged
    context. This allows for arbitrary code execution or
    cross-site scripting (XSS) if a user can be convinced to
    paste malicious code into the Developer Toolbar.

    * MFSA 2012-101 / CVE-2012-4207: Security researcher
    Masato Kinugawa found when HZ-GB-2312 charset encoding is
    used for text, the "~" character will destroy another
    character near the chunk delimiter. This can lead to a
    cross-site scripting (XSS) attack in pages encoded in
    HZ-GB-2312.

    * MFSA 2012-100 / CVE-2012-5841: Mozilla developer
    Bobby Holley reported that security wrappers filter at the
    time of property access, but once a function is returned,
    the caller can use this function without further security
    checks. This affects cross-origin wrappers, allowing for
    write actions on objects when only read actions should be
    properly allowed. This can lead to cross-site scripting
    (XSS) attacks.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.

    * MFSA 2012-99 / CVE-2012-4208: Mozilla developer Peter
    Van der Beken discovered that same-origin XrayWrappers
    expose chrome-only properties even when not in a chrome
    compartment. This can allow web content to get properties
    of DOM objects that are intended to be chrome-only.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.

    * MFSA 2012-98 / CVE-2012-4206: Security researcher
    Robert Kugler reported that when a specifically named DLL
    file on a Windows computer is placed in the default
    downloads directory with the Firefox installer, the Firefox
    installer will load this DLL when it is launched. In
    circumstances where the installer is run by an
    administrator privileged account, this allows for the
    downloaded DLL file to be run with administrator
    privileges. This can lead to arbitrary code execution from
    a privileged account.

    * MFSA 2012-97 / CVE-2012-4205: Mozilla developer Gabor
    Krizsanits discovered that XMLHttpRequest objects created
    within sandboxes have the system principal instead of the
    sandbox principal. This can lead to cross-site request
    forgery (CSRF) or information theft via an add-on running
    untrusted code in a sandbox.

    * MFSA 2012-96 / CVE-2012-4204: Security researcher
    Scott Bell of Security-Assessment.com used the Address
    Sanitizer tool to discover a memory corruption in
    str_unescape in the Javascript engine. This could
    potentially lead to arbitrary code execution.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.

    * MFSA 2012-95 / CVE-2012-4203: Security researcher
    kakzz.ng@gmail.com reported that if a javascript: URL is
    selected from the list of Firefox "new tab" page, the
    script will inherit the privileges of the privileged "new
    tab" page. This allows for the execution of locally
    installed programs if a user can be convinced to save a
    bookmark of a malicious javascript: URL.

    * MFSA 2012-94 / CVE-2012-5836: Security researcher
    Jonathan Stephens discovered that combining SVG text on a
    path with the setting of CSS properties could lead to a
    potentially exploitable crash.

    * MFSA 2012-93 / CVE-2012-4201: Mozilla security
    researcher moz_bug_r_a4 reported that if code executed by
    the evalInSandbox function sets location.href, it can get
    the wrong subject principal for the URL check, ignoring the
    sandbox's Javascript context and gaining the context of
    evalInSandbox object. This can lead to malicious web
    content being able to perform a cross-site scripting (XSS)
    attack or stealing a copy of a local file if the user has
    installed an add-on vulnerable to this attack.

    * MFSA 2012-92 / CVE-2012-4202: Security researcher
    Atte Kettunen from OUSPG used the Address Sanitizer tool to
    discover a buffer overflow while rendering GIF format
    images. This issue is potentially exploitable and could
    lead to arbitrary code execution.

    * MFSA 2012-91: Mozilla developers identified and fixed
    several memory safety bugs in the browser engine used in
    Firefox and other Mozilla-based products. Some of these
    bugs showed evidence of memory corruption under certain
    circumstances, and we presume that with enough effort at
    least some of these could be exploited to run arbitrary
    code.

    In general these flaws cannot be exploited through
    email in the Thunderbird and SeaMonkey products because
    scripting is disabled, but are potentially a risk in
    browser or browser-like contexts in those products.
    References:

    Gary Kwong, Jesse Ruderman, Christian Holler, Bob
    Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky,
    Julian Seward, and Bill McCloskey reported memory safety
    problems and crashes that affect Firefox 16. (CVE-2012-5843)

    Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle
    Huey reported memory safety problems and crashes that
    affect Firefox ESR 10 and Firefox 16. (CVE-2012-5842)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-firefox-20121121-7093
    • SUSE Linux Enterprise Server 11 SP2 for VMware:
      zypper in -t patch slessp2-firefox-20121121-7093
    • SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-firefox-20121121-7093
    • SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp2-firefox-20121121-7093

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.14]:
      mozilla-nss-devel-3.14-0.3.1
    • SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.11 and 3.14]:
      MozillaFirefox-10.0.11-0.3.1
      MozillaFirefox-translations-10.0.11-0.3.1
      libfreebl3-3.14-0.3.1
      mozilla-nss-3.14-0.3.1
      mozilla-nss-tools-3.14-0.3.1
    • SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 3.14]:
      libfreebl3-32bit-3.14-0.3.1
      mozilla-nss-32bit-3.14-0.3.1
    • SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.11 and 3.14]:
      MozillaFirefox-10.0.11-0.3.1
      MozillaFirefox-translations-10.0.11-0.3.1
      libfreebl3-3.14-0.3.1
      mozilla-nss-3.14-0.3.1
      mozilla-nss-tools-3.14-0.3.1
    • SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 3.14]:
      libfreebl3-32bit-3.14-0.3.1
      mozilla-nss-32bit-3.14-0.3.1
    • SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 3.14]:
      libfreebl3-x86-3.14-0.3.1
      mozilla-nss-x86-3.14-0.3.1
    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14]:
      mozilla-nss-3.14-0.6.1
      mozilla-nss-devel-3.14-0.6.1
      mozilla-nss-tools-3.14-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x):
      MozillaFirefox-10.0.11-0.5.1
      MozillaFirefox-translations-10.0.11-0.5.1
    • SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 3.14]:
      mozilla-nss-32bit-3.14-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 3.14]:
      mozilla-nss-x86-3.14-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 3.14]:
      mozilla-nss-64bit-3.14-0.6.1
    • SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.11 and 3.14]:
      MozillaFirefox-10.0.11-0.3.1
      MozillaFirefox-translations-10.0.11-0.3.1
      libfreebl3-3.14-0.3.1
      mozilla-nss-3.14-0.3.1
      mozilla-nss-tools-3.14-0.3.1
    • SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 3.14]:
      libfreebl3-32bit-3.14-0.3.1
      mozilla-nss-32bit-3.14-0.3.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 3.14]:
      mozilla-nss-3.14-0.6.1
      mozilla-nss-devel-3.14-0.6.1
      mozilla-nss-tools-3.14-0.6.1
    • SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 3.14]:
      mozilla-nss-32bit-3.14-0.6.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586):
      MozillaFirefox-10.0.11-0.5.1
      MozillaFirefox-translations-10.0.11-0.5.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14]:
      mozilla-nss-tools-3.14-0.6.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x):
      MozillaFirefox-branding-upstream-10.0.11-0.5.1
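    Verification example (added here; this script is not part of the SUSE advisory or of SUSE's tooling): after applying the patch, confirm that each package named above is installed at or beyond its fixed version-release. The FIXED table is copied from the SUSE Linux Enterprise 11 SP2 package list in this advisory; for another product, replace it with that product's entries. The script assumes the rpm command is present and that version-release strings consist of dot- and dash-separated integers, as the ones listed here do. Only the function names (ver_lt, check_package, audit_host) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: check whether the packages named
# in this update are installed at or above the fixed version-release on a host.
# Assumptions: the host runs SUSE Linux Enterprise 11 SP2 (the FIXED table below
# is copied from that product's package list) and the rpm command is available.

# Package name and fixed version-release, one pair per line, from the advisory.
FIXED="MozillaFirefox 10.0.11-0.3.1
MozillaFirefox-translations 10.0.11-0.3.1
libfreebl3 3.14-0.3.1
mozilla-nss 3.14-0.3.1
mozilla-nss-tools 3.14-0.3.1"

# ver_lt A B: exit status 0 (true) when version-release A is older than B.
# Both strings are split on '.' and '-' and compared field by field as integers;
# a missing trailing field counts as 0, so 3.14 and 3.14.0 compare equal.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# check_package NAME FIXED INSTALLED: print one status line; exit status 0 when
# the package is absent (not affected) or at/above the fixed version, 1 otherwise.
check_package() {
    name=$1; fixed=$2; installed=$3
    if [ -z "$installed" ]; then
        echo "$name: not installed"
        return 0
    fi
    if ver_lt "$installed" "$fixed"; then
        echo "$name: NEEDS UPDATE (installed $installed, fixed $fixed)"
        return 1
    fi
    echo "$name: ok (installed $installed)"
    return 0
}

# audit_host: query rpm for every package in FIXED; exit status 1 if any package
# is still below its fixed version, 2 if rpm is unavailable, 0 otherwise.
audit_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; cannot audit" >&2; return 2; }
    rc=0
    while read -r name fixed; do
        [ -n "$name" ] || continue
        # rpm prints "package X is not installed" and fails when the package is absent.
        installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' "$name" 2>/dev/null) || installed=""
        check_package "$name" "$fixed" "$installed" || rc=1
    done <<EOF
$FIXED
EOF
    return $rc
}

# Run the audit only when invoked with --audit, so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

    Run it as `sh firefox_check.sh --audit` on the patched host; a non-zero exit status means at least one listed package is still below the version shipped in this update, which is a cheap post-patch check to wire into configuration management or a compliance scan.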

    References:

    • https://bugzilla.novell.com/790140
    • http://download.suse.com/patch/finder/?keywords=8f4e08deca5960ae494ddceeb6c10708
    • http://download.suse.com/patch/finder/?keywords=be7a175297dfe6897d72c7cf8ca67245