Security update for MozillaFirefox

SUSE Security Update: Security update for MozillaFirefox
Announcement ID: SUSE-SU-2013:0049-1
Rating: important
References: #796628 #796895
Affected Products:
  • SUSE Linux Enterprise Server 10 SP4
  • SUSE Linux Enterprise Desktop 10 SP4
  • SLE SDK 10 SP4

  • An update that contains security fixes can now be installed. It includes two new package versions.

    Description:


    Mozilla Firefox was updated to the 10.0.12ESR release.

    *

    MFSA 2013-01: Mozilla developers identified and fixed
    several memory safety bugs in the browser engine used in
    Firefox and other Mozilla-based products. Some of these
    bugs showed evidence of memory corruption under certain
    circumstances, and we presume that with enough effort at
    least some of these could be exploited to run arbitrary
    code.

    o Christoph Diehl, Christian Holler, Mats
    Palmgren, and Chiaki Ishikawa reported memory safety
    problems and crashes that affect Firefox ESR 10, Firefox
    ESR 17, and Firefox 17. ( CVE-2013-0769
    > ) o Bill Gianopoulos, Benoit Jacob, Christoph Diehl,
    Christian Holler, Gary Kwong, Robert O'Callahan, and
    Scoobidiver reported memory safety problems and crashes
    that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749
    > ) o Jesse Ruderman, Christian Holler, Julian Seward, and
    Scoobidiver reported memory safety problems and crashes
    that affect Firefox 17. (CVE-2013-0770
    > )
    *

    MFSA 2013-02: Security researcher Abhishek Arya
    (Inferno) of the Google Chrome Security Team discovered a
    series critically rated of use-after-free, out of bounds
    read, and buffer overflow issues using the Address
    Sanitizer tool in shipped software. These issues are
    potentially exploitable, allowing for remote code
    execution. We would also like to thank Abhishek for
    reporting three additional user-after-free and out of
    bounds read flaws introduced during Firefox development
    that were fixed before general release.

    The following issue was fixed in Firefox 18:

    o Global-buffer-overflow in
    CharDistributionAnalysis::HandleOneChar (CVE-2013-0760
    > )

    The following issues were fixed in Firefox 18, ESR
    17.0.1, and ESR 10.0.12:

    o Heap-use-after-free in imgRequest::OnStopFrame
    (CVE-2013-0762
    > ) o Heap-use-after-free in ~nsHTMLEditRules
    (CVE-2013-0766
    > ) o Out of bounds read in
    nsSVGPathElement::GetPathLengthScale ( CVE-2013-0767
    > )

    The following issues were fixed in Firefox 18 and ESR
    17.0.1:

    o Heap-use-after-free in
    mozilla::TrackUnionStream::EndTrack ( CVE-2013-0761
    > ) o Heap-use-after-free in Mesa, triggerable by resizing
    a WebGL canvas (CVE-2013-0763
    > ) o Heap-buffer-overflow in
    gfxTextRun::ShrinkToLigatureBoundaries (CVE-2013-0771
    > )

    The following issue was fixed in Firefox 18 and in
    the earlier ESR 10.0.11 release:

    o Heap-buffer-overflow in nsWindow::OnExposeEvent
    (CVE-2012-5829
    > )
    *

    MFSA 2013-03: Security researcher miaubiz used the
    Address Sanitizer tool to discover a buffer overflow in
    Canvas when specific bad height and width values were given
    through HTML. This could lead to a potentially exploitable
    crash. (CVE-2013-0768
    > )

    Miaubiz also found a potentially exploitable crash
    when 2D and 3D content was mixed which was introduced
    during Firefox development and fixed before general release.

    *

    MFSA 2013-04: Security researcher Masato Kinugawa
    found a flaw in which the displayed URL values within the
    addressbar can be spoofed by a page during loading. This
    allows for phishing attacks where a malicious page can
    spoof the identify of another site. ( CVE-2013-0759
    > )

    *

    MFSA 2013-05: Using the Address Sanitizer tool,
    security researcher Atte Kettunen from OUSPG discovered
    that the combination of large numbers of columns and column
    groups in a table could cause the array containing the
    columns during rendering to overwrite itself. This can lead
    to a user-after-free causing a potentially exploitable
    crash. ( CVE-2013-0744
    > )

    *

    MFSA 2013-06: Mozilla developer Wesley Johnston
    reported that when there are two or more iframes on the
    same HTML page, an iframe is able to see the touch events
    and their targets that occur within the other iframes on
    the page. If the iframes are from the same origin, they can
    also access the properties and methods of the targets of
    other iframes but same-origin policy (SOP) restricts access
    across domains. This allows for information leakage and
    possibilities for cross-site scripting (XSS) if another
    vulnerability can be used to get around SOP restrictions.
    (CVE-2013-0751
    > )

    *

    MFSA 2013-07: Mozilla community member Jerry Baker
    reported a crashing issue found through Thunderbird when
    downloading messages over a Secure Sockets Layer (SSL)
    connection. This was caused by a bug in the networking code
    assuming that secure connections were entirely handled on
    the socket transport thread when they can occur on a
    variety of threads. The resulting crash was potentially
    exploitable. (CVE-2013-0764
    > )

    *

    MFSA 2013-08: Mozilla developer Olli Pettay
    discovered that the AutoWrapperChanger class fails to keep
    some javascript objects alive during garbage collection.
    This can lead to an exploitable crash allowing for
    arbitrary code execution. (CVE-2013-0745
    > )

    *

    MFSA 2013-09: Mozilla developer Boris Zbarsky
    reported reported a problem where jsval-returning
    quickstubs fail to wrap their return values, causing a
    compartment mismatch. This mismatch can cause garbage
    collection to occur incorrectly and lead to a potentially
    exploitable crash. (CVE-2013-0746
    > )

    *

    MFSA 2013-10: Mozilla security researcher Jesse
    Ruderman reported that events in the plugin handler can be
    manipulated by web content to bypass same-origin policy
    (SOP) restrictions. This can allow for clickjacking on
    malicious web pages. (CVE-2013-0747
    > )

    *

    MFSA 2013-11: Mozilla security researcher Jesse
    Ruderman discovered that using the toString function of XBL
    objects can lead to inappropriate information leakage by
    revealing the address space layout instead of just the ID
    of the object. This layout information could potentially be
    used to bypass ASLR and other security protections.
    (CVE-2013-0748
    > )

    *

    MFSA 2013-12: Security researcher pa_kt reported a
    flaw via TippingPoint's Zero Day Initiative that an integer
    overflow is possible when calculating the length for a
    Javascript string concatenation, which is then used for
    memory allocation. This results in a buffer overflow,
    leading to a potentially exploitable memory corruption.
    (CVE-2013-0750
    > )

    *

    MFSA 2013-13: Security researcher Sviatoslav Chagaev
    reported that when using an XBL file containing multiple
    XML bindings with SVG content, a memory corruption can
    occur. In concern with remote XUL, this can lead to an
    exploitable crash. (CVE-2013-0752
    > )

    *

    MFSA 2013-14: Security researcher Mariusz Mlynski
    reported that it is possible to change the prototype of an
    object and bypass Chrome Object Wrappers (COW) to gain
    access to chrome privileged functions. This could allow for
    arbitrary code execution. (CVE-2013-0757
    > )

    *

    MFSA 2013-15: Security researcher Mariusz Mlynski
    reported that it is possible to open a chrome privileged
    web page through plugin objects through interaction with
    SVG elements. This could allow for arbitrary code
    execution. (CVE-2013-0758
    > )

    *

    MFSA 2013-16: Security researcher regenrecht
    reported, via TippingPoint's Zero Day Initiative, a
    use-after-free in XMLSerializer by the exposing of
    serializeToStream to web content. This can lead to
    arbitrary code execution when exploited. (CVE-2013-0753
    > )

    *

    MFSA 2013-17: Security researcher regenrecht
    reported, via TippingPoint's Zero Day Initiative, a
    use-after-free within the ListenerManager when garbage
    collection is forced after data in listener objects have
    been allocated in some circumstances. This results in a
    use-after-free which can lead to arbitrary code execution.
    (CVE-2013-0754
    > )

    *

    MFSA 2013-18: Security researcher regenrecht
    reported, via TippingPoint's Zero Day Initiative, a
    use-after-free using the domDoc pointer within Vibrate
    library. This can lead to arbitrary code execution when
    exploited. (CVE-2013-0755
    > )

    *

    MFSA 2013-19: Security researcher regenrecht
    reported, via TippingPoint's Zero Day Initiative, a garbage
    collection flaw in Javascript Proxy objects. This can lead
    to a use-after-free leading to arbitrary code execution.
    (CVE-2013-0756
    > )

    *

    MFSA 2013-20: Google reported to Mozilla that
    TURKTRUST, a certificate authority in Mozilla's root
    program, had mis-issued two intermediate certificates to
    customers. The issue was not specific to Firefox but there
    was evidence that one of the certificates was used for
    man-in-the-middle (MITM) traffic management of domain names
    that the customer did not legitimately own or control. This
    issue was resolved by revoking the trust for these specific
    mis-issued certificates. (CVE-2013-0743
    > )

    Special Instructions and Notes:

    This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application. This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application.

    Package List:

    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14.1 and 4.9.4]:
    • mozilla-nspr-4.9.4-0.6.1
    • mozilla-nspr-devel-4.9.4-0.6.1
    • mozilla-nss-3.14.1-0.6.1
    • mozilla-nss-devel-3.14.1-0.6.1
    • mozilla-nss-tools-3.14.1-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x):
    • MozillaFirefox-10.0.12-0.6.1
    • MozillaFirefox-translations-10.0.12-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (s390x x86_64) [New Version: 3.14.1 and 4.9.4]:
    • mozilla-nspr-32bit-4.9.4-0.6.1
    • mozilla-nss-32bit-3.14.1-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (ia64) [New Version: 3.14.1 and 4.9.4]:
    • mozilla-nspr-x86-4.9.4-0.6.1
    • mozilla-nss-x86-3.14.1-0.6.1
    • SUSE Linux Enterprise Server 10 SP4 (ppc) [New Version: 3.14.1 and 4.9.4]:
    • mozilla-nspr-64bit-4.9.4-0.6.1
    • mozilla-nss-64bit-3.14.1-0.6.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586 x86_64) [New Version: 3.14.1 and 4.9.4]:
    • mozilla-nspr-4.9.4-0.6.1
    • mozilla-nspr-devel-4.9.4-0.6.1
    • mozilla-nss-3.14.1-0.6.1
    • mozilla-nss-devel-3.14.1-0.6.1
    • mozilla-nss-tools-3.14.1-0.6.1
    • SUSE Linux Enterprise Desktop 10 SP4 (x86_64) [New Version: 3.14.1 and 4.9.4]:
    • mozilla-nspr-32bit-4.9.4-0.6.1
    • mozilla-nss-32bit-3.14.1-0.6.1
    • SUSE Linux Enterprise Desktop 10 SP4 (i586):
    • MozillaFirefox-10.0.12-0.6.1
    • MozillaFirefox-translations-10.0.12-0.6.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x x86_64) [New Version: 3.14.1]:
    • mozilla-nss-tools-3.14.1-0.6.1
    • SLE SDK 10 SP4 (i586 ia64 ppc s390x):
    • MozillaFirefox-branding-upstream-10.0.12-0.6.1

    References:

    • https://bugzilla.novell.com/796628
    • https://bugzilla.novell.com/796895
    • http://download.suse.com/patch/finder/?keywords=dbe0a7820fa20c51a9e400f8a2814641