Security update for Mozilla Firefox
SUSE Security Update: Security update for Mozilla Firefox
Mozilla Firefox is updated to the 10.0.12ESR version.
This is a roll-up update for LTSS.
It fixes a lot of security issues and bugs. 10.0.12ESR
fixes specifically:
*
MFSA 2013-01: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.
Christoph Diehl, Christian Holler, Mats Palmgren, and
Chiaki Ishikawa reported memory safety problems and crashes
that affect Firefox ESR 10, Firefox ESR 17, and Firefox 17.
(CVE-2013-0769)
Bill Gianopoulos, Benoit Jacob, Christoph Diehl,
Christian Holler, Gary Kwong, Robert O'Callahan, and
Scoobidiver reported memory safety problems and crashes
that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749)
Jesse Ruderman, Christian Holler, Julian Seward, and
Scoobidiver reported memory safety problems and crashes
that affect Firefox 17. (CVE-2013-0770)
*
MFSA 2013-02: Security researcher Abhishek Arya
(Inferno) of the Google Chrome Security Team discovered a
series critically rated of use-after-free, out of bounds
read, and buffer overflow issues using the Address
Sanitizer tool in shipped software. These issues are
potentially exploitable, allowing for remote code
execution. We would also like to thank Abhishek for
reporting three additional user-after-free and out of
bounds read flaws introduced during Firefox development
that were fixed before general release.
The following issue has been fixed in Firefox 18:
o Global-buffer-overflow in
CharDistributionAnalysis::HandleOneChar (CVE-2013-0760)
The following issues has been fixed in Firefox 18,
ESR 17.0.1, and ESR 10.0.12:
o Heap-use-after-free in imgRequest::OnStopFrame
(CVE-2013-0762) o Heap-use-after-free in ~nsHTMLEditRules
(CVE-2013-0766) o Out of bounds read in
nsSVGPathElement::GetPathLengthScale (CVE-2013-0763) o
Heap-buffer-overflow in
gfxTextRun::ShrinkToLigatureBoundaries (CVE-2013-0771)
The following issue has been fixed in Firefox 18 and
in the earlier ESR 10.0.11 release:
o Heap-buffer-overflow in nsWindow::OnExposeEvent
(CVE-2012-5829)
*
MFSA 2013-03: Security researcher miaubiz used the
Address Sanitizer tool to discover a buffer overflow in
Canvas when specific bad height and width values were given
through HTML. This could lead to a potentially exploitable
crash. (CVE-2013-0768)
Miaubiz also found a potentially exploitable crash
when 2D and 3D content was mixed which was introduced
during Firefox development and fixed before general release.
*
MFSA 2013-04: Security researcher Masato Kinugawa
found a flaw in which the displayed URL values within the
addressbar can be spoofed by a page during loading. This
allows for phishing attacks where a malicious page can
spoof the identify of another site. (CVE-2013-0759)
*
MFSA 2013-05: Using the Address Sanitizer tool,
security researcher Atte Kettunen from OUSPG discovered
that the combination of large numbers of columns and column
groups in a table could cause the array containing the
columns during rendering to overwrite itself. This can lead
to a user-after-free causing a potentially exploitable
crash. (CVE-2013-0744)
*
MFSA 2013-06: Mozilla developer Wesley Johnston
reported that when there are two or more iframes on the
same HTML page, an iframe is able to see the touch events
and their targets that occur within the other iframes on
the page. If the iframes are from the same origin, they can
also access the properties and methods of the targets of
other iframes but same-origin policy (SOP) restricts access
across domains. This allows for information leakage and
possibilities for cross-site scripting (XSS) if another
vulnerability can be used to get around SOP restrictions.
(CVE-2013-0751)
*
MFSA 2013-07: Mozilla community member Jerry Baker
reported a crashing issue found through Thunderbird when
downloading messages over a Secure Sockets Layer (SSL)
connection. This was caused by a bug in the networking code
assuming that secure connections were entirely handled on
the socket transport thread when they can occur on a
variety of threads. The resulting crash was potentially
exploitable. (CVE-2013-0764)
*
MFSA 2013-08: Mozilla developer Olli Pettay
discovered that the AutoWrapperChanger class fails to keep
some javascript objects alive during garbage collection.
This can lead to an exploitable crash allowing for
arbitrary code execution. (CVE-2013-0745)
*
MFSA 2013-09: Mozilla developer Boris Zbarsky
reported reported a problem where jsval-returning
quickstubs fail to wrap their return values, causing a
compartment mismatch. This mismatch can cause garbage
collection to occur incorrectly and lead to a potentially
exploitable crash. (CVE-2013-0746)
*
MFSA 2013-10: Mozilla security researcher Jesse
Ruderman reported that events in the plugin handler can be
manipulated by web content to bypass same-origin policy
(SOP) restrictions. This can allow for clickjacking on
malicious web pages. (CVE-2013-0747)
*
MFSA 2013-11: Mozilla security researcher Jesse
Ruderman discovered that using the toString function of XBL
objects can lead to inappropriate information leakage by
revealing the address space layout instead of just the ID
of the object. This layout information could potentially be
used to bypass ASLR and other security protections.
(CVE-2013-0748)
*
MFSA 2013-12: Security researcher pa_kt reported a
flaw via TippingPoint's Zero Day Initiative that an integer
overflow is possible when calculating the length for a
Javascript string concatenation, which is then used for
memory allocation. This results in a buffer overflow,
leading to a potentially exploitable memory corruption.
(CVE-2013-0750)
*
MFSA 2013-13: Security researcher Sviatoslav Chagaev
reported that when using an XBL file containing multiple
XML bindings with SVG content, a memory corruption can
occur. In concern with remote XUL, this can lead to an
exploitable crash. (CVE-2013-0752)
*
MFSA 2013-14: Security researcher Mariusz Mlynski
reported that it is possible to change the prototype of an
object and bypass Chrome Object Wrappers (COW) to gain
access to chrome privileged functions. This could allow for
arbitrary code execution. (CVE-2013-0757)
*
MFSA 2013-15: Security researcher Mariusz Mlynski
reported that it is possible to open a chrome privileged
web page through plugin objects through interaction with
SVG elements. This could allow for arbitrary code
execution. (CVE-2013-0758)
*
MFSA 2013-16: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a
use-after-free in XMLSerializer by the exposing of
serializeToStream to web content. This can lead to
arbitrary code execution when exploited. (CVE-2013-0753)
*
MFSA 2013-17: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a
use-after-free within the ListenerManager when garbage
collection is forced after data in listener objects have
been allocated in some circumstances. This results in a
use-after-free which can lead to arbitrary code execution.
(CVE-2013-0754)
*
MFSA 2013-18: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a
use-after-free using the domDoc pointer within Vibrate
library. This can lead to arbitrary code execution when
exploited. (CVE-2013-0755)
*
MFSA 2013-19: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a garbage
collection flaw in Javascript Proxy objects. This can lead
to a use-after-free leading to arbitrary code execution.
(CVE-2013-0756)
*
MFSA 2013-20: Google reported to Mozilla that
TURKTRUST, a certificate authority in Mozilla's root
program, had mis-issued two intermediate certificates to
customers. The issue was not specific to Firefox but there
was evidence that one of the certificates was used for
man-in-the-middle (MITM) traffic management of domain names
that the customer did not legitimately own or control. This
issue was resolved by revoking the trust for these specific
mis-issued certificates. (CVE-2013-0743)
| Announcement ID: | SUSE-SU-2013:0306-1 |
| Rating: | important |
| References: | #666101 #681836 #684069 #712248 #769762 #796895 |
| Affected Products: |
An update that contains security fixes can now be installed. It includes three new package versions.
Description:
Mozilla Firefox is updated to the 10.0.12ESR version.
This is a roll-up update for LTSS.
It fixes a lot of security issues and bugs. 10.0.12ESR
fixes specifically:
*
MFSA 2013-01: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.
Christoph Diehl, Christian Holler, Mats Palmgren, and
Chiaki Ishikawa reported memory safety problems and crashes
that affect Firefox ESR 10, Firefox ESR 17, and Firefox 17.
(CVE-2013-0769)
Bill Gianopoulos, Benoit Jacob, Christoph Diehl,
Christian Holler, Gary Kwong, Robert O'Callahan, and
Scoobidiver reported memory safety problems and crashes
that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749)
Jesse Ruderman, Christian Holler, Julian Seward, and
Scoobidiver reported memory safety problems and crashes
that affect Firefox 17. (CVE-2013-0770)
*
MFSA 2013-02: Security researcher Abhishek Arya
(Inferno) of the Google Chrome Security Team discovered a
series critically rated of use-after-free, out of bounds
read, and buffer overflow issues using the Address
Sanitizer tool in shipped software. These issues are
potentially exploitable, allowing for remote code
execution. We would also like to thank Abhishek for
reporting three additional user-after-free and out of
bounds read flaws introduced during Firefox development
that were fixed before general release.
The following issue has been fixed in Firefox 18:
o Global-buffer-overflow in
CharDistributionAnalysis::HandleOneChar (CVE-2013-0760)
The following issues has been fixed in Firefox 18,
ESR 17.0.1, and ESR 10.0.12:
o Heap-use-after-free in imgRequest::OnStopFrame
(CVE-2013-0762) o Heap-use-after-free in ~nsHTMLEditRules
(CVE-2013-0766) o Out of bounds read in
nsSVGPathElement::GetPathLengthScale (CVE-2013-0763) o
Heap-buffer-overflow in
gfxTextRun::ShrinkToLigatureBoundaries (CVE-2013-0771)
The following issue has been fixed in Firefox 18 and
in the earlier ESR 10.0.11 release:
o Heap-buffer-overflow in nsWindow::OnExposeEvent
(CVE-2012-5829)
*
MFSA 2013-03: Security researcher miaubiz used the
Address Sanitizer tool to discover a buffer overflow in
Canvas when specific bad height and width values were given
through HTML. This could lead to a potentially exploitable
crash. (CVE-2013-0768)
Miaubiz also found a potentially exploitable crash
when 2D and 3D content was mixed which was introduced
during Firefox development and fixed before general release.
*
MFSA 2013-04: Security researcher Masato Kinugawa
found a flaw in which the displayed URL values within the
addressbar can be spoofed by a page during loading. This
allows for phishing attacks where a malicious page can
spoof the identify of another site. (CVE-2013-0759)
*
MFSA 2013-05: Using the Address Sanitizer tool,
security researcher Atte Kettunen from OUSPG discovered
that the combination of large numbers of columns and column
groups in a table could cause the array containing the
columns during rendering to overwrite itself. This can lead
to a user-after-free causing a potentially exploitable
crash. (CVE-2013-0744)
*
MFSA 2013-06: Mozilla developer Wesley Johnston
reported that when there are two or more iframes on the
same HTML page, an iframe is able to see the touch events
and their targets that occur within the other iframes on
the page. If the iframes are from the same origin, they can
also access the properties and methods of the targets of
other iframes but same-origin policy (SOP) restricts access
across domains. This allows for information leakage and
possibilities for cross-site scripting (XSS) if another
vulnerability can be used to get around SOP restrictions.
(CVE-2013-0751)
*
MFSA 2013-07: Mozilla community member Jerry Baker
reported a crashing issue found through Thunderbird when
downloading messages over a Secure Sockets Layer (SSL)
connection. This was caused by a bug in the networking code
assuming that secure connections were entirely handled on
the socket transport thread when they can occur on a
variety of threads. The resulting crash was potentially
exploitable. (CVE-2013-0764)
*
MFSA 2013-08: Mozilla developer Olli Pettay
discovered that the AutoWrapperChanger class fails to keep
some javascript objects alive during garbage collection.
This can lead to an exploitable crash allowing for
arbitrary code execution. (CVE-2013-0745)
*
MFSA 2013-09: Mozilla developer Boris Zbarsky
reported reported a problem where jsval-returning
quickstubs fail to wrap their return values, causing a
compartment mismatch. This mismatch can cause garbage
collection to occur incorrectly and lead to a potentially
exploitable crash. (CVE-2013-0746)
*
MFSA 2013-10: Mozilla security researcher Jesse
Ruderman reported that events in the plugin handler can be
manipulated by web content to bypass same-origin policy
(SOP) restrictions. This can allow for clickjacking on
malicious web pages. (CVE-2013-0747)
*
MFSA 2013-11: Mozilla security researcher Jesse
Ruderman discovered that using the toString function of XBL
objects can lead to inappropriate information leakage by
revealing the address space layout instead of just the ID
of the object. This layout information could potentially be
used to bypass ASLR and other security protections.
(CVE-2013-0748)
*
MFSA 2013-12: Security researcher pa_kt reported a
flaw via TippingPoint's Zero Day Initiative that an integer
overflow is possible when calculating the length for a
Javascript string concatenation, which is then used for
memory allocation. This results in a buffer overflow,
leading to a potentially exploitable memory corruption.
(CVE-2013-0750)
*
MFSA 2013-13: Security researcher Sviatoslav Chagaev
reported that when using an XBL file containing multiple
XML bindings with SVG content, a memory corruption can
occur. In concern with remote XUL, this can lead to an
exploitable crash. (CVE-2013-0752)
*
MFSA 2013-14: Security researcher Mariusz Mlynski
reported that it is possible to change the prototype of an
object and bypass Chrome Object Wrappers (COW) to gain
access to chrome privileged functions. This could allow for
arbitrary code execution. (CVE-2013-0757)
*
MFSA 2013-15: Security researcher Mariusz Mlynski
reported that it is possible to open a chrome privileged
web page through plugin objects through interaction with
SVG elements. This could allow for arbitrary code
execution. (CVE-2013-0758)
*
MFSA 2013-16: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a
use-after-free in XMLSerializer by the exposing of
serializeToStream to web content. This can lead to
arbitrary code execution when exploited. (CVE-2013-0753)
*
MFSA 2013-17: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a
use-after-free within the ListenerManager when garbage
collection is forced after data in listener objects have
been allocated in some circumstances. This results in a
use-after-free which can lead to arbitrary code execution.
(CVE-2013-0754)
*
MFSA 2013-18: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a
use-after-free using the domDoc pointer within Vibrate
library. This can lead to arbitrary code execution when
exploited. (CVE-2013-0755)
*
MFSA 2013-19: Security researcher regenrecht
reported, via TippingPoint's Zero Day Initiative, a garbage
collection flaw in Javascript Proxy objects. This can lead
to a use-after-free leading to arbitrary code execution.
(CVE-2013-0756)
*
MFSA 2013-20: Google reported to Mozilla that
TURKTRUST, a certificate authority in Mozilla's root
program, had mis-issued two intermediate certificates to
customers. The issue was not specific to Firefox but there
was evidence that one of the certificates was used for
man-in-the-middle (MITM) traffic management of domain names
that the customer did not legitimately own or control. This
issue was resolved by revoking the trust for these specific
mis-issued certificates. (CVE-2013-0743)
Indications:
Everyone using Firefox should update.
Package List:
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.14.1 and 4.9.4]:
- firefox3-cairo-1.2.4-0.8.5
- firefox3-gtk2-2.10.6-0.12.21
- firefox3-pango-1.14.5-0.12.178
- mozilla-nspr-4.9.4-0.6.1
- mozilla-nspr-devel-4.9.4-0.6.1
- mozilla-nss-3.14.1-0.6.1
- mozilla-nss-devel-3.14.1-0.6.1
- mozilla-nss-tools-3.14.1-0.6.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.14.1 and 4.9.4]:
- firefox3-cairo-32bit-1.2.4-0.8.5
- firefox3-gtk2-32bit-2.10.6-0.12.21
- firefox3-pango-32bit-1.14.5-0.12.178
- mozilla-nspr-32bit-4.9.4-0.6.1
- mozilla-nss-32bit-3.14.1-0.6.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x) [New Version: 7]:
- MozillaFirefox-10.0.12-0.6.3
- MozillaFirefox-branding-SLED-7-0.8.46
- MozillaFirefox-translations-10.0.12-0.6.3
References:
- https://bugzilla.novell.com/666101
- https://bugzilla.novell.com/681836
- https://bugzilla.novell.com/684069
- https://bugzilla.novell.com/712248
- https://bugzilla.novell.com/769762
- https://bugzilla.novell.com/796895
- http://download.suse.com/patch/finder/?keywords=8d645904d43fff2d5195e42ae81f6d59