Security update for Mozilla Firefox

SUSE Security Update: Security update for Mozilla Firefox
Announcement ID: SUSE-SU-2013:1152-1
Rating: important
References: #792432 #813026 #819204 #825935
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Desktop 11 SP3

  • An update that fixes 9 vulnerabilities is now available. It includes one version update.

    Description:


    Mozilla Firefox has been updated to the 17.0.7 ESR version,
    which fixes bugs and security fixes.

    *

    MFSA 2013-49: Mozilla developers identified and fixed
    several memory safety bugs in the browser engine used in
    Firefox and other Mozilla-based products. Some of these
    bugs showed evidence of memory corruption under certain
    circumstances, and we presume that with enough effort at
    least some of these could be exploited to run arbitrary
    code.

    Gary Kwong, Jesse Ruderman, and Andrew McCreight
    reported memory safety problems and crashes that affect
    Firefox ESR 17, and Firefox 21. (CVE-2013-1682)

    *

    MFSA 2013-50: Security researcher Abhishek Arya
    (Inferno) of the Google Chrome Security Team used the
    Address Sanitizer tool to discover a series of
    use-after-free problems rated critical as security issues
    in shipped software. Some of these issues are potentially
    exploitable, allowing for remote code execution. We would
    also like to thank Abhishek for reporting additional
    use-after-free and buffer overflow flaws in code introduced
    during Firefox development. These were fixed before general
    release.

    o Heap-use-after-free in
    mozilla::dom::HTMLMediaElement::LookupMediaElementURITable
    (CVE-2013-1684) o Heap-use-after-free in
    nsIDocument::GetRootElement (CVE-2013-1685) o
    Heap-use-after-free in mozilla::ResetDir (CVE-2013-1686)
    *

    MFSA 2013-51 / CVE-2013-1687: Security researcher
    Mariusz Mlynski reported that it is possible to compile a
    user-defined function in the XBL scope of a specific
    element and then trigger an event within this scope to run
    code. In some circumstances, when this code is run, it can
    access content protected by System Only Wrappers (SOW) and
    chrome-privileged pages. This could potentially lead to
    arbitrary code execution. Additionally, Chrome Object
    Wrappers (COW) can be bypassed by web content to access
    privileged methods, leading to a cross-site scripting (XSS)
    attack from privileged pages.

    *

    MFSA 2013-53 / CVE-2013-1690: Security researcher
    Nils reported that specially crafted web content using the
    onreadystatechange event and reloading of pages could
    sometimes cause a crash when unmapped memory is executed.
    This crash is potentially exploitable.

    *

    MFSA 2013-54 / CVE-2013-1692: Security researcher
    Johnathan Kuskos reported that Firefox is sending data in
    the body of XMLHttpRequest (XHR) HEAD requests, which goes
    agains the XHR specification. This can potentially be used
    for Cross-Site Request Forgery (CSRF) attacks against sites
    which do not distinguish between HEAD and POST requests.

    *

    MFSA 2013-55 / CVE-2013-1693: Security researcher
    Paul Stone of Context Information Security discovered that
    timing differences in the processing of SVG format images
    with filters could allow for pixel values to be read. This
    could potentially allow for text values to be read across
    domains, leading to information disclosure.

    *

    MFSA 2013-59 / CVE-2013-1697: Mozilla security
    researcher moz_bug_r_a4 reported that XrayWrappers can be
    bypassed to call content-defined toString and valueOf
    methods through DefaultValue. This can lead to unexpected
    behavior when privileged code acts on the incorrect values.

    *

    MFSA 2013-30: Mozilla developers identified and fixed
    several memory safety bugs in the browser engine used in
    Firefox and other Mozilla-based products. Some of these
    bugs showed evidence of memory corruption under certain
    circumstances, and we presume that with enough effort at
    least some of these could be exploited to run arbitrary
    code.

    Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian
    Holler, Milan Sreckovic, and Joe Drew reported memory
    safety problems and crashes that affect Firefox ESR 17, and
    Firefox 19. (CVE-2013-0788)

    *

    MFSA 2013-31 / CVE-2013-0800: Security researcher
    Abhishek Arya (Inferno) of the Google Chrome Security Team
    used the Address Sanitizer tool to discover an
    out-of-bounds write in Cairo graphics library. When certain
    values are passed to it during rendering, Cairo attempts to
    use negative boundaries or sizes for boxes, leading to a
    potentially exploitable crash in some instances.

    *

    MFSA 2013-32 / CVE-2013-0799: Security researcher
    Frederic Hoguin discovered that the Mozilla Maintenance
    Service on Windows was vulnerable to a buffer overflow.
    This system is used to update software without invoking the
    User Account Control (UAC) prompt. The Mozilla Maintenance
    Service is configured to allow unprivileged users to start
    it with arbitrary arguments. By manipulating the data
    passed in these arguments, an attacker can execute
    arbitrary code with the system privileges used by the
    service. This issue requires local file system access to be
    exploitable.

    *

    MFSA 2013-34 / CVE-2013-0797: Security researcher Ash
    reported an issue with the Mozilla Updater. The Mozilla
    Updater can be made to load a malicious local DLL file in a
    privileged context through either the Mozilla Maintenance
    Service or independently on systems that do not use the
    service. This occurs when the DLL file is placed in a
    specific location on the local system before the Mozilla
    Updater is run. Local file system access is necessary in
    order for this issue to be exploitable.

    *

    MFSA 2013-35 / CVE-2013-0796: Security researcher
    miaubiz used the Address Sanitizer tool to discover a crash
    in WebGL rendering when memory is freed that has not
    previously been allocated. This issue only affects Linux
    users who have Intel Mesa graphics drivers. The resulting
    crash could be potentially exploitable.

    *

    MFSA 2013-36 / CVE-2013-0795: Security researcher
    Cody Crews reported a mechanism to use the cloneNode method
    to bypass System Only Wrappers (SOW) and clone a protected
    node. This allows violation of the browser's same origin
    policy and could also lead to privilege escalation and the
    execution of arbitrary code.

    *

    MFSA 2013-37 / CVE-2013-0794: Security researcher
    shutdown reported a method for removing the origin
    indication on tab-modal dialog boxes in combination with
    browser navigation. This could allow an attacker's dialog
    to overlay a page and show another site's content. This can
    be used for phishing by allowing users to enter data into a
    modal prompt dialog on an attacking, site while appearing
    to be from the displayed site.

    *

    MFSA 2013-38 / CVE-2013-0793: Security researcher
    Mariusz Mlynski reported a method to use browser
    navigations through history to load an arbitrary website
    with that page's baseURI property pointing to another site
    instead of the seemingly loaded one. The user will continue
    to see the incorrect site in the addressbar of the browser.
    This allows for a cross-site scripting (XSS) attack or the
    theft of data through a phishing attack.

    *

    MFSA 2013-39 / CVE-2013-0792: Mozilla community
    member Tobias Schula reported that if
    gfx.color_management.enablev4 preference is enabled
    manually in about:config, some grayscale PNG images will be
    rendered incorrectly and cause memory corruption during PNG
    decoding when certain color profiles are in use. A crafted
    PNG image could use this flaw to leak data through rendered
    images drawing from random memory. By default, this
    preference is not enabled.

    *

    MFSA 2013-40 / CVE-2013-0791: Mozilla community
    member Ambroz Bizjak reported an out-of-bounds array read
    in the CERT_DecodeCertPackage function of the Network
    Security Services (NSS) libary when decoding a certificate.
    When this occurs, it will lead to memory corruption and a
    non-exploitable crash.

    *

    MFSA 2013-41: Mozilla developers identified and fixed
    several memory safety bugs in the browser engine used in
    Firefox and other Mozilla-based products. Some of these
    bugs showed evidence of memory corruption under certain
    circumstances, and we presume that with enough effort at
    least some of these could be exploited to run arbitrary
    code.

    References

    o Christoph Diehl, Christian Holler, Jesse
    Ruderman, Timothy Nikkel, and Jeff Walden reported memory
    safety problems and crashes that affect Firefox ESR 17, and
    Firefox 20. o Bob Clary, Ben Turner, Benoit Jacob, Bobby
    Holley, Christoph Diehl, Christian Holler, Andrew
    McCreight, Gary Kwong, Jason Orendorff, Jesse Ruderman,
    Matt Wobensmith, and Mats Palmgren reported memory safety
    problems and crashes that affect Firefox 20.
    *

    MFSA 2013-42 / CVE-2013-1670: Security researcher
    Cody Crews reported a method to call a content level
    constructor that allows for this constructor to have chrome
    privileged accesss. This affects chrome object wrappers
    (COW) and allows for write actions on objects when only
    read actions should be allowed. This can lead to cross-site
    scripting (XSS) attacks.

    *

    MFSA 2013-43 / CVE-2013-1671: Mozilla security
    researcher moz_bug_r_a4 reported a mechanism to exploit the
    control when set to the file type in order to get the full
    path. This can lead to information leakage and could be
    combined with other exploits to target attacks on the local
    file system.

    *

    MFSA 2013-44 / CVE-2013-1672: Security researcher Seb
    Patane reported an issue with the Mozilla Maintenance
    Service on Windows. This issue allows unprivileged users to
    local privilege escalation through the system privileges
    used by the service when interacting with local malicious
    software. This allows the user to bypass integrity checks
    leading to local privilege escalation. Local file system
    access is necessary in order for this issue to be
    exploitable and it cannot be triggered through web content.

    *

    MFSA 2013-45: Security researcher Robert Kugler
    discovered that in some instances the Mozilla Maintenance
    Service on Windows will be vulnerable to some previously
    fixed privilege escalation attacks that allowed for local
    privilege escalation. This was caused by the Mozilla
    Updater not updating Windows Registry entries for the
    Mozilla Maintenance Service, which fixed the earlier issues
    present if Firefox 12 had been installed. New installations
    of Firefox after version 12 are not affected by this issue.
    Local file system access is necessary in order for this
    issue to be exploitable and it cannot be triggered through
    web content. References: - old MozillaMaintenance Service
    registry entry not updated leading to Trusted Path
    Privilege Escalation (CVE-2013-1673) - Possible Arbitrary
    Code Execution by Update Service (CVE-2012-1942)

    *

    MFSA 2013-46 / CVE-2013-1674: Security researcher
    Nils reported a use-after-free when resizing video while
    playing. This could allow for arbitrary code execution.

    *

    MFSA 2013-47 / CVE-2013-1675: Mozilla community
    member Ms2ger discovered that some DOMSVGZoomEvent
    functions are used without being properly initialized,
    causing uninitialized memory to be used when they are
    called by web content. This could lead to a information
    leakage to sites depending on the contents of this
    uninitialized memory.

    *

    MFSA 2013-48: Security researcher Abhishek Arya
    (Inferno) of the Google Chrome Security Team used the
    Address Sanitizer tool to discover a series of
    use-after-free, out of bounds read, and invalid write
    problems rated as moderate to critical as security issues
    in shipped software. Some of these issues are potentially
    exploitable, allowing for remote code execution. We would
    also like to thank Abhishek for reporting additional
    use-after-free flaws in dir=auto code introduced during
    Firefox development. These were fixed before general
    release.

    References

    o Out of Bounds Read in
    SelectionIterator::GetNextSegment (CVE-2013-1676) o
    Out-of-bound read in gfxSkipCharsIterator::SetOffsets
    (CVE-2013-1677)) o Invalid write in
    _cairo_xlib_surface_add_glyph (CVE-2013-1678) o
    Heap-use-after-free in
    mozilla::plugins::child::_geturlnotify (CVE-2013-1679) o
    Heap-use-after-free in nsFrameList::FirstChild
    (CVE-2013-1680) o Heap-use-after-free in
    nsContentUtils::RemoveScriptBlocker (CVE-2013-1681)
    *

    CVE-2012-1942
    >

    * CVE-2013-0788
    >
    * CVE-2013-0791
    >
    * CVE-2013-0792
    >
    * CVE-2013-0793
    >
    * CVE-2013-0794
    >
    * CVE-2013-0795
    >
    * CVE-2013-0796
    >
    * CVE-2013-0797
    >
    * CVE-2013-0798
    >
    * CVE-2013-0799
    >
    * CVE-2013-0800
    >
    * CVE-2013-0801
    >
    * CVE-2013-1669
    >
    * CVE-2013-1670
    >
    * CVE-2013-1671
    >
    * CVE-2013-1672
    >
    * CVE-2013-1673
    >
    * CVE-2013-1674
    >
    * CVE-2013-1675
    >
    * CVE-2013-1676
    >
    * CVE-2013-1677
    >
    * CVE-2013-1678
    >
    * CVE-2013-1679
    >
    * CVE-2013-1680
    >
    * CVE-2013-1681
    >
    * CVE-2013-1682
    >
    * CVE-2013-1684
    >
    * CVE-2013-1685
    >
    * CVE-2013-1686
    >
    * CVE-2013-1687
    >
    * CVE-2013-1690
    >
    * CVE-2013-1692
    >
    * CVE-2013-1693
    >
    * CVE-2013-1697
    >

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-firefox-20130628-8001
    • SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-firefox-20130628-8001
    • SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-firefox-20130628-8001
    • SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-firefox-20130628-8001

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
    • MozillaFirefox-devel-17.0.7esr-0.8.1
    • SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 17.0.7esr]:
    • MozillaFirefox-17.0.7esr-0.8.1
    • MozillaFirefox-translations-17.0.7esr-0.8.1
    • SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.7esr]:
    • MozillaFirefox-17.0.7esr-0.8.1
    • MozillaFirefox-branding-SLED-7-0.12.1
    • MozillaFirefox-translations-17.0.7esr-0.8.1
    • SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 17.0.7esr]:
    • MozillaFirefox-17.0.7esr-0.8.1
    • MozillaFirefox-branding-SLED-7-0.12.1
    • MozillaFirefox-translations-17.0.7esr-0.8.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-1682.html
    • http://support.novell.com/security/cve/CVE-2013-1684.html
    • http://support.novell.com/security/cve/CVE-2013-1685.html
    • http://support.novell.com/security/cve/CVE-2013-1686.html
    • http://support.novell.com/security/cve/CVE-2013-1687.html
    • http://support.novell.com/security/cve/CVE-2013-1690.html
    • http://support.novell.com/security/cve/CVE-2013-1692.html
    • http://support.novell.com/security/cve/CVE-2013-1693.html
    • http://support.novell.com/security/cve/CVE-2013-1697.html
    • https://bugzilla.novell.com/792432
    • https://bugzilla.novell.com/813026
    • https://bugzilla.novell.com/819204
    • https://bugzilla.novell.com/825935
    • http://download.suse.com/patch/finder/?keywords=2c55ef365e2022c62abed41b2a31ed0f