Security update for MozillaFirefox
SUSE Security Update: Security update for MozillaFirefox
Mozilla Firefox was updated to 24.4.0ESR release, fixing
various security issues and bugs:
*
MFSA 2014-15: Mozilla developers and community
identified identified and fixed several memory safety bugs
in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence
of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these
could be exploited to run arbitrary code.
*
Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij,
Jesse Ruderman, Dan Gohman, and Christoph Diehl reported
memory safety problems and crashes that affect Firefox ESR
24.3 and Firefox 27. (CVE-2014-1493)
*
Gregor Wagner, Olli Pettay, Gary Kwong, Jesse
Ruderman, Luke Wagner, Rob Fletcher, and Makoto Kato
reported memory safety problems and crashes that affect
Firefox 27. (CVE-2014-1494)
*
MFSA 2014-16 / CVE-2014-1496: Security researcher Ash
reported an issue where the extracted files for updates to
existing files are not read only during the update process.
This allows for the potential replacement or modification
of these files during the update process if a malicious
application is present on the local system.
*
MFSA 2014-17 / CVE-2014-1497: Security researcher
Atte Kettunen from OUSPG reported an out of bounds read
during the decoding of WAV format audio files for playback.
This could allow web content access to heap data as well as
causing a crash.
*
MFSA 2014-18 / CVE-2014-1498: Mozilla developer David
Keeler reported that the crypto.generateCRFMRequest method
did not correctly validate the key type of the KeyParams
argument when generating ec-dual-use requests. This could
lead to a crash and a denial of service (DOS) attack.
*
MFSA 2014-19 / CVE-2014-1499: Mozilla developer Ehsan
Akhgari reported a spoofing attack where the permission
prompt for a WebRTC session can appear to be from a
different site than its actual originating site if a timed
navigation occurs during the prompt generation. This allows
an attacker to potentially gain access to the webcam or
microphone by masquerading as another site and gaining user
permission through spoofing.
*
MFSA 2014-20 / CVE-2014-1500: Security researchers
Tim Philipp Schaefers and Sebastian Neef, the team of
Internetwache.org, reported a mechanism using JavaScript
onbeforeunload events with page navigation to prevent users
from closing a malicious page's tab and causing the browser
to become unresponsive. This allows for a denial of service
(DOS) attack due to resource consumption and blocks the
ability of users to exit the application.
*
MFSA 2014-21 / CVE-2014-1501: Security researcher
Alex Infuehr reported that on Firefox for Android it is
possible to open links to local files from web content by
selecting "Open Link in New Tab" from the context menu
using the file: protocol. The web content would have to
know the precise location of a malicious local file in
order to exploit this issue. This issue does not affect
Firefox on non-Android systems.
*
MFSA 2014-22 / CVE-2014-1502: Mozilla developer Jeff
Gilbert discovered a mechanism where a malicious site with
WebGL content could inject content from its context to that
of another site's WebGL context, causing the second site to
replace textures and similar content. This cannot be used
to steal data but could be used to render arbitrary content
in these limited circumstances.
*
MFSA 2014-23 / CVE-2014-1504: Security researcher
Nicolas Golubovic reported that the Content Security Policy
(CSP) of data: documents was not saved as part of session
restore. If an attacker convinced a victim to open a
document from a data: URL injected onto a page, this can
lead to a Cross-Site Scripting (XSS) attack. The target
page may have a strict CSP that protects against this XSS
attack, but if the attacker induces a browser crash with
another bug, an XSS attack would occur during session
restoration, bypassing the CSP on the site.
*
MFSA 2014-26 / CVE-2014-1508: Security researcher
Tyson Smith and Jesse Schwartzentruber of the BlackBerry
Security Automated Analysis Team used the Address Sanitizer
tool while fuzzing to discover an out-of-bounds read during
polygon rendering in MathML. This can allow web content to
potentially read protected memory addresses. In combination
with previous techniques used for SVG timing attacks, this
could allow for text values to be read across domains,
leading to information disclosure.
*
MFSA 2014-27 / CVE-2014-1509: Security researcher
John Thomson discovered a memory corruption in the Cairo
graphics library during font rendering of a PDF file for
display. This memory corruption leads to a potentially
exploitable crash and to a denial of service (DOS). This
issues is not able to be triggered in a default
configuration and would require a malicious extension to be
installed.
*
MFSA 2014-28 / CVE-2014-1505: Mozilla developer
Robert O'Callahan reported a mechanism for timing attacks
involving SVG filters and displacements input to
feDisplacementMap. This allows displacements to potentially
be correlated with values derived from content. This is
similar to the previously reported techniques used for SVG
timing attacks and could allow for text values to be read
across domains, leading to information disclosure.
*
MFSA 2014-29 / CVE-2014-1510 / CVE-2014-1511:
Security researcher Mariusz Mlynski, via TippingPoint's
Pwn2Own contest, reported that it is possible for untrusted
web content to load a chrome-privileged page by getting
JavaScript-implemented WebIDL to call window.open(). A
second bug allowed the bypassing of the popup-blocker
without user interaction. Combined these two bugs allow an
attacker to load a JavaScript URL that is executed with the
full privileges of the browser, which allows arbitrary code
execution.
*
MFSA 2014-30 / CVE-2014-1512: Security research firm
VUPEN, via TippingPoint's Pwn2Own contest, reported that
memory pressure during Garbage Collection could lead to
memory corruption of TypeObjects in the JS engine,
resulting in an exploitable use-after-free condition.
*
MFSA 2014-31 / CVE-2014-1513: Security researcher
Jueri Aedla, via TippingPoint's Pwn2Own contest, reported
that TypedArrayObject does not handle the case where
ArrayBuffer objects are neutered, setting their length to
zero while still in use. This leads to out-of-bounds reads
and writes into the JavaScript heap, allowing for arbitrary
code execution.
*
MFSA 2014-32 / CVE-2014-1514: Security researcher
George Hotz, via TippingPoint's Pwn2Own contest, discovered
an issue where values are copied from an array into a
second, neutered array. This allows for an out-of-bounds
write into memory, causing an exploitable crash leading to
arbitrary code execution.
| Announcement ID: | SUSE-SU-2014:0418-1 |
| Rating: | important |
| References: | #868603 |
| Affected Products: |
An update that contains security fixes can now be installed. It includes two new package versions.
Description:
Mozilla Firefox was updated to 24.4.0ESR release, fixing
various security issues and bugs:
*
MFSA 2014-15: Mozilla developers and community
identified identified and fixed several memory safety bugs
in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence
of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these
could be exploited to run arbitrary code.
*
Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij,
Jesse Ruderman, Dan Gohman, and Christoph Diehl reported
memory safety problems and crashes that affect Firefox ESR
24.3 and Firefox 27. (CVE-2014-1493)
*
Gregor Wagner, Olli Pettay, Gary Kwong, Jesse
Ruderman, Luke Wagner, Rob Fletcher, and Makoto Kato
reported memory safety problems and crashes that affect
Firefox 27. (CVE-2014-1494)
*
MFSA 2014-16 / CVE-2014-1496: Security researcher Ash
reported an issue where the extracted files for updates to
existing files are not read only during the update process.
This allows for the potential replacement or modification
of these files during the update process if a malicious
application is present on the local system.
*
MFSA 2014-17 / CVE-2014-1497: Security researcher
Atte Kettunen from OUSPG reported an out of bounds read
during the decoding of WAV format audio files for playback.
This could allow web content access to heap data as well as
causing a crash.
*
MFSA 2014-18 / CVE-2014-1498: Mozilla developer David
Keeler reported that the crypto.generateCRFMRequest method
did not correctly validate the key type of the KeyParams
argument when generating ec-dual-use requests. This could
lead to a crash and a denial of service (DOS) attack.
*
MFSA 2014-19 / CVE-2014-1499: Mozilla developer Ehsan
Akhgari reported a spoofing attack where the permission
prompt for a WebRTC session can appear to be from a
different site than its actual originating site if a timed
navigation occurs during the prompt generation. This allows
an attacker to potentially gain access to the webcam or
microphone by masquerading as another site and gaining user
permission through spoofing.
*
MFSA 2014-20 / CVE-2014-1500: Security researchers
Tim Philipp Schaefers and Sebastian Neef, the team of
Internetwache.org, reported a mechanism using JavaScript
onbeforeunload events with page navigation to prevent users
from closing a malicious page's tab and causing the browser
to become unresponsive. This allows for a denial of service
(DOS) attack due to resource consumption and blocks the
ability of users to exit the application.
*
MFSA 2014-21 / CVE-2014-1501: Security researcher
Alex Infuehr reported that on Firefox for Android it is
possible to open links to local files from web content by
selecting "Open Link in New Tab" from the context menu
using the file: protocol. The web content would have to
know the precise location of a malicious local file in
order to exploit this issue. This issue does not affect
Firefox on non-Android systems.
*
MFSA 2014-22 / CVE-2014-1502: Mozilla developer Jeff
Gilbert discovered a mechanism where a malicious site with
WebGL content could inject content from its context to that
of another site's WebGL context, causing the second site to
replace textures and similar content. This cannot be used
to steal data but could be used to render arbitrary content
in these limited circumstances.
*
MFSA 2014-23 / CVE-2014-1504: Security researcher
Nicolas Golubovic reported that the Content Security Policy
(CSP) of data: documents was not saved as part of session
restore. If an attacker convinced a victim to open a
document from a data: URL injected onto a page, this can
lead to a Cross-Site Scripting (XSS) attack. The target
page may have a strict CSP that protects against this XSS
attack, but if the attacker induces a browser crash with
another bug, an XSS attack would occur during session
restoration, bypassing the CSP on the site.
*
MFSA 2014-26 / CVE-2014-1508: Security researcher
Tyson Smith and Jesse Schwartzentruber of the BlackBerry
Security Automated Analysis Team used the Address Sanitizer
tool while fuzzing to discover an out-of-bounds read during
polygon rendering in MathML. This can allow web content to
potentially read protected memory addresses. In combination
with previous techniques used for SVG timing attacks, this
could allow for text values to be read across domains,
leading to information disclosure.
*
MFSA 2014-27 / CVE-2014-1509: Security researcher
John Thomson discovered a memory corruption in the Cairo
graphics library during font rendering of a PDF file for
display. This memory corruption leads to a potentially
exploitable crash and to a denial of service (DOS). This
issues is not able to be triggered in a default
configuration and would require a malicious extension to be
installed.
*
MFSA 2014-28 / CVE-2014-1505: Mozilla developer
Robert O'Callahan reported a mechanism for timing attacks
involving SVG filters and displacements input to
feDisplacementMap. This allows displacements to potentially
be correlated with values derived from content. This is
similar to the previously reported techniques used for SVG
timing attacks and could allow for text values to be read
across domains, leading to information disclosure.
*
MFSA 2014-29 / CVE-2014-1510 / CVE-2014-1511:
Security researcher Mariusz Mlynski, via TippingPoint's
Pwn2Own contest, reported that it is possible for untrusted
web content to load a chrome-privileged page by getting
JavaScript-implemented WebIDL to call window.open(). A
second bug allowed the bypassing of the popup-blocker
without user interaction. Combined these two bugs allow an
attacker to load a JavaScript URL that is executed with the
full privileges of the browser, which allows arbitrary code
execution.
*
MFSA 2014-30 / CVE-2014-1512: Security research firm
VUPEN, via TippingPoint's Pwn2Own contest, reported that
memory pressure during Garbage Collection could lead to
memory corruption of TypeObjects in the JS engine,
resulting in an exploitable use-after-free condition.
*
MFSA 2014-31 / CVE-2014-1513: Security researcher
Jueri Aedla, via TippingPoint's Pwn2Own contest, reported
that TypedArrayObject does not handle the case where
ArrayBuffer objects are neutered, setting their length to
zero while still in use. This leads to out-of-bounds reads
and writes into the JavaScript heap, allowing for arbitrary
code execution.
*
MFSA 2014-32 / CVE-2014-1514: Security researcher
George Hotz, via TippingPoint's Pwn2Own contest, discovered
an issue where values are copied from an array into a
second, neutered array. This allows for an out-of-bounds
write into memory, causing an exploitable crash leading to
arbitrary code execution.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-firefox-201403-9049 - SUSE Linux Enterprise Server 11 SP3 for VMware:
zypper in -t patch slessp3-firefox-201403-9049 - SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-firefox-201403-9049 - SUSE Linux Enterprise Desktop 11 SP3:
zypper in -t patch sledsp3-firefox-201403-9049
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.10.4]:
- MozillaFirefox-devel-24.4.0esr-0.8.1
- mozilla-nspr-devel-4.10.4-0.3.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.4.0esr and 4.10.4]:
- MozillaFirefox-24.4.0esr-0.8.1
- MozillaFirefox-translations-24.4.0esr-0.8.1
- mozilla-nspr-4.10.4-0.3.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 4.10.4]:
- mozilla-nspr-32bit-4.10.4-0.3.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.4.0esr and 4.10.4]:
- MozillaFirefox-24.4.0esr-0.8.1
- MozillaFirefox-branding-SLED-24-0.7.23
- MozillaFirefox-translations-24.4.0esr-0.8.1
- mozilla-nspr-4.10.4-0.3.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 4.10.4]:
- mozilla-nspr-32bit-4.10.4-0.3.1
- SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 4.10.4]:
- mozilla-nspr-x86-4.10.4-0.3.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.4.0esr and 4.10.4]:
- MozillaFirefox-24.4.0esr-0.8.1
- MozillaFirefox-branding-SLED-24-0.7.23
- MozillaFirefox-translations-24.4.0esr-0.8.1
- mozilla-nspr-4.10.4-0.3.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 4.10.4]:
- mozilla-nspr-32bit-4.10.4-0.3.1
References:
- https://bugzilla.novell.com/868603
- http://download.suse.com/patch/finder/?keywords=459a5273e5dbc348d118a48052078601