openSUSE Security Update: seamonkey: Update to Mozilla Seamonkey 2.4
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:1077-1
Rating:             important
References:         #720264 
Cross-References:   CVE-2011-2372 CVE-2011-2995 CVE-2011-2997
                    CVE-2011-2999 CVE-2011-3000 CVE-2011-3001
                    CVE-2011-3002 CVE-2011-3003 CVE-2011-3004
                    CVE-2011-3005 CVE-2011-3232
Affected Products:
                    openSUSE 11.4
                    openSUSE 11.3
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.
   It includes two new package versions.

Description:

   Mozilla Seamonkey was updated to version 2.4, fixing
   various bugs and security issues.

   MFSA 2011-36: Mozilla developers identified and fixed
   several memory safety bugs in the browser engine used in
   Firefox and other Mozilla-based products. Some of these
   bugs showed evidence of memory corruption under certain
   circumstances, and we presume that with enough effort at
   least some of these could be exploited to run arbitrary
   code.

   In general these flaws cannot be exploited through email in
   the Thunderbird and SeaMonkey products because scripting is
   disabled, but are potentially a risk in browser or
   browser-like contexts in those products.

   Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported
   memory safety problems that affected Firefox 3.6 and
   Firefox 6. (CVE-2011-2995)

   Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor
   Bukanov, Jason Orendorff, Jesse Ruderman, and Marcia Knous
   reported memory safety problems that affected Firefox 6,
   fixed in Firefox 7. (CVE-2011-2997)



   MFSA 2011-38: Mozilla developer Boris Zbarsky reported that
   a frame named "location" could shadow the window.location
   object unless a script in a page grabbed a reference to the
   true object before the frame was created. Because some
   plugins use the value of window.location to determine the
   page origin this could fool the plugin into granting the
   plugin content access to another site or the local file
   system in violation of the Same Origin Policy. This flaw
   allows circumvention of the fix added for MFSA 2010-10.
   (CVE-2011-2999)

   MFSA 2011-39: Ian Graham of Citrix Online reported that
   when multiple Location headers were present in a redirect
   response Mozilla behavior differed from other browsers:
   Mozilla would use the second Location header while Chrome
   and Internet Explorer would use the first. Two copies of
   this header with different values could be a symptom of a
   CRLF injection attack against a vulnerable server. Most
   commonly it is the Location header itself that is
   vulnerable to the response splitting and therefore the copy
   preferred by Mozilla is more likely to be the malicious
   one. It is possible, however, that the first copy was the
   injected one depending on the nature of the server
   vulnerability.

   The Mozilla browser engine has been changed to treat two
   copies of this header with different values as an error
   condition. The same has been done with the headers   Content-Length and Content-Disposition. (CVE-2011-3000)

   MFSA 2011-40: Mariusz Mlynski reported that if you could
   convince a user to hold down the Enter key--as part of a
   game or test, perhaps--a malicious page could pop up a
   download dialog where the held key would then activate the
   default Open action. For some file types this would be
   merely annoying (the equivalent of a pop-up) but other file
   types have powerful scripting capabilities. And this would
   provide an avenue for an attacker to exploit a
   vulnerability in applications not normally exposed to
   potentially hostile internet content.

   Mariusz also reported a similar flaw with manual plugin
   installation using the PLUGINSPAGE attribute. It was
   possible to create an internal error that suppressed a
   confirmation dialog, such that holding enter would lead to
   the installation of an arbitrary add-on. (This variant did
   not affect Firefox 3.6)

   Holding enter allows arbitrary code execution due to
   Download Manager (CVE-2011-2372)

   Holding enter allows arbitrary extension installation
   (CVE-2011-3001)

   MFSA 2011-41: Michael Jordon of Context IS reported that in
   the ANGLE library used by WebGL the return value from
   GrowAtomTable() was not checked for errors. If an attacker
   could cause requests that exceeded the available memeory
   those would fail and potentially lead to a buffer overrun
   as subsequent code wrote into the non-allocated space.
   (CVE-2011-3002)

   Ben Hawkes of the Google Security Team reported a WebGL
   test case that demonstrated an out of bounds write after an
   allocation failed. (CVE-2011-3003)

   MFSA 2011-42: Security researcher Aki Helin reported a
   potentially exploitable crash in the YARR regular
   expression library used by JavaScript. (CVE-2011-3232)


   MFSA 2011-43: David Rees reported that the
   JSSubScriptLoader (a feature used by some add-ons) was
   "unwrapping" XPCNativeWrappers when they were used as the
   scope parameter to loadSubScript(). Without the protection
   of the wrappers the add-on could be vulnerable to privilege
   escalation attacks from malicious web content. Whether any
   given add-on were vulnerable would depend on how the add-on
   used the feature and whether it interacted directly with
   web content, but we did find at least one vulnerable add-on
   and presumer there are more. (CVE-2011-3004)

   The unwrapping behavior was a change introduced during
   Firefox 4 development. Firefox 3.6 and earlier versions are
   not affected.


   MFSA 2011-44: sczimmer reported that Firefox crashed when
   loading a particular .ogg file. This was due to a
   use-after-free condition and could potentially be exploited
   to install malware. (CVE-2011-3005)

   This vulnerability does not affect Firefox 3.6 or earlier.


   MFSA 2011-45: University of California, Davis researchers   Liang Cai and Hao Chen presented a paper at the 2011 USENIX
   HotSec workshop on inferring keystrokes from device motion
   data on mobile devices. Web pages can now receive data
   similar to the apps studied in that paper and likely
   present a similar risk. We have decided to limit motion
   data events to the currently-active tab to prevent the
   possibility of background tabs attempting to decipher
   keystrokes the user is entering into the foreground tab.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.4:

      zypper in -t patch MozillaFirefox-5208 seamonkey-5210

   - openSUSE 11.3:

      zypper in -t patch seamonkey-5210

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 11.4 (i586 x86_64) [New Version: 2.4 and 7.0]:

      MozillaFirefox-7.0-1.2.1
      MozillaFirefox-branding-upstream-7.0-1.2.1
      MozillaFirefox-buildsymbols-7.0-1.2.1
      MozillaFirefox-devel-7.0-1.2.1
      MozillaFirefox-translations-common-7.0-1.2.1
      MozillaFirefox-translations-other-7.0-1.2.1
      seamonkey-2.4-1.2.1
      seamonkey-dom-inspector-2.4-1.2.1
      seamonkey-irc-2.4-1.2.1
      seamonkey-translations-common-2.4-1.2.1
      seamonkey-translations-other-2.4-1.2.1
      seamonkey-venkman-2.4-1.2.1

   - openSUSE 11.3 (i586 x86_64) [New Version: 2.4]:

      seamonkey-2.4-1.2.1
      seamonkey-dom-inspector-2.4-1.2.1
      seamonkey-irc-2.4-1.2.1
      seamonkey-translations-common-2.4-1.2.1
      seamonkey-translations-other-2.4-1.2.1
      seamonkey-venkman-2.4-1.2.1


References:

   https://www.suse.com/security/cve/CVE-2011-2372.html
   https://www.suse.com/security/cve/CVE-2011-2995.html
   https://www.suse.com/security/cve/CVE-2011-2997.html
   https://www.suse.com/security/cve/CVE-2011-2999.html
   https://www.suse.com/security/cve/CVE-2011-3000.html
   https://www.suse.com/security/cve/CVE-2011-3001.html
   https://www.suse.com/security/cve/CVE-2011-3002.html
   https://www.suse.com/security/cve/CVE-2011-3003.html
   https://www.suse.com/security/cve/CVE-2011-3004.html
   https://www.suse.com/security/cve/CVE-2011-3005.html
   https://www.suse.com/security/cve/CVE-2011-3232.html
   https://bugzilla.novell.com/720264

--

openSUSE: 2011:1077-1: important: seamonkey

September 29, 2011
An update that fixes 11 vulnerabilities is now available

Description

Mozilla Seamonkey was updated to version 2.4, fixing various bugs and security issues. MFSA 2011-36: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products. Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported memory safety problems that affected Firefox 3.6 and Firefox 6. (CVE-2011-2995) Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor Bukanov, Jason Orendorff, Jesse Ruderman, and Marcia Knous reported memory safety problems that affected Firefox 6, fixed in Firefox 7. (CVE-2011-2997) MFSA 2011-38: Mozilla developer Boris Zbarsky reported that a frame named "location" could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. Because some plugins use the value of window.location to determine the page origin this could fool the plugin into granting the plugin content access to another site or the local file system in violation of the Same Origin Policy. This flaw allows circumvention of the fix added for MFSA 2010-10. (CVE-2011-2999) MFSA 2011-39: Ian Graham of Citrix Online reported that when multiple Location headers were present in a redirect response Mozilla behavior differed from other browsers: Mozilla would use the second Location header while Chrome and Internet Explorer would use the first. Two copies of this header with different values could be a symptom of a CRLF injection attack against a vulnerable server. Most commonly it is the Location header itself that is vulnerable to the response splitting and therefore the copy preferred by Mozilla is more likely to be the malicious one. It is possible, however, that the first copy was the injected one depending on the nature of the server vulnerability. The Mozilla browser engine has been changed to treat two copies of this header with different values as an error condition. The same has been done with the headers Content-Length and Content-Disposition. (CVE-2011-3000) MFSA 2011-40: Mariusz Mlynski reported that if you could convince a user to hold down the Enter key--as part of a game or test, perhaps--a malicious page could pop up a download dialog where the held key would then activate the default Open action. For some file types this would be merely annoying (the equivalent of a pop-up) but other file types have powerful scripting capabilities. And this would provide an avenue for an attacker to exploit a vulnerability in applications not normally exposed to potentially hostile internet content. Mariusz also reported a similar flaw with manual plugin installation using the PLUGINSPAGE attribute. It was possible to create an internal error that suppressed a confirmation dialog, such that holding enter would lead to the installation of an arbitrary add-on. (This variant did not affect Firefox 3.6) Holding enter allows arbitrary code execution due to Download Manager (CVE-2011-2372) Holding enter allows arbitrary extension installation (CVE-2011-3001) MFSA 2011-41: Michael Jordon of Context IS reported that in the ANGLE library used by WebGL the return value from GrowAtomTable() was not checked for errors. If an attacker could cause requests that exceeded the available memeory those would fail and potentially lead to a buffer overrun as subsequent code wrote into the non-allocated space. (CVE-2011-3002) Ben Hawkes of the Google Security Team reported a WebGL test case that demonstrated an out of bounds write after an allocation failed. (CVE-2011-3003) MFSA 2011-42: Security researcher Aki Helin reported a potentially exploitable crash in the YARR regular expression library used by JavaScript. (CVE-2011-3232) MFSA 2011-43: David Rees reported that the JSSubScriptLoader (a feature used by some add-ons) was "unwrapping" XPCNativeWrappers when they were used as the scope parameter to loadSubScript(). Without the protection of the wrappers the add-on could be vulnerable to privilege escalation attacks from malicious web content. Whether any given add-on were vulnerable would depend on how the add-on used the feature and whether it interacted directly with web content, but we did find at least one vulnerable add-on and presumer there are more. (CVE-2011-3004) The unwrapping behavior was a change introduced during Firefox 4 development. Firefox 3.6 and earlier versions are not affected. MFSA 2011-44: sczimmer reported that Firefox crashed when loading a particular .ogg file. This was due to a use-after-free condition and could potentially be exploited to install malware. (CVE-2011-3005) This vulnerability does not affect Firefox 3.6 or earlier. MFSA 2011-45: University of California, Davis researchers Liang Cai and Hao Chen presented a paper at the 2011 USENIX HotSec workshop on inferring keystrokes from device motion data on mobile devices. Web pages can now receive data similar to the apps studied in that paper and likely present a similar risk. We have decided to limit motion data events to the currently-active tab to prevent the possibility of background tabs attempting to decipher keystrokes the user is entering into the foreground tab.

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch MozillaFirefox-5208 seamonkey-5210 - openSUSE 11.3: zypper in -t patch seamonkey-5210 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 11.4 (i586 x86_64) [New Version: 2.4 and 7.0]: MozillaFirefox-7.0-1.2.1 MozillaFirefox-branding-upstream-7.0-1.2.1 MozillaFirefox-buildsymbols-7.0-1.2.1 MozillaFirefox-devel-7.0-1.2.1 MozillaFirefox-translations-common-7.0-1.2.1 MozillaFirefox-translations-other-7.0-1.2.1 seamonkey-2.4-1.2.1 seamonkey-dom-inspector-2.4-1.2.1 seamonkey-irc-2.4-1.2.1 seamonkey-translations-common-2.4-1.2.1 seamonkey-translations-other-2.4-1.2.1 seamonkey-venkman-2.4-1.2.1 - openSUSE 11.3 (i586 x86_64) [New Version: 2.4]: seamonkey-2.4-1.2.1 seamonkey-dom-inspector-2.4-1.2.1 seamonkey-irc-2.4-1.2.1 seamonkey-translations-common-2.4-1.2.1 seamonkey-translations-other-2.4-1.2.1 seamonkey-venkman-2.4-1.2.1


References

https://www.suse.com/security/cve/CVE-2011-2372.html https://www.suse.com/security/cve/CVE-2011-2995.html https://www.suse.com/security/cve/CVE-2011-2997.html https://www.suse.com/security/cve/CVE-2011-2999.html https://www.suse.com/security/cve/CVE-2011-3000.html https://www.suse.com/security/cve/CVE-2011-3001.html https://www.suse.com/security/cve/CVE-2011-3002.html https://www.suse.com/security/cve/CVE-2011-3003.html https://www.suse.com/security/cve/CVE-2011-3004.html https://www.suse.com/security/cve/CVE-2011-3005.html https://www.suse.com/security/cve/CVE-2011-3232.html https://bugzilla.novell.com/720264--


Severity
Announcement ID: openSUSE-SU-2011:1077-1
Rating: important
Affected Products: openSUSE 11.4 openSUSE 11.3 . It includes two new package versions.

Related News

Linux Mint 22: Elevating Security and Usability for Admins
3 - 5 min read
Linux Mint has has long been recognized as a versatile and user-friendly distribution and has earned great popularity among administrators and
Exim 4.98 Addresses Critical Vulnerabilities, Bolsters Email Server Security
2 - 4 min read
Exim is one of Unix-like systems' most widely used mail transfer agents. It's essential for email delivery and handling and is a significant part of
Recent OpenSSH RCE Bug Explained: Impact & Mitigations
2 - 4 min read
In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’
CVE-2024-4577: A Swiftly Weaponized Vulnerability for Ransomware Distribution
2 - 4 min read
Security researchers recently issued an update detailing how attackers are exploiting a PHP code execution vulnerability to spread TellYouThePass
Play Ransomware Group Unleashes New Threat on ESXi Environments: Analysis & Mitigation Strategies
3 - 5 min read
The Play ransomware group, well-known for its double-extortion tactics, recently unveiled a Linux variant targeting ESXi environments. This
Critical Linux Kernel Vulnerabilities Patched in Ubuntu Azure Systems
2 - 4 min read
Canonical has fixed several recently identified critical Linux kernel vulnerabilities in July 2024. These vulnerabilities primarily affect Microsoft
The Urgent Need for Secure Software Development: New Report Serves as a Wake-Up Call for the Industry
3 - 5 min read
The Linux Foundation and Open Source Security Foundation recently published a report entitled "Secure Software Development Education 2024
Severe Linux Kernel Privilege Escalation Bugs Could Compromise Entire Systems
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved