openSUSE Security Update: MozillaFirefox to 14.0.1
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0899-1
Rating:             critical
References:         #771583 
Cross-References:   CVE-2012-1948 CVE-2012-1949 CVE-2012-1950
                    CVE-2012-1951 CVE-2012-1952 CVE-2012-1953
                    CVE-2012-1954 CVE-2012-1955 CVE-2012-1957
                    CVE-2012-1958 CVE-2012-1959 CVE-2012-1961
                    CVE-2012-1962 CVE-2012-1963 CVE-2012-1964
                    CVE-2012-1965 CVE-2012-1966 CVE-2012-1967
                   
Affected Products:
                    openSUSE 12.1
                    openSUSE 11.4
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   MozillaFirefox was updated to 14.0.1 to fix various bugs
   and security issues.


   The following security issues were fixed: MFSA 2012-42: Mozilla
   developers identified and fixed several memory safety bugs
   in the browser engine used in Firefox and other
   Mozilla-based products. Some of these bugs showed evidence
   of memory corruption under certain circumstances, and we
   presume that with enough effort at least some of these
   could be exploited to run arbitrary code.

   CVE-2012-1949: Brian Smith, Gary Kwong, Christian Holler,
   Jesse Ruderman, Christoph Diehl, Chris Jones, Brad Lassey,
   and Kyle Huey reported memory safety problems and crashes
   that affect Firefox 13.

   CVE-2012-1948: Benoit Jacob, Jesse Ruderman, Christian
   Holler, and Bill McCloskey reported memory safety problems
   and crashes that affect Firefox ESR 10 and Firefox 13.


   MFSA 2012-43 / CVE-2012-1950: Security researcher Mario
   Gomes and research firm Code Audit Labs reported a mechanism
   to short-circuit page loads through drag and drop to the
   addressbar by canceling the page load. This causes the
   address of the previously entered site to be displayed in
   the addressbar instead of the currently loaded page. This
   could lead to potential phishing attacks on users.

   MFSA 2012-44: Google security researcher Abhishek Arya used
   the Address Sanitizer tool to uncover four issues: two
   use-after-free problems, one out of bounds read bug, and a
   bad cast. The first use-after-free problem is caused when
   an array of nsSMILTimeValueSpec objects is destroyed but
   attempts are made to call into objects in this array later.
   The second use-after-free problem is in
   nsDocument::AdoptNode when it adopts into an empty document
   and then adopts into another document, emptying the first
   one. The heap buffer overflow is in ElementAnimations when
   data is read off of end of an array and then pointers are
   dereferenced. The bad cast happens when
   nsTableFrame::InsertFrames is called with frames in
   aFrameList that are a mix of row group frames and column
   group frames. AppendFrames is not able to handle this mix.

   All four of these issues are potentially exploitable.
   CVE-2012-1951: Heap-use-after-free in
   nsSMILTimeValueSpec::IsEventBased CVE-2012-1954:
   Heap-use-after-free in nsDocument::AdoptNode CVE-2012-1953:
   Out of bounds read in ElementAnimations::EnsureStyleRuleFor
   CVE-2012-1952: Bad cast in nsTableFrame::InsertFrames


   MFSA 2012-45 / CVE-2012-1955: Security researcher Mariusz
   Mlynski reported an issue with spoofing of the location
   property. In this issue, calls to history.forward and
   history.back are used to navigate to a site while
   displaying the previous site in the addressbar but changing
   the baseURI to the newer site. This can be used for
   phishing by allowing the user to input form or other data on
   the newer, attacking, site while appearing to be on the
   older, displayed site.

   MFSA 2012-46 / CVE-2012-1966: Mozilla security researcher
   moz_bug_r_a4 reported a cross-site scripting (XSS) attack
   through the context menu using a data: URL. In this issue,
   context menu functionality ("View Image", "Show only this
   frame", and "View background image") are disallowed in a
   javascript: URL but allowed in a data: URL, allowing for
   XSS. This can lead to arbitrary code execution.

   MFSA 2012-47 / CVE-2012-1957: Security researcher Mario
   Heiderich reported that javascript could be executed in the
   HTML feed-view using  tag within the RSS
   . This problem is due to  tags not
   being filtered out during parsing and can lead to a
   potential cross-site scripting (XSS) attack. The flaw
   existed in a parser utility class and could affect other
   parts of the browser or add-ons which rely on that class to
   sanitize untrusted input.


   MFSA 2012-48 / CVE-2012-1958: Security researcher Arthur
   Gerkis used the Address Sanitizer tool to find a
   use-after-free in nsGlobalWindow::PageHidden when
   mFocusedContent is released and oldFocusedContent is used
   afterwards. This use-after-free could possibly allow for
   remote code execution.


   MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby
   Holley found that same-compartment security wrappers (SCSW)
   can be bypassed by passing them to another compartment.
   Cross-compartment wrappers often do not go through SCSW,
   but have a filtering policy built into them. When an object
   is wrapped cross-compartment, the SCSW is stripped off and,
   when the object is read back, it is not known that
   SCSW was previously present, resulting in a bypassing of
   SCSW. This could result in untrusted content having access
   to the XBL that implements browser functionality.

   MFSA 2012-50 / CVE-2012-1960: Google developer Tony Payne
   reported an out of bounds (OOB) read in QCMS, Mozilla’s
   color management library. With a carefully crafted color
   profile portions of a user's memory could be incorporated
   into a transformed image and possibly deciphered.


   MFSA 2012-51 / CVE-2012-1961: Bugzilla developer Frédéric
   Buclin reported that the X-Frame-Options header is ignored
   when the value is duplicated, for example X-Frame-Options:
   SAMEORIGIN, SAMEORIGIN. This duplication occurs for unknown
   reasons on some websites and when it occurs results in
   Mozilla browsers not being protected against possible
   clickjacking attacks on those pages.
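   A server-side check for the condition described in MFSA 2012-51, added here as an example and not part of the advisory: it parses raw HTTP response headers and flags an X-Frame-Options value that is duplicated (on one comma-joined line or on repeated lines), missing, or unrecognised. The sample responses are constructed for the example.

```python
# Constructed HTTP responses (not from the advisory): one with a clean
# X-Frame-Options header, one with the duplicated value the advisory describes,
# one with two header lines (which a merging proxy turns into the same thing),
# and one with no header at all.
RESP_OK = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_DUP_VALUE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n<html>"
RESP_DUP_LINE = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
RESP_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def parse_header_lines(raw_response):
    """Return (name_lowercased, value) pairs from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_x_frame_options(raw_response):
    """Classify the X-Frame-Options state of a response.

    Returns (status, tokens): status is "ok", "missing" or "ambiguous".
    "ambiguous" covers exactly the condition in MFSA 2012-51: more than one
    value (whether on one comma-joined line or on repeated lines) or a value
    that is not a recognised directive, either of which a browser may ignore,
    leaving the page unprotected against framing.
    """
    values = [v for n, v in parse_header_lines(raw_response) if n == "x-frame-options"]
    if not values:
        return "missing", []
    # Split comma-joined values so "SAMEORIGIN, SAMEORIGIN" yields two tokens.
    tokens = [t.strip() for v in values for t in v.split(",") if t.strip()]
    if len(tokens) != 1:
        return "ambiguous", tokens
    directive = tokens[0].upper()
    if directive in VALID_DIRECTIVES or directive.startswith("ALLOW-FROM "):
        return "ok", tokens
    return "ambiguous", tokens
```

   Running this against responses captured at the edge (after any proxy or CDN that may merge headers) finds the duplication before a browser silently drops the protection; a Content-Security-Policy frame-ancestors directive is the current replacement for this header.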


   MFSA 2012-52 / CVE-2012-1962: Security researcher Bill
   Keese reported a memory corruption. This is caused by
   JSDependentString::undepend changing a dependent string
   into a fixed string when there are additional dependent
   strings relying on the same base. When the undepend occurs
   during conversion, the base data is freed, leaving other
   dependent strings with dangling pointers. This can lead to
   a potentially exploitable crash.


   MFSA 2012-53 / CVE-2012-1963: Security researcher
   Karthikeyan Bhargavan of Prosecco at INRIA reported Content
   Security Policy (CSP) 1.0 implementation errors. CSP
   violation reports generated by Firefox and sent to the
   "report-uri" location include sensitive data within the
   "blocked-uri" parameter. These include fragment components
   and query strings even if the "blocked-uri" parameter has a
   different origin than the protected resource. This can be
   used to retrieve a user's OAuth 2.0 access tokens and
   OpenID credentials by malicious sites.
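   An added example (not part of the advisory) of the stripping that MFSA 2012-53 describes as missing: before a blocked-uri goes into a violation report, a cross-origin URL is cut down to its origin and a same-origin one loses its query and fragment, so tokens carried in either never reach the report-uri endpoint. The same routine is useful on a report-collecting endpoint as defence in depth. The report and URLs are constructed; the function names are my own.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed CSP 1.0 violation report in the shape a browser posts to
# report-uri. The blocked-uri is cross-origin and carries a query string and
# fragment of the kind that hold OAuth 2.0 / OpenID material.
SAMPLE_REPORT = {
    "csp-report": {
        "document-uri": "https://app.example/dashboard",
        "violated-directive": "img-src 'self'",
        "blocked-uri": "https://idp.example/cb?code=SECRET#access_token=TOKEN",
    }
}


def origin_of(url):
    """Return scheme://host[:port] for a network URL, or '' if it has none.
    (Simplified: scheme case and default ports are not normalised.)"""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return ""
    return urlunsplit((p.scheme, p.netloc, "", "", ""))


def strip_for_report(blocked_uri, document_uri):
    """Reduce a blocked-uri to what a violation report may safely carry.

    - keyword values such as "inline" or "eval" pass through unchanged
    - non-network schemes (data:, blob:) are reduced to the scheme name
    - a cross-origin URL is reduced to its origin only
    - a same-origin URL keeps its path but loses query and fragment,
      since the report-uri endpoint may be run by a third party
    """
    p = urlsplit(blocked_uri)
    if not p.scheme:
        return blocked_uri
    if not p.netloc:
        return p.scheme
    if origin_of(blocked_uri) != origin_of(document_uri):
        return origin_of(blocked_uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def sanitize_report(report):
    """Return a copy of a csp-report with its blocked-uri stripped."""
    body = dict(report["csp-report"])
    body["blocked-uri"] = strip_for_report(body["blocked-uri"], body["document-uri"])
    return {"csp-report": body}
```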

   MFSA 2012-54 / CVE-2012-1964: Security Researcher Matt
   McCutchen reported a clickjacking attack using the
   certificate warning page. A man-in-the-middle (MITM)
   attacker can use an iframe to display its own certificate
   error warning page (about:certerror) with the "Add
   Exception" button of a real warning page from a malicious
   site. This can mislead users into adding a certificate
   exception for a different site than the perceived one. This
   can lead to compromised communications with the
   user-perceived site through the MITM attack once the
   certificate exception has been added.


   MFSA 2012-55 / CVE-2012-1965: Security researchers Mario
   Gomes and Soroush Dalili reported that since Mozilla allows
   the pseudo-protocol feed: to prefix any valid URL, it is
   possible to construct feed:javascript: URLs that will
   execute scripts in some contexts. On some sites it may be
   possible to use this to evade output filtering that would
   otherwise strip javascript: URLs and thus contribute to
   cross-site scripting (XSS) problems on these sites.
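   An added example (not part of the advisory) of the output-filter weakness MFSA 2012-55 describes: a scheme allowlist that only looks at the outermost scheme passes feed:javascript: URLs, so the filter below peels wrapper pseudo-schemes (feed: from the advisory; the set is an assumption and can be extended) and percent-decodes between layers before deciding. The helper names and the ALLOWED set are my own.

```python
import re
from urllib.parse import unquote

# Wrapper pseudo-schemes that may prefix another full URL. Only feed: is
# named in the advisory; add others that your target browsers honour.
WRAPPER_SCHEMES = {"feed"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def effective_scheme(url, max_depth=8):
    """Return the lower-cased scheme a browser would finally act on, or ''
    for a scheme-less (relative) URL. Leading whitespace and embedded
    tab/newline characters are removed first, as URL parsers do, and
    each wrapper layer is percent-decoded so that feed:javascript%3A...
    cannot hide the inner scheme."""
    current = url
    scheme = ""
    for _ in range(max_depth):
        cleaned = re.sub(r"[\t\r\n]", "", current.lstrip())
        m = SCHEME_RE.match(cleaned)
        if not m:
            return ""
        scheme = m.group(1).lower()
        if scheme not in WRAPPER_SCHEMES:
            return scheme
        current = unquote(cleaned[m.end():])
    return scheme  # nesting too deep: report the last wrapper, which is rejected


def is_safe_href(url):
    """Allow relative URLs and URLs whose effective scheme is on the allowlist."""
    return effective_scheme(url) in ALLOWED_SCHEMES | {""}
```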

   MFSA 2012-56 / CVE-2012-1967: Mozilla security researcher
   moz_bug_r_a4 reported an arbitrary code execution attack
   using a javascript: URL. The Gecko engine features a
   JavaScript sandbox utility that allows the browser or
   add-ons to safely execute script in the context of a web
   page. In certain cases, javascript: URLs are executed in
   such a sandbox with insufficient context that can allow
   those scripts to escape from the sandbox and run with
   elevated privilege. This can lead to arbitrary code
   execution.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.1:

      zypper in -t patch openSUSE-2012-410

   - openSUSE 11.4:

      zypper in -t patch openSUSE-2012-410

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.1 (i586 x86_64):

      MozillaFirefox-14.0.1-2.33.1
      MozillaFirefox-branding-upstream-14.0.1-2.33.1
      MozillaFirefox-buildsymbols-14.0.1-2.33.1
      MozillaFirefox-debuginfo-14.0.1-2.33.1
      MozillaFirefox-debugsource-14.0.1-2.33.1
      MozillaFirefox-devel-14.0.1-2.33.1
      MozillaFirefox-translations-common-14.0.1-2.33.1
      MozillaFirefox-translations-other-14.0.1-2.33.1

   - openSUSE 11.4 (i586 x86_64):

      MozillaFirefox-14.0.1-28.1
      MozillaFirefox-branding-upstream-14.0.1-28.1
      MozillaFirefox-buildsymbols-14.0.1-28.1
      MozillaFirefox-debuginfo-14.0.1-28.1
      MozillaFirefox-debugsource-14.0.1-28.1
      MozillaFirefox-devel-14.0.1-28.1
      MozillaFirefox-translations-common-14.0.1-28.1
      MozillaFirefox-translations-other-14.0.1-28.1


References:

   https://www.suse.com/security/cve/CVE-2012-1948.html
   https://www.suse.com/security/cve/CVE-2012-1949.html
   https://www.suse.com/security/cve/CVE-2012-1950.html
   https://www.suse.com/security/cve/CVE-2012-1951.html
   https://www.suse.com/security/cve/CVE-2012-1952.html
   https://www.suse.com/security/cve/CVE-2012-1953.html
   https://www.suse.com/security/cve/CVE-2012-1954.html
   https://www.suse.com/security/cve/CVE-2012-1955.html
   https://www.suse.com/security/cve/CVE-2012-1957.html
   https://www.suse.com/security/cve/CVE-2012-1958.html
   https://www.suse.com/security/cve/CVE-2012-1959.html
   https://www.suse.com/security/cve/CVE-2012-1961.html
   https://www.suse.com/security/cve/CVE-2012-1962.html
   https://www.suse.com/security/cve/CVE-2012-1963.html
   https://www.suse.com/security/cve/CVE-2012-1964.html
   https://www.suse.com/security/cve/CVE-2012-1965.html
   https://www.suse.com/security/cve/CVE-2012-1966.html
   https://www.suse.com/security/cve/CVE-2012-1967.html
   https://bugzilla.novell.com/771583

Published: July 23, 2012