SciLinux: CVE-2010-0654 Critical: firefox SL4.x, SL5.x i386/x86_64
Summary
CVE-2010-2751 CVE-2010-2752 CVE-2010-2753CVE-2010-2754Several flaws were found in the processing of malformed web content. Aweb page containing malicious content could cause Firefox to crash or,potentially, execute arbitrary code with the privileges of the userrunning Firefox. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211,CVE-2010-1212, CVE-2010-1214, CVE-2010-1215, CVE-2010-2752, CVE-2010-2753)A memory corruption flaw was found in the way Firefox decoded certainPNG images. An attacker could create a specially-crafted PNG image that,when opened, could cause Firefox to crash or, potentially, executearbitrary code with the privileges of the user running Firefox.(CVE-2010-1205)Several same-origin policy bypass flaws were found in Firefox. Anattacker could create a malicious web page that, when viewed by avictim, could steal private data from a different website the victim hasloaded with Firefox. (CVE-2010-0654, CVE-2010-1207, CVE-2010-1213,CVE-2010-2754)A flaw was found in the way Firefox presented the location bar to auser. A malicious website could trick a user into thinking they arevisiting the site reported by the location bar, when the page isactually content controlled by an attacker. (CVE-2010-1206)A flaw was found in the way Firefox displayed the location bar whenvisiting a secure web page. A malicious server could use this flaw topresent data that appears to originate from a secure server, even thoughit does not. (CVE-2010-2751)A flaw was found in the way Firefox displayed certain malformedcharacters. A malicious web page could use this flaw to bypass certainstring sanitization methods, allowing it to display maliciousinformation to users. (CVE-2010-1210)For technical details regarding these flaws, refer to the Mozillasecurity advisories for Firefox 3.6.7.After installing the update, Firefox must be restarted for the changesto take effect.