https://bugzilla.novell.com/show_bug.cgi?id=720264
https://bugzilla.novell.com/show_bug.cgi?id=720264#c8
--- Comment #8 from Marcus Meissner 2011-09-28 11:44:10 UTC ---
MFSA 2011-41:
Michael Jordon of Context IS reported that in the ANGLE library used by WebGL
the return value from GrowAtomTable() was not checked for errors. If an
attacker could cause requests that exceeded the available memory those would
fail and potentially lead to a buffer overrun as subsequent code wrote into the
non-allocated space. (CVE-2011-3002)
Ben Hawkes of the Google Security Team reported a WebGL test case that
demonstrated an out of bounds write after an allocation failed. (CVE-2011-3003)
MFSA 2011-42:
Security researcher Aki Helin reported a potentially exploitable crash in the
YARR regular expression library used by JavaScript. (CVE-2011-3232)
MFSA 2011-43:
David Rees reported that the JSSubScriptLoader (a feature used by some add-ons)
was "unwrapping" XPCNativeWrappers when they were used as the scope parameter
to loadSubScript(). Without the protection of the wrappers the add-on could be
vulnerable to privilege escalation attacks from malicious web content. Whether
any given add-on were vulnerable would depend on how the add-on used the
feature and whether it interacted directly with web content, but we did find at
least one vulnerable add-on and presume there are more. (CVE-2011-3004)
The unwrapping behavior was a change introduced during Firefox 4 development.
Firefox 3.6 and earlier versions are not affected.
MFSA 2011-44:
sczimmer reported that Firefox crashed when loading a particular .ogg file.
This was due to a use-after-free condition and could potentially be exploited
to install malware. (CVE-2011-3005)
This vulnerability does not affect Firefox 3.6 or earlier.
MFSA 2011-45:
University of California, Davis researchers Liang Cai and Hao Chen presented a
paper at the 2011 USENIX HotSec workshop on inferring keystrokes from device
motion data on mobile devices. Web pages can now receive data similar to the
apps studied in that paper and likely present a similar risk. We have decided
to limit motion data events to the currently-active tab to prevent the
possibility of background tabs attempting to decipher keystrokes the user is
entering into the foreground tab.
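The failure mode described under MFSA 2011-41, as an added example that is not part of the original comment and is not ANGLE's code: a hypothetical atom table whose grow step can fail, with the caller that ignores the result beside the one that checks it. All names (`AtomTable`, `grow_table`, `add_atom_unchecked`, `add_atom_checked`, the `limit` field) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical atom table; every name here is illustrative. */
typedef struct {
    int   *atoms;
    size_t size;   /* slots allocated */
    size_t count;  /* slots in use */
    size_t limit;  /* constructed ceiling standing in for memory exhaustion */
} AtomTable;

/* Grow to at least `want` slots. Returns 0 on success, -1 on failure;
 * on failure the table is left exactly as it was. */
int grow_table(AtomTable *t, size_t want)
{
    if (want <= t->size)
        return 0;
    if (want > t->limit || want > SIZE_MAX / sizeof *t->atoms)
        return -1;
    int *p = realloc(t->atoms, want * sizeof *p);
    if (p == NULL)
        return -1;
    t->atoms = p;
    t->size = want;
    return 0;
}

/* Defect class: the result of the grow call is discarded, so after a
 * failed grow the store lands at atoms[count] with count == size.
 * Kept only for contrast and never called. */
int add_atom_unchecked(AtomTable *t, int atom)
{
    if (t->count == t->size)
        (void)grow_table(t, t->size ? t->size * 2 : 4);
    t->atoms[t->count] = atom;          /* out of bounds if the grow failed */
    return (int)t->count++;
}

/* Corrected form: a failed grow is reported and nothing is written. */
int add_atom_checked(AtomTable *t, int atom)
{
    if (t->count == t->size &&
        grow_table(t, t->size ? t->size * 2 : 4) != 0)
        return -1;
    t->atoms[t->count] = atom;
    return (int)t->count++;
}
```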