https://bugzilla.novell.com/show_bug.cgi?id=720264
https://bugzilla.novell.com/show_bug.cgi?id=720264#c7
--- Comment #7 from Marcus Meissner 2011-09-28 11:36:15 UTC ---
official info now there. lets paste ...
MFSA 2011-36:
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to
run arbitrary code.
In general these flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled,, but are potentially a risk
in browser or browser-like contexts in those products.
Benjamin Smedberg, Bob Clary, and Jesse Ruderman reported memory safety
problems that affected Firefox 3.6 and Firefox 6. (CVE-2011-2995)
Josh Aas reported a potential crash in the plugin API that affected Firefox 3.6
only. (CVE-2011-2996)
Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor Bukanov, Jason
Orendorff, Jesse Ruderman, and Marcia Knous reported memory safety problems
that affected Firefox 6, fixed in Firefox 7. (CVE-2011-2997)
MFSA 2011-37:
Mark Kaplan reported a potentially exploitable crash due to integer underflow
when using a large JavaScript RegExp expression. We would also like to thank
Mark for contributing the fix for this problem. (no CVE yet)
MFSA 2011-38:
Mozilla developer Boris Zbarsky reported that a frame named "location" could
shadow the window.location object unless a script in a page grabbed a reference
to the true object before the frame was created. Because some plugins use the
value of window.location to determine the page origin this could fool the
plugin into granting the plugin content access to another site or the local
file system in violation of the Same Origin Policy. This flaw allows
circumvention of the fix added for MFSA 2010-10. (CVE-2011-2999)
MFSA 2011-39:
Ian Graham of Citrix Online reported that when multiple Location headers were
present in a redirect response Mozilla behavior differed from other browsers:
Mozilla would use the second Location header while Chrome and Internet Explorer
would use the first. Two copies of this header with different values could be a
symptom of a CRLF injection attack against a vulnerable server. Most commonly
it is the Location header itself that is vulnerable to the response splitting
and therefore the copy preferred by Mozilla is more likely to be the malicious
one. It is possible, however, that the first copy was the injected one
depending on the nature of the server vulnerability.
The Mozilla browser engine has been changed to treat two copies of this header
with different values as an error condition. The same has been done with the
headers Content-Length and Content-Disposition. (CVE-2011-3000)
MFSA 2011-40:
Mariusz Mlynski reported that if you could convince a user to hold down the
Enter key--as part of a game or test, perhaps--a malicious page could pop up a
download dialog where the held key would then activate the default Open action.
For some file types this would be merely annoying (the equivalent of a pop-up)
but other file types have powerful scripting capabilities. And this would
provide an avenue for an attacker to exploit a vulnerability in applications
not normally exposed to potentially hostile internet content.
Mariusz also reported a similar flaw with manual plugin installation using the
PLUGINSPAGE attribute. It was possible to create an internal error that
suppressed a confirmation dialog, such that holding enter would lead to the
installation of an arbitrary add-on. (This variant did not affect Firefox 3.6)
Holding enter allows arbitrary code execution due to Download Manager
(CVE-2011-2372)
Holding enter allows arbitrary extension installation (CVE-2011-3001)
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.