) o Bill Gianopoulos, Benoit Jacob, Christoph Diehl, Christian Holler, Gary Kwong, Robert O'Callahan, and Scoobidiver reported memory safety problems and crashes
) o Jesse Ruderman, Christian Holler, Julian Seward, and Scoobidiver reported memory safety problems and crashes
)
SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:0048-1 Rating: important References: #796895 Cross-References: CVE-2012-5829 CVE-2013-0743 CVE-2013-0744 CVE-2013-0745 CVE-2013-0746 CVE-2013-0747 CVE-2013-0748 CVE-2013-0749 CVE-2013-0750 CVE-2013-0751 CVE-2013-0752 CVE-2013-0753 CVE-2013-0754 CVE-2013-0755 CVE-2013-0756 CVE-2013-0757 CVE-2013-0758 CVE-2013-0759 CVE-2013-0760 CVE-2013-0761 CVE-2013-0762 CVE-2013-0763 CVE-2013-0764 CVE-2013-0766 CVE-2013-0767 CVE-2013-0768 CVE-2013-0769 CVE-2013-0770 CVE-2013-0771 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2 SUSE Linux Enterprise Server 11 SP2 for VMware SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Desktop 11 SP2 ______________________________________________________________________________ An update that fixes 29 vulnerabilities is now available. It includes three new package versions. Description: Mozilla Firefox was updated to the 10.0.12ESR release. * MFSA 2013-01: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. o Christoph Diehl, Christian Holler, Mats Palmgren, and Chiaki Ishikawa reported memory safety problems and crashes that affect Firefox ESR 10, Firefox ESR 17, and Firefox 17. ( CVE-2013-0769 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769 that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0749 that affect Firefox 17. (CVE-2013-0770 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0770 * MFSA 2013-02: Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series critically rated of use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting three additional user-after-free and out of bounds read flaws introduced during Firefox development that were fixed before general release. The following issue was fixed in Firefox 18: o Global-buffer-overflow in CharDistributionAnalysis::HandleOneChar (CVE-2013-0760 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0760
)
The following issues were fixed in Firefox 18, ESR 17.0.1, and ESR 10.0.12: o Heap-use-after-free in imgRequest::OnStopFrame (CVE-2013-0762 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
) o Heap-use-after-free in ~nsHTMLEditRules (CVE-2013-0766 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766 ) o Out of bounds read in nsSVGPathElement::GetPathLengthScale ( CVE-2013-0767 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767 )
The following issues were fixed in Firefox 18 and ESR 17.0.1: o Heap-use-after-free in mozilla::TrackUnionStream::EndTrack ( CVE-2013-0761 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0761
) o Heap-use-after-free in Mesa, triggerable by resizing a WebGL canvas (CVE-2013-0763 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0763 ) o Heap-buffer-overflow in gfxTextRun::ShrinkToLigatureBoundaries (CVE-2013-0771 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0771 )
)
The following issue was fixed in Firefox 18 and in the earlier ESR 10.0.11 release: o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829 * MFSA 2013-03: Security researcher miaubiz used the Address Sanitizer tool to discover a buffer overflow in Canvas when specific bad height and width values were given through HTML. This could lead to a potentially exploitable crash. (CVE-2013-0768 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0768
)
Miaubiz also found a potentially exploitable crash when 2D and 3D content was mixed which was introduced during Firefox development and fixed before general release. * MFSA 2013-04: Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identify of another site. ( CVE-2013-0759 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759
)
* MFSA 2013-05: Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a user-after-free causing a potentially exploitable crash. ( CVE-2013-0744 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744
)
* MFSA 2013-06: Mozilla developer Wesley Johnston reported that when there are two or more iframes on the same HTML page, an iframe is able to see the touch events and their targets that occur within the other iframes on the page. If the iframes are from the same origin, they can also access the properties and methods of the targets of other iframes but same-origin policy (SOP) restricts access across domains. This allows for information leakage and possibilities for cross-site scripting (XSS) if another vulnerability can be used to get around SOP restrictions. (CVE-2013-0751 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0751
)
* MFSA 2013-07: Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when they can occur on a variety of threads. The resulting crash was potentially exploitable. (CVE-2013-0764 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0764
)
* MFSA 2013-08: Mozilla developer Olli Pettay discovered that the AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution. (CVE-2013-0745 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0745
)
* MFSA 2013-09: Mozilla developer Boris Zbarsky reported reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash. (CVE-2013-0746 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746
)
* MFSA 2013-10: Mozilla security researcher Jesse Ruderman reported that events in the plugin handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for clickjacking on malicious web pages. (CVE-2013-0747 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0747
)
* MFSA 2013-11: Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections. (CVE-2013-0748 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748
)
* MFSA 2013-12: Security researcher pa_kt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption. (CVE-2013-0750 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750
)
* MFSA 2013-13: Security researcher Sviatoslav Chagaev reported that when using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash. (CVE-2013-0752 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0752
)
* MFSA 2013-14: Security researcher Mariusz Mlynski reported that it is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution. (CVE-2013-0757 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0757
)
* MFSA 2013-15: Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution. (CVE-2013-0758 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758
)
* MFSA 2013-16: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited. (CVE-2013-0753 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753
)
* MFSA 2013-17: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary code execution. (CVE-2013-0754 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754
)
* MFSA 2013-18: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free using the domDoc pointer within Vibrate library. This can lead to arbitrary code execution when exploited. (CVE-2013-0755 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0755
)
* MFSA 2013-19: Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a garbage collection flaw in Javascript Proxy objects. This can lead to a use-after-free leading to arbitrary code execution. (CVE-2013-0756 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0756
)
* MFSA 2013-20: Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates. (CVE-2013-0743 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
)
Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP2: zypper in -t patch sdksp2-firefox-201301-7224 - SUSE Linux Enterprise Server 11 SP2 for VMware: zypper in -t patch slessp2-firefox-201301-7224 - SUSE Linux Enterprise Server 11 SP2: zypper in -t patch slessp2-firefox-201301-7224 - SUSE Linux Enterprise Desktop 11 SP2: zypper in -t patch sledsp2-firefox-201301-7224 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.14.1 and 4.9.4]: mozilla-nspr-devel-4.9.4-0.3.1 mozilla-nss-devel-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 10.0.12,3.14.1 and 4.9.4]: MozillaFirefox-10.0.12-0.4.1 MozillaFirefox-translations-10.0.12-0.4.1 libfreebl3-3.14.1-0.3.1 mozilla-nspr-4.9.4-0.3.1 mozilla-nss-3.14.1-0.3.1 mozilla-nss-tools-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP2 for VMware (x86_64) [New Version: 3.14.1 and 4.9.4]: libfreebl3-32bit-3.14.1-0.3.1 mozilla-nspr-32bit-4.9.4-0.3.1 mozilla-nss-32bit-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.12,3.14.1 and 4.9.4]: MozillaFirefox-10.0.12-0.4.1 MozillaFirefox-translations-10.0.12-0.4.1 libfreebl3-3.14.1-0.3.1 mozilla-nspr-4.9.4-0.3.1 mozilla-nss-3.14.1-0.3.1 mozilla-nss-tools-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (ppc64 s390x x86_64) [New Version: 3.14.1 and 4.9.4]: libfreebl3-32bit-3.14.1-0.3.1 mozilla-nspr-32bit-4.9.4-0.3.1 mozilla-nss-32bit-3.14.1-0.3.1 - SUSE Linux Enterprise Server 11 SP2 (ia64) [New Version: 3.14.1 and 4.9.4]: libfreebl3-x86-3.14.1-0.3.1 mozilla-nspr-x86-4.9.4-0.3.1 mozilla-nss-x86-3.14.1-0.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.12,3.14.1 and 4.9.4]: MozillaFirefox-10.0.12-0.4.1 MozillaFirefox-translations-10.0.12-0.4.1 libfreebl3-3.14.1-0.3.1 mozilla-nspr-4.9.4-0.3.1 mozilla-nss-3.14.1-0.3.1 mozilla-nss-tools-3.14.1-0.3.1 - SUSE Linux Enterprise Desktop 11 SP2 (x86_64) [New Version: 3.14.1 and 4.9.4]: libfreebl3-32bit-3.14.1-0.3.1 mozilla-nspr-32bit-4.9.4-0.3.1 mozilla-nss-32bit-3.14.1-0.3.1 References: http://support.novell.com/security/cve/CVE-2012-5829.html http://support.novell.com/security/cve/CVE-2013-0743.html http://support.novell.com/security/cve/CVE-2013-0744.html http://support.novell.com/security/cve/CVE-2013-0745.html http://support.novell.com/security/cve/CVE-2013-0746.html http://support.novell.com/security/cve/CVE-2013-0747.html http://support.novell.com/security/cve/CVE-2013-0748.html http://support.novell.com/security/cve/CVE-2013-0749.html http://support.novell.com/security/cve/CVE-2013-0750.html http://support.novell.com/security/cve/CVE-2013-0751.html http://support.novell.com/security/cve/CVE-2013-0752.html http://support.novell.com/security/cve/CVE-2013-0753.html http://support.novell.com/security/cve/CVE-2013-0754.html http://support.novell.com/security/cve/CVE-2013-0755.html http://support.novell.com/security/cve/CVE-2013-0756.html http://support.novell.com/security/cve/CVE-2013-0757.html http://support.novell.com/security/cve/CVE-2013-0758.html http://support.novell.com/security/cve/CVE-2013-0759.html http://support.novell.com/security/cve/CVE-2013-0760.html http://support.novell.com/security/cve/CVE-2013-0761.html http://support.novell.com/security/cve/CVE-2013-0762.html http://support.novell.com/security/cve/CVE-2013-0763.html http://support.novell.com/security/cve/CVE-2013-0764.html http://support.novell.com/security/cve/CVE-2013-0766.html http://support.novell.com/security/cve/CVE-2013-0767.html http://support.novell.com/security/cve/CVE-2013-0768.html http://support.novell.com/security/cve/CVE-2013-0769.html http://support.novell.com/security/cve/CVE-2013-0770.html http://support.novell.com/security/cve/CVE-2013-0771.html https://bugzilla.novell.com/796895 http://download.novell.com/patch/finder/?keywords=9589e71e3266116ae59aa9d6e4... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org