openSUSE Security Update: MozillaFirefox: Security update to 3.6.15 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2011:0169-1 Rating: critical References: #667155 Cross-References: CVE-2010-1585 CVE-2011-0051 CVE-2011-0053 CVE-2011-0054 CVE-2011-0055 CVE-2011-0056 CVE-2011-0057 CVE-2011-0058 CVE-2011-0059 CVE-2011-0061 CVE-2011-0062 Affected Products: openSUSE 11.3 openSUSE 11.2 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. It includes 6 new package versions. Description: MozillaFirefox was updated to version 3.6.15, fixing various security issues. Following security issues were fixed: MFSA 2011-01: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. References Jesse Ruderman, Igor Bukanov, Olli Pettay, Gary Kwong, Jeff Walden, Henry Sivonen, Martijn Wargers, David Baron and Marcia Knous reported memory safety problems that affected Firefox 3.6 and Firefox 3.5. (CVE-2011-0053) Igor Bukanov and Gary Kwong reported memory safety problems that affected Firefox 3.6 only. (CVE-2011-0062) MFSA 2011-02 / CVE-2011-0051: Security researcher Zach Hoffman reported that a recursive call to eval() wrapped in a try/catch statement places the browser into a inconsistent state. Any dialog box opened in this state is displayed without text and with non-functioning buttons. Closing the window causes the dialog to evaluate to true. An attacker could use this issue to force a user into accepting any dialog, such as one granting elevated privileges to the page presenting the dialog. MFSA 2011-03 / CVE-2011-0055: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a method used by JSON.stringify contained a use-after-free error in which a currently in-use pointer was freed and subsequently dereferenced. This could lead to arbitrary code execution if an attacker was able to store malicious code in the freed section of memory. Mozilla developer Igor Bukanov also independently discovered and reported this issue two weeks after the initial report was received. MFSA 2011-04 / CVE-2011-0054: Security researcher Christian Holler reported that the JavaScript engine's internal memory mapping of non-local JS variables contained a buffer overflow which could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2011-05 / CVE-2011-0056: Security researcher Christian Holler reported that the JavaScript engine's internal mapping of string values contained an error in cases where the number of values being stored was above 64K. In such cases an offset pointer was manually moved forwards and backwards to access the larger address space. If an exception was thrown between the time that the offset pointer was moved forward and the time it was reset, then the exception object would be read from an invalid memory address, potentially executing attacker-controlled memory. MFSA 2011-06 / CVE-2011-0057: Daniel Kozlowski reported that a JavaScript Worker could be used to keep a reference to an object that could be freed during garbage collection. Subsequent calls through this deleted reference could cause attacker-controlled memory to be executed on a victim's computer. MFSA 2011-07 / CVE-2011-0058: Alex Miller reported that when very long strings were constructed and inserted into an HTML document, the browser would incorrectly construct the layout objects used to display the text. Under such conditions an incorrect length would be calculated for a text run resulting in too small of a memory buffer being allocated to store the text. This issue could be used by an attacker to write data past the end of the buffer and execute malicious code on a victim's computer. This issue affects only Mozilla browsers on Windows. MFSA 2011-08 / CVE-2010-1585: Mozilla security developer Roberto Suggi Liverani reported that ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any released products, extension code could have potentially used it in an unsafe manner. MFSA 2011-09 / CVE-2011-0061: Security researcher Jordi Chancel reported that a JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in memory and then later executed on a victim's computer. MFSA 2011-10 / CVE-2011-0059: Adobe security researcher Peleus Uhley reported that when plugin-initiated requests receive a 307 redirect response, the plugin is not notified and the request is forwarded to the new location. This is true even for cross-site redirects, so any custom headers that were added as part of the initial request would be forwarded intact across origins. This poses a CSRF risk for web applications that rely on custom headers only being present in requests from their own origin. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.3: zypper in -t patch MozillaFirefox-4111 MozillaThunderbird-4070 mozilla-xulrunner191-4073 seamonkey-4074 - openSUSE 11.2: zypper in -t patch MozillaFirefox-4111 MozillaThunderbird-4070 mozilla-xulrunner191-4073 seamonkey-4074 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.3 (i586 x86_64) [New Version: 1.1.2,1.9.1.17,1.9.2.15,2.0.12,3.1.8 and 3.6.15]: MozillaFirefox-3.6.15-0.2.1 MozillaFirefox-branding-upstream-3.6.15-0.2.1 MozillaFirefox-translations-common-3.6.15-0.2.1 MozillaFirefox-translations-other-3.6.15-0.2.1 MozillaThunderbird-3.1.8-0.7.1 MozillaThunderbird-devel-3.1.8-0.7.1 MozillaThunderbird-translations-common-3.1.8-0.7.1 MozillaThunderbird-translations-other-3.1.8-0.7.1 enigmail-1.1.2-9.7.1 mozilla-js192-1.9.2.15-0.2.1 mozilla-xulrunner191-1.9.1.17-0.2.1 mozilla-xulrunner191-devel-1.9.1.17-0.2.1 mozilla-xulrunner191-gnomevfs-1.9.1.17-0.2.1 mozilla-xulrunner191-translations-common-1.9.1.17-0.2.1 mozilla-xulrunner191-translations-other-1.9.1.17-0.2.1 mozilla-xulrunner192-1.9.2.15-0.2.1 mozilla-xulrunner192-buildsymbols-1.9.2.15-0.2.1 mozilla-xulrunner192-devel-1.9.2.15-0.2.1 mozilla-xulrunner192-gnome-1.9.2.15-0.2.1 mozilla-xulrunner192-translations-common-1.9.2.15-0.2.1 mozilla-xulrunner192-translations-other-1.9.2.15-0.2.1 python-xpcom191-1.9.1.17-0.2.1 seamonkey-2.0.12-0.2.1 seamonkey-dom-inspector-2.0.12-0.2.1 seamonkey-irc-2.0.12-0.2.1 seamonkey-translations-common-2.0.12-0.2.1 seamonkey-translations-other-2.0.12-0.2.1 seamonkey-venkman-2.0.12-0.2.1 - openSUSE 11.3 (x86_64) [New Version: 1.9.1.17 and 1.9.2.15]: mozilla-js192-32bit-1.9.2.15-0.2.1 mozilla-xulrunner191-32bit-1.9.1.17-0.2.1 mozilla-xulrunner191-gnomevfs-32bit-1.9.1.17-0.2.1 mozilla-xulrunner192-32bit-1.9.2.15-0.2.1 mozilla-xulrunner192-gnome-32bit-1.9.2.15-0.2.1 mozilla-xulrunner192-translations-common-32bit-1.9.2.15-0.2.1 mozilla-xulrunner192-translations-other-32bit-1.9.2.15-0.2.1 - openSUSE 11.2 (i586 x86_64) [New Version: 1.1.2,1.9.1.17,1.9.2.15,2.0.12,3.1.8 and 3.6.15]: MozillaFirefox-3.6.15-0.2.2 MozillaFirefox-branding-upstream-3.6.15-0.2.2 MozillaFirefox-translations-common-3.6.15-0.2.2 MozillaFirefox-translations-other-3.6.15-0.2.2 MozillaThunderbird-3.1.8-0.7.1 MozillaThunderbird-devel-3.1.8-0.7.1 MozillaThunderbird-translations-common-3.1.8-0.7.1 MozillaThunderbird-translations-other-3.1.8-0.7.1 enigmail-1.1.2-9.7.1 mozilla-js192-1.9.2.15-0.2.2 mozilla-xulrunner191-1.9.1.17-0.2.1 mozilla-xulrunner191-devel-1.9.1.17-0.2.1 mozilla-xulrunner191-gnomevfs-1.9.1.17-0.2.1 mozilla-xulrunner191-translations-common-1.9.1.17-0.2.1 mozilla-xulrunner191-translations-other-1.9.1.17-0.2.1 mozilla-xulrunner192-1.9.2.15-0.2.2 mozilla-xulrunner192-buildsymbols-1.9.2.15-0.2.2 mozilla-xulrunner192-devel-1.9.2.15-0.2.2 mozilla-xulrunner192-gnome-1.9.2.15-0.2.2 mozilla-xulrunner192-translations-common-1.9.2.15-0.2.2 mozilla-xulrunner192-translations-other-1.9.2.15-0.2.2 python-xpcom191-1.9.1.17-0.2.1 seamonkey-2.0.12-0.2.1 seamonkey-dom-inspector-2.0.12-0.2.1 seamonkey-irc-2.0.12-0.2.1 seamonkey-venkman-2.0.12-0.2.1 - openSUSE 11.2 (x86_64) [New Version: 1.9.1.17 and 1.9.2.15]: mozilla-js192-32bit-1.9.2.15-0.2.2 mozilla-xulrunner191-32bit-1.9.1.17-0.2.1 mozilla-xulrunner191-gnomevfs-32bit-1.9.1.17-0.2.1 mozilla-xulrunner192-32bit-1.9.2.15-0.2.2 mozilla-xulrunner192-gnome-32bit-1.9.2.15-0.2.2 mozilla-xulrunner192-translations-common-32bit-1.9.2.15-0.2.2 mozilla-xulrunner192-translations-other-32bit-1.9.2.15-0.2.2 References: http://support.novell.com/security/cve/CVE-2010-1585.html http://support.novell.com/security/cve/CVE-2011-0051.html http://support.novell.com/security/cve/CVE-2011-0053.html http://support.novell.com/security/cve/CVE-2011-0054.html http://support.novell.com/security/cve/CVE-2011-0055.html http://support.novell.com/security/cve/CVE-2011-0056.html http://support.novell.com/security/cve/CVE-2011-0057.html http://support.novell.com/security/cve/CVE-2011-0058.html http://support.novell.com/security/cve/CVE-2011-0059.html http://support.novell.com/security/cve/CVE-2011-0061.html http://support.novell.com/security/cve/CVE-2011-0062.html https://bugzilla.novell.com/667155