Mailinglist Archive: opensuse-updates (57 mails)

< Previous Next >
openSUSE-SU-2010:0430-3 (important): MozillaFirefox: Update to 3.6.8 security release
  • From: opensuse-security@xxxxxxxxxxxx
  • Date: Thu, 29 Jul 2010 19:08:09 +0200 (CEST)
  • Message-id: <20100729170809.2AC85BE29@xxxxxxxxxxxxxx>
openSUSE Security Update: MozillaFirefox: Update to 3.6.8 security release
______________________________________________________________________________

Announcement ID: openSUSE-SU-2010:0430-3
Rating: important
References: #622506
Affected Products:
openSUSE 11.3
openSUSE 11.2
openSUSE 11.1
______________________________________________________________________________

An update that contains security fixes can now be
installed. It includes four new package versions.

Description:

This update brings Mozilla Firefox to the 3.6.8 security
release.

It fixes following security bugs: MFSA 2010-34 /
CVE-2010-1211 / CVE-2010-1212: Mozilla developers
identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that
with enough effort at least some of these could be
exploited to run arbitrary code.

MFSA 2010-35 / CVE-2010-1208: Security researcher
regenrecht reported via TippingPoint's Zero Day Initiative
an error in the DOM attribute cloning routine where under
certain circumstances an event attribute node can be
deleted while another object still contains a reference to
it. This reference could subsequently be accessed,
potentially causing the execution of attacker controlled
memory.

MFSA 2010-36 / CVE-2010-1209: Security researcher
regenrecht reported via TippingPoint's Zero Day Initiative
an error in Mozilla's implementation of NodeIterator in
which a malicious NodeFilter could be created which would
detach nodes from the DOM tree while it was being
traversed. The use of a detached and subsequently deleted
node could result in the execution of attacker-controlled
memory.

MFSA 2010-37 / CVE-2010-1214: Security researcher J23
reported via TippingPoint's Zero Day Initiative an error in
the code used to store the names and values of plugin
parameter elements. A malicious page could embed plugin
content containing a very large number of parameter
elements which would cause an overflow in the integer value
counting them. This integer is later used in allocating a
memory buffer used to store the plugin parameters. Under
such conditions, too small a buffer would be created and
attacker-controlled data could be written past the end of
the buffer, potentially resulting in code execution.

MFSA 2010-38 / CVE-2010-1215: Mozilla security researcher
moz_bug_r_a4 reported that when content script which is
running in a chrome context accesses a content object via
SJOW, the content code can gain access to an object from
the chrome scope and use that object to run arbitrary
JavaScript with chrome privileges.

Firefox 3.5 and other Mozilla products built from Gecko
1.9.1 were not affected by this issue.

MFSA 2010-39 / CVE-2010-2752: Security researcher J23
reported via TippingPoint's Zero Day Initiative that an
array class used to store CSS values contained an integer
overflow vulnerability. The 16 bit integer value used in
allocating the size of the array could overflow, resulting
in too small a memory buffer being created. When the array
was later populated with CSS values data would be written
past the end of the buffer potentially resulting in the
execution of attacker-controlled memory.

MFSA 2010-40 / CVE-2010-2753: Security researcher
regenrecht reported via TippingPoint's Zero Day Initiative
an integer overflow vulnerability in the implementation of
the XUL <tree> element's selection attribute. When the size
of a new selection is sufficiently large the integer used
in calculating the length of the selection can overflow,
resulting in a bogus range being marked selected. When
adjustSelection is then called on the bogus range the range
is deleted leaving dangling references to the ranges which
could be used by an attacker to call into deleted memory
and run arbitrary code on a victim's computer.

MFSA 2010-41 / CVE-2010-1205: OUSPG researcher Aki Helin
reported a buffer overflow in Mozilla graphics code which
consumes image data processed by libpng. A malformed PNG
file could be created which would cause libpng to
incorrectly report the size of the image to downstream
consumers. When the dimensions of such images are
underreported, the Mozilla code responsible for displaying
the graphic will allocate too small a memory buffer to
contain the image data and will wind up writing data past
the end of the buffer. This could result in the execution
of attacker-controlled memory.

MFSA 2010-42 / CVE-2010-1213: Security researcher Yosuke
Hasegawa reported that the Web Worker method importScripts
can read and parse resources from other domains even when
the content is not valid JavaScript. This is a violation of
the same-origin policy and could be used by an attacker to
steal information from other sites.

MFSA 2010-43 / CVE-2010-1207: Mozilla developer Vladimir
Vukicevic reported that a canvas element can be used to
read data from another site, violating the same-origin
policy. The read restriction placed on a canvas element
which has had cross-origin data rendered into it can be
bypassed by retaining a reference to the canvas element's
context and deleting the associated canvas node from the
DOM.

MFSA 2010-44 / CVE-2010-1210: Security researcher O.
Andersen reported that undefined positions within various 8
bit character encodings are mapped to the sequence U+FFFD
which when displayed causes the immediately following
character to disappear from the text run. This could
potentially contribute to XSS problems on sites which
expected extra characters to be present within strings
being sanitized on the server.

MFSA 2010-45 / CVE-2010-1206: Google security researcher
Michal Zalewski reported two methods for spoofing the
contents of the location bar. The first method works by
opening a new window containing a resource that responds
with an HTTP 204 (no content) and then using the reference
to the new window to insert HTML content into the blank
document. The second location bar spoofing method does not
require that the resource opened in a new window respond
with 204, as long as the opener calls window.stop() before
the document is loaded. In either case a user could be
mislead as to the correct location of the document they are
currently viewing.

MFSA 2010-45 / CVE-2010-2751: Security researcher Jordi
Chancel reported that the location bar could be spoofed to
look like a secure page when the current document was
served via plaintext. The vulnerability is triggered by a
server by first redirecting a request for a plaintext
resource to another resource behind a valid SSL/TLS
certificate. A second request made to the original
plaintext resource which is responded to not with a
redirect but with JavaScript containing history.back() and
history.forward() will result in the plaintext resource
being displayed with valid SSL/TLS badging in the location
bar. References

MFSA 2010-46 / CVE-2010-0654: Google security researcher
Chris Evans reported that data can be read across domains
by injecting bogus CSS selectors into a target site and
then retrieving the data using JavaScript APIs. If an
attacker can inject opening and closing portions of a CSS
selector into points A and B of a target page, then the
region between the two injection points becomes readable to
JavaScript through, for example, the getComputedStyle() API.

MFSA 2010-47 / CVE-2010-2754: Security researcher Soroush
Dalili reported that potentially sensitive URL parameters
could be leaked across domains upon script errors when the
script filename and line number is included in the error
message.

MFSA 2010-48 / CVE-2010-2755: Mozilla developer Daniel
Holbert reported that the fix to the plugin parameter array
crash that was fixed in Firefox 3.6.7 caused a crash
showing signs of memory corruption. In certain
circumstances, properties in the plugin instance's
parameter array could be freed prematurely leaving a
dangling pointer that the plugin could execute, potentially
calling into attacker-controlled memory.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 11.3:

zypper in -t patch MozillaFirefox-2807 mozilla-xulrunner191-2779

- openSUSE 11.2:

zypper in -t patch MozillaFirefox-2774

- openSUSE 11.1:

zypper in -t patch MozillaFirefox-2774

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 11.3 (i586 src x86_64) [New Version: 1.9.1.11,1.9.2.8 and 3.6.8]:

MozillaFirefox-3.6.8-0.1.1
mozilla-xulrunner191-1.9.1.11-0.1.1
mozilla-xulrunner192-1.9.2.8-0.1.1

- openSUSE 11.3 (i586 x86_64) [New Version: 1.9.1.11,1.9.2.8 and 3.6.8]:

MozillaFirefox-branding-upstream-3.6.8-0.1.1
MozillaFirefox-translations-common-3.6.8-0.1.1
MozillaFirefox-translations-other-3.6.8-0.1.1
mozilla-js192-1.9.2.8-0.1.1
mozilla-xulrunner191-devel-1.9.1.11-0.1.1
mozilla-xulrunner191-gnomevfs-1.9.1.11-0.1.1
mozilla-xulrunner191-translations-common-1.9.1.11-0.1.1
mozilla-xulrunner191-translations-other-1.9.1.11-0.1.1
mozilla-xulrunner192-buildsymbols-1.9.2.8-0.1.1
mozilla-xulrunner192-devel-1.9.2.8-0.1.1
mozilla-xulrunner192-gnome-1.9.2.8-0.1.1
mozilla-xulrunner192-translations-common-1.9.2.8-0.1.1
mozilla-xulrunner192-translations-other-1.9.2.8-0.1.1
python-xpcom191-1.9.1.11-0.1.1

- openSUSE 11.3 (x86_64) [New Version: 1.9.1.11 and 1.9.2.8]:

mozilla-js192-32bit-1.9.2.8-0.1.1
mozilla-xulrunner191-32bit-1.9.1.11-0.1.1
mozilla-xulrunner191-gnomevfs-32bit-1.9.1.11-0.1.1
mozilla-xulrunner192-32bit-1.9.2.8-0.1.1
mozilla-xulrunner192-gnome-32bit-1.9.2.8-0.1.1
mozilla-xulrunner192-translations-common-32bit-1.9.2.8-0.1.1
mozilla-xulrunner192-translations-other-32bit-1.9.2.8-0.1.1

- openSUSE 11.2 (i586 src x86_64) [New Version: 1.9.1.11 and 3.5.11]:

MozillaFirefox-3.5.11-0.1.1
mozilla-xulrunner191-1.9.1.11-0.1.1

- openSUSE 11.2 (i586 x86_64) [New Version: 1.9.1.11 and 3.5.11]:

MozillaFirefox-branding-upstream-3.5.11-0.1.1
MozillaFirefox-translations-common-3.5.11-0.1.1
MozillaFirefox-translations-other-3.5.11-0.1.1
mozilla-xulrunner191-devel-1.9.1.11-0.1.1
mozilla-xulrunner191-gnomevfs-1.9.1.11-0.1.1
mozilla-xulrunner191-translations-common-1.9.1.11-0.1.1
mozilla-xulrunner191-translations-other-1.9.1.11-0.1.1
python-xpcom191-1.9.1.11-0.1.1

- openSUSE 11.2 (x86_64) [New Version: 1.9.1.11]:

mozilla-xulrunner191-32bit-1.9.1.11-0.1.1
mozilla-xulrunner191-gnomevfs-32bit-1.9.1.11-0.1.1

- openSUSE 11.1 (i586 ppc src x86_64) [New Version: 1.9.1.11 and 3.5.11]:

MozillaFirefox-3.5.11-0.1.1
mozilla-xulrunner191-1.9.1.11-0.1.1

- openSUSE 11.1 (i586 ppc x86_64) [New Version: 1.9.1.11 and 3.5.11]:

MozillaFirefox-branding-upstream-3.5.11-0.1.1
MozillaFirefox-translations-common-3.5.11-0.1.1
MozillaFirefox-translations-other-3.5.11-0.1.1
mozilla-xulrunner191-devel-1.9.1.11-0.1.1
mozilla-xulrunner191-gnomevfs-1.9.1.11-0.1.1
mozilla-xulrunner191-translations-common-1.9.1.11-0.1.1
mozilla-xulrunner191-translations-other-1.9.1.11-0.1.1
python-xpcom191-1.9.1.11-0.1.1

- openSUSE 11.1 (x86_64) [New Version: 1.9.1.11]:

mozilla-xulrunner191-32bit-1.9.1.11-0.1.1
mozilla-xulrunner191-gnomevfs-32bit-1.9.1.11-0.1.1


References:

https://bugzilla.novell.com/622506


< Previous Next >
This Thread
  • No further messages