-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: MozillaFirefox,MozillaThunderbird,seamonkey
Announcement ID: SUSE-SA:2010:049
Date: Tue, 12 Oct 2010 13:00:00 +0000
Affected Products: openSUSE 11.1
openSUSE 11.2
openSUSE 11.3
SUSE Linux Enterprise Software Development Kit 11
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Software Development Kit 11 SP1
SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Server 11 SP1
Vulnerability Type: remote code execution
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
SUSE Default Package: yes
Cross-References: CVE-2010-2753, CVE-2010-2760, CVE-2010-2762
CVE-2010-2763, CVE-2010-2764, CVE-2010-2765
CVE-2010-2766, CVE-2010-2767, CVE-2010-2768
CVE-2010-2769, CVE-2010-2770, CVE-2010-3131
CVE-2010-3166, CVE-2010-3167, CVE-2010-3168
CVE-2010-3169, MFSA 2010-49, MFSA 2010-50
MFSA 2010-51, MFSA 2010-52, MFSA 2010-53
MFSA 2010-54, MFSA 2010-55, MFSA 2010-56
MFSA 2010-57, MFSA 2010-58, MFSA 2010-59
MFSA 2010-60, MFSA 2010-61, MFSA 2010-62
MFSA 2010-63
Content of This Advisory:
1) Security Vulnerability Resolved:
Mozilla Firefox security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Mozilla Firefox was updated to version 3.6.10, fixing various bugs
and security issues.
Mozilla Thunderbird was updated to version 3.0.8 on openSUSE, fixing
the same bugs.
Mozilla Seamonkey was updated to version 2.0.8 on openSUSE, fixing
the same bugs.
A Firefox update for SUSE Linux Enterprise 10 Service Pack 3 is still
being worked on and currently held back due to legal problems with
the Firefox 3.5 - 3.6 version upgrade and some browser components.
Following security issues were fixed:
MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these bugs showed evidence of
memory corruption under certain circumstances, and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code.
MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf
of Matasano Security reported that the implementation of the HTML
frameset element contained an integer overflow vulnerability. The code
responsible for parsing the frameset columns used an 8-byte counter for
the column numbers, so when a very large number of columns was passed
in the counter would overflow. When this counter was subsequently
used to allocate memory for the frameset, the memory buffer would
be too small, potentially resulting in a heap buffer overflow and
execution of attacker-controlled memory.
MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov
reported a dangling pointer vulnerability in the implementation
of navigator.plugins in which the navigator object could retain a
pointer to the plugins array even after it had been destroyed. An
attacker could potentially use this issue to crash the browser and
run arbitrary code on a victim's computer.
MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of
FortiGuard Labs reported that Firefox could be used to load a malicious
code library that had been planted on a victim's computer. Firefox
attempts to load dwmapi.dll upon startup as part of its platform
detection, so on systems that don't have this library, such as Windows
XP, Firefox will subsequently attempt to load the library from the
current working directory. An attacker could use this vulnerability
to trick a user into downloading a HTML file and a malicious copy
of dwmapi.dll into the same directory on their computer and opening
the HTML file with Firefox, thus causing the malicious code to be
executed. If the attacker was on the same network as the victim,
the malicious DLL could also be loaded via a UNC path. The attack
also requires that Firefox not currently be running when it is asked
to open the HTML file and accompanying DLL.
As this is a Windows only problem, it does not affect the Linux
version. It is listed for completeness only.
MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509
reported a heap buffer overflow in code routines responsible
for transforming text runs. A page could be constructed with a
bidirectional text run which upon reflow could result in an incorrect
length being calculated for the run of text. When this value is
subsequently used to allocate memory for the text too small a buffer
may be created potentially resulting in a buffer overflow and the
execution of attacker controlled memory.
MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that there was a remaining
dangling pointer issue leftover from the fix to CVE-2010-2753. Under
certain circumstances one of the pointers held by a XUL tree selection
could be freed and then later reused, potentially resulting in the
execution of attacker-controlled memory.
MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that XUL objects could be
manipulated such that the setting of certain properties on the object
would trigger the removal of the tree from the DOM and cause certain
sections of deleted memory to be accessed. In products based on Gecko
version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has
been overwritten by a value that will cause an unexploitable crash. In
products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0,
and SeaMonkey 2.0) and older an attacker could potentially use this
vulnerability to crash a victim's browser and run arbitrary code on
their computer.
MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that the implementation of XUL
's content view contains a dangling pointer vulnerability. One
of the content view's methods for accessing the internal structure of
the tree could be manipulated into removing a node prior to accessing
it, resulting in the accessing of deleted memory. If an attacker can
control the contents of the deleted memory prior to its access they
could use this vulnerability to run arbitrary code on a victim's
machine.
MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that code used to normalize
a document contained a logical flaw that could be leveraged to run
arbitrary code. When the normalization code ran, a static count of
the document's child nodes was used in the traversal, so a page could
be constructed that would remove DOM nodes during this normalization
which could lead to the accessing of a deleted object and potentially
the execution of attacker-controlled memory.
MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld
reported that a specially crafted font could be applied to a document
and cause a crash on Mac systems. The crash showed signs of memory
corruption and presumably could be used by an attacker to execute
arbitrary code on a victim's computer.
This issue probably does not affect the Linux builds and so is listed
for completeness.
MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported
that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security
wrapper that allows content-defined objects to be safely accessed by
privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may
be handed a chrome privileged object which could be leveraged to run
arbitrary JavaScript with chrome privileges.
Michal Zalewski's recent contributions helped to identify this
architectural weakness.
MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher moz_bug_r_a4
reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on
the Mozilla 1.9.1 development branch has a logical error in its
scripted function implementation that allows the caller to run the
function within the context of another site. This is a violation of
the same-origin policy and could be used to mount an XSS attack.
MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and
Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley
campus) reported that the type attribute of an
SuSE: 2010-049: Mozilla Firefox Security Update
October 12, 2010
Mozilla Firefox was updated to version 3.6.10, fixing various bugs Mozilla Firefox was updated to version 3.6.10, fixing various bugs and security issues
Summary
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: MozillaFirefox,MozillaThunderbird,seamonkey
Announcement ID: SUSE-SA:2010:049
Date: Tue, 12 Oct 2010 13:00:00 +0000
Affected Products: openSUSE 11.1
openSUSE 11.2
openSUSE 11.3
SUSE Linux Enterprise Software Development Kit 11
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Software Development Kit 11 SP1
SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Server 11 SP1
Vulnerability Type: remote code execution
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
SUSE Default Package: yes
Cross-References: CVE-2010-2753, CVE-2010-2760, CVE-2010-2762
CVE-2010-2763, CVE-2010-2764, CVE-2010-2765
CVE-2010-2766, CVE-2010-2767, CVE-2010-2768
CVE-2010-2769, CVE-2010-2770, CVE-2010-3131
CVE-2010-3166, CVE-2010-3167, CVE-2010-3168
CVE-2010-3169, MFSA 2010-49, MFSA 2010-50
MFSA 2010-51, MFSA 2010-52, MFSA 2010-53
MFSA 2010-54, MFSA 2010-55, MFSA 2010-56
MFSA 2010-57, MFSA 2010-58, MFSA 2010-59
MFSA 2010-60, MFSA 2010-61, MFSA 2010-62
MFSA 2010-63
Content of This Advisory:
1) Security Vulnerability Resolved:
Mozilla Firefox security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Mozilla Firefox was updated to version 3.6.10, fixing various bugs
and security issues.
Mozilla Thunderbird was updated to version 3.0.8 on openSUSE, fixing
the same bugs.
Mozilla Seamonkey was updated to version 2.0.8 on openSUSE, fixing
the same bugs.
A Firefox update for SUSE Linux Enterprise 10 Service Pack 3 is still
being worked on and currently held back due to legal problems with
the Firefox 3.5 - 3.6 version upgrade and some browser components.
Following security issues were fixed:
MFSA 2010-49 / CVE-2010-3169: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these bugs showed evidence of
memory corruption under certain circumstances, and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code.
MFSA 2010-50 / CVE-2010-2765: Security researcher Chris Rohlf
of Matasano Security reported that the implementation of the HTML
frameset element contained an integer overflow vulnerability. The code
responsible for parsing the frameset columns used an 8-byte counter for
the column numbers, so when a very large number of columns was passed
in the counter would overflow. When this counter was subsequently
used to allocate memory for the frameset, the memory buffer would
be too small, potentially resulting in a heap buffer overflow and
execution of attacker-controlled memory.
MFSA 2010-51 / CVE-2010-2767: Security researcher Sergey Glazunov
reported a dangling pointer vulnerability in the implementation
of navigator.plugins in which the navigator object could retain a
pointer to the plugins array even after it had been destroyed. An
attacker could potentially use this issue to crash the browser and
run arbitrary code on a victim's computer.
MFSA 2010-52 / CVE-2010-3131: Security researcher Haifei Li of
FortiGuard Labs reported that Firefox could be used to load a malicious
code library that had been planted on a victim's computer. Firefox
attempts to load dwmapi.dll upon startup as part of its platform
detection, so on systems that don't have this library, such as Windows
XP, Firefox will subsequently attempt to load the library from the
current working directory. An attacker could use this vulnerability
to trick a user into downloading a HTML file and a malicious copy
of dwmapi.dll into the same directory on their computer and opening
the HTML file with Firefox, thus causing the malicious code to be
executed. If the attacker was on the same network as the victim,
the malicious DLL could also be loaded via a UNC path. The attack
also requires that Firefox not currently be running when it is asked
to open the HTML file and accompanying DLL.
As this is a Windows only problem, it does not affect the Linux
version. It is listed for completeness only.
MFSA 2010-53 / CVE-2010-3166: Security researcher wushi of team509
reported a heap buffer overflow in code routines responsible
for transforming text runs. A page could be constructed with a
bidirectional text run which upon reflow could result in an incorrect
length being calculated for the run of text. When this value is
subsequently used to allocate memory for the text too small a buffer
may be created potentially resulting in a buffer overflow and the
execution of attacker controlled memory.
MFSA 2010-54 / CVE-2010-2760: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that there was a remaining
dangling pointer issue leftover from the fix to CVE-2010-2753. Under
certain circumstances one of the pointers held by a XUL tree selection
could be freed and then later reused, potentially resulting in the
execution of attacker-controlled memory.
MFSA 2010-55 / CVE-2010-3168: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that XUL objects could be
manipulated such that the setting of certain properties on the object
would trigger the removal of the tree from the DOM and cause certain
sections of deleted memory to be accessed. In products based on Gecko
version 1.9.2 (Firefox 3.6, Thunderbird 3.1) and newer this memory has
been overwritten by a value that will cause an unexploitable crash. In
products based on Gecko version 1.9.1 (Firefox 3.5, Thunderbird 3.0,
and SeaMonkey 2.0) and older an attacker could potentially use this
vulnerability to crash a victim's browser and run arbitrary code on
their computer.
MFSA 2010-56 / CVE-2010-3167: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that the implementation of XUL
's content view contains a dangling pointer vulnerability. One
of the content view's methods for accessing the internal structure of
the tree could be manipulated into removing a node prior to accessing
it, resulting in the accessing of deleted memory. If an attacker can
control the contents of the deleted memory prior to its access they
could use this vulnerability to run arbitrary code on a victim's
machine.
MFSA 2010-57 / CVE-2010-2766: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative that code used to normalize
a document contained a logical flaw that could be leveraged to run
arbitrary code. When the normalization code ran, a static count of
the document's child nodes was used in the traversal, so a page could
be constructed that would remove DOM nodes during this normalization
which could lead to the accessing of a deleted object and potentially
the execution of attacker-controlled memory.
MFSA 2010-58 / CVE-2010-2770: Security researcher Marc Schoenefeld
reported that a specially crafted font could be applied to a document
and cause a crash on Mac systems. The crash showed signs of memory
corruption and presumably could be used by an attacker to execute
arbitrary code on a victim's computer.
This issue probably does not affect the Linux builds and so is listed
for completeness.
MFSA 2010-59 / CVE-2010-2762: Mozilla developer Blake Kaplan reported
that the wrapper class XPCSafeJSObjectWrapper (SJOW), a security
wrapper that allows content-defined objects to be safely accessed by
privileged code, creates scope chains ending in outer objects. Users of SJOWs which expect the scope chain to end on an inner object may
be handed a chrome privileged object which could be leveraged to run
arbitrary JavaScript with chrome privileges.
Michal Zalewski's recent contributions helped to identify this
architectural weakness.
MFSA 2010-60 / CVE-2010-2763: Mozilla security researcher moz_bug_r_a4
reported that the wrapper class XPCSafeJSObjectWrapper (SJOW) on
the Mozilla 1.9.1 development branch has a logical error in its
scripted function implementation that allows the caller to run the
function within the context of another site. This is a violation of
the same-origin policy and could be used to mount an XSS attack.
MFSA 2010-61 / CVE-2010-2768: Security researchers David Huang and
Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley
campus) reported that the type attribute of an
