Jump to content
Compatible Support Forums
Sign in to follow this  

[security-announce] SUSE-SU-2012:0896-1: important: Security update for Mozilla Firefox

Recommended Posts

SUSE Security Update: Security update for Mozilla Firefox



Announcement ID: SUSE-SU-2012:0896-1

Rating: important

References: #771583

Cross-References: CVE-2012-1948 CVE-2012-1949 CVE-2012-1950

CVE-2012-1951 CVE-2012-1952 CVE-2012-1953

CVE-2012-1954 CVE-2012-1955 CVE-2012-1957

CVE-2012-1958 CVE-2012-1959 CVE-2012-1961

CVE-2012-1962 CVE-2012-1963 CVE-2012-1964

CVE-2012-1965 CVE-2012-1966 CVE-2012-1967


Affected Products:

SUSE Linux Enterprise Server 11 SP2

SUSE Linux Enterprise Server 11 SP1 for VMware

SUSE Linux Enterprise Server 11 SP1

SUSE Linux Enterprise Desktop 11 SP2

SUSE Linux Enterprise Desktop 11 SP1



An update that fixes 18 vulnerabilities is now available.

It includes two new package versions.





MozillaFirefox has been updated to the 10.0.6ESR security

release fixing various bugs and several security issues,

some critical.


The following security issues have been fixed:




MFSA 2012-42: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary





CVE-2012-1948: Benoit Jacob, Jesse Ruderman,

Christian Holler, and Bill McCloskey reported memory safety

problems and crashes that affect Firefox ESR 10 and Firefox





MFSA 2012-43 / CVE-2012-1950: Security researcher

Mario Gomes andresearch firm Code Audit Labs reported a

mechanism to short-circuit page loads through drag and drop

to the addressbar by canceling the page load. This causes

the address of the previously site entered to be displayed

in the addressbar instead of the currently loaded page.

This could lead to potential phishing attacks on users.




MFSA 2012-44 Google security researcher Abhishek Arya

used the Address Sanitizer tool to uncover four issues: two

use-after-free problems, one out of bounds read bug, and a

bad cast. The first use-afte.r-free problem is caused when

an array of nsSMILTimeValueSpec objects is destroyed but

attempts are made to call into objects in this array later.

The second use-after-free problem is in

nsDocument::AdoptNode when it adopts into an empty document

and then adopts into another document, emptying the first

one. The heap buffer overflow is in ElementAnimations when

data is read off of end of an array and then pointers are

dereferenced. The bad cast happens when

nsTableFrame::InsertFrames is called with frames in

aFrameList that are a mix of row group frames and column

group frames. AppendFrames is not able to handle this mix.


All four of these issues are potentially exploitable.


o CVE-2012-1951: Heap-use-after-free in

nsSMILTimeValueSpec::IsEventBased o CVE-2012-1954:

Heap-use-after-free in nsDocument::AdoptNode o

CVE-2012-1953: Out of bounds read in

ElementAnimations::EnsureStyleRuleFor o CVE-2012-1952: Bad

cast in nsTableFrame::InsertFrames



MFSA 2012-45 / CVE-2012-1955: Security researcher

Mariusz Mlynski reported an issue with spoofing of the

location property. In this issue, calls to history.forward

and history.back are used to navigate to a site while

displaying the previous site in the addressbar but changing

the baseURI to the newer site. This can be used for

phishing by allowing the user input form or other data on

the newer, attacking, site while appearing to be on the

older, displayed site.




MFSA 2012-46 / CVE-2012-1966: Mozilla security

researcher moz_bug_r_a4 reported a cross-site scripting

(XSS) attack through the context menu using a data: URL. In

this issue, context menu functionality ("View Image", "Show

only this frame", and "View background image") are

disallowed in a javascript: URL but allowed in a data: URL,

allowing for XSS. This can lead to arbitrary code execution.




MFSA 2012-47 / CVE-2012-1957: Security researcher

Mario Heiderich reported that javascript could be executed

in the HTML feed-view using tag within the RSS . This

problem is due to tags not being filtered out during

parsing and can lead to a potential cross-site scripting

(XSS) attack. The flaw existed in a parser utility class

and could affect other parts of the browser or add-ons

which rely on that class to sanitize untrusted input.




MFSA 2012-48 / CVE-2012-1958: Security researcher

Arthur Gerkis used the Address Sanitizer tool to find a

use-after-free in nsGlobalWindow::PageHidden when

mFocusedContent is released and oldFocusedContent is used

afterwards. This use-after-free could possibly allow for

remote code execution.




MFSA 2012-49 / CVE-2012-1959: Mozilla developer Bobby

Holley found that same-compartment security wrappers (SCSW)

can be bypassed by passing them to another compartment.

Cross-compartment wrappers often do not go through SCSW,

but have a filtering policy built into them. When an object

is wrapped cross-compartment, the SCSW is stripped off and,

when the object is read read back, it is not known that

SCSW was previously present, resulting in a bypassing of

SCSW. This could result in untrusted content having access

to the XBL that implements browser functionality.




MFSA 2012-50 / CVE-2012-1960: Google developer Tony

Payne reported an out of bounds (OOB) read in QCMS,

Mozilla's color management library. With a carefully

crafted color profile portions of a user's memory could be

incorporated into a transformed image and possibly





MFSA 2012-51 / CVE-2012-1961: Bugzilla developer

Frederic Buclin reported that the "X-Frame-Options header

is ignored when the value is duplicated, for example

X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication

occurs for unknown reasons on some websites and when it

occurs results in Mozilla browsers not being protected

against possible clickjacking attacks on those pages.




MFSA 2012-52 / CVE-2012-1962: Security researcher

Bill Keese reported a memory corruption. This is caused by

JSDependentString::undepend changing a dependent string

into a fixed string when there are additional dependent

strings relying on the same base. When the undepend occurs

during conversion, the base data is freed, leaving other

dependent strings with dangling pointers. This can lead to

a potentially exploitable crash.




MFSA 2012-53 / CVE-2012-1963: Security researcher

Karthikeyan Bhargavan of Prosecco at INRIA reported Content

Security Policy (CSP) 1.0 implementation errors. CSP

violation reports generated by Firefox and sent to the

"report-uri" location include sensitive data within the

"blocked-uri" parameter. These include fragment components

and query strings even if the "blocked-uri" parameter has a

different origin than the protected resource. This can be

used to retrieve a user's OAuth 2.0 access tokens and

OpenID credentials by malicious sites.




MFSA 2012-54 / CVE-2012-1964: Security Researcher

Matt McCutchen reported that a clickjacking attack using

the certificate warning page. A man-in-the-middle (MITM)

attacker can use an iframe to display its own certificate

error warning page (about:certerror) with the "Add

Exception" button of a real warning page from a malicious

site. This can mislead users to adding a certificate

exception for a different site than the perceived one. This

can lead to compromised communications with the user

perceived site through the MITM attack once the certificate

exception has been added.




MFSA 2012-55 / CVE-2012-1965: Security researchers

Mario Gomes and Soroush Dalili reported that since Mozilla

allows the pseudo-protocol feed: to prefix any valid URL,

it is possible to construct feed:javascript: URLs that will

execute scripts in some contexts. On some sites it may be

possible to use this to evade output filtering that would

otherwise strip javascript: URLs and thus contribute to

cross-site scripting (XSS) problems on these sites.




MFSA 2012-56 / CVE-2012-1967: Mozilla security

researcher moz_bug_r_a4 reported a arbitrary code execution

attack using a javascript: URL. The Gecko engine features a

JavaScript sandbox utility that allows the browser or

add-ons to safely execute script in the context of a web

page. In certain cases, javascript: URLs are executed in

such a sandbox with insufficient context that can allow

those scripts to escape from the sandbox and run with

elevated privilege. This can lead to arbitrary code



Security Issue references:


* CVE-2012-1967


* CVE-2012-1948


* CVE-2012-1949


* CVE-2012-1951


* CVE-2012-1952


* CVE-2012-1953


* CVE-2012-1954


* CVE-2012-1966


* CVE-2012-1958


* CVE-2012-1959


* CVE-2012-1962


* CVE-2012-1950


* CVE-2012-1955


* CVE-2012-1957


* CVE-2012-1961


* CVE-2012-1963


* CVE-2012-1964


* CVE-2012-1965




Patch Instructions:


To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:


- SUSE Linux Enterprise Server 11 SP2:


zypper in -t patch slessp1-firefox-201207-6574


- SUSE Linux Enterprise Server 11 SP1 for VMware:


zypper in -t patch slessp1-firefox-201207-6574


- SUSE Linux Enterprise Server 11 SP1:


zypper in -t patch slessp1-firefox-201207-6574


- SUSE Linux Enterprise Desktop 11 SP2:


zypper in -t patch sledsp1-firefox-201207-6574


- SUSE Linux Enterprise Desktop 11 SP1:


zypper in -t patch sledsp1-firefox-201207-6574


To bring your system up-to-date, use "zypper patch".



Package List:


- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.6 and 7]:






- SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 10.0.6]:





- SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 10.0.6 and 7]:






- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.6 and 7]:






- SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 10.0.6 and 7]:































To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org




Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this