[security-announce] SUSE-SU-2013:1152-1: important: Security update for Mozilla Firefox

[news 28]

SUSE Security Update: Security update for Mozilla Firefox

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2013:1152-1

Rating: important

References: #792432 #813026 #819204 #825935

Cross-References: CVE-2013-1682 CVE-2013-1684 CVE-2013-1685

CVE-2013-1686 CVE-2013-1687 CVE-2013-1690

CVE-2013-1692 CVE-2013-1693 CVE-2013-1697

 

Affected Products:

SUSE Linux Enterprise Software Development Kit 11 SP3

SUSE Linux Enterprise Server 11 SP3 for VMware

SUSE Linux Enterprise Server 11 SP3

SUSE Linux Enterprise Desktop 11 SP3

______________________________________________________________________________

 

An update that fixes 9 vulnerabilities is now available. It

includes one version update.

 

Description:

 

 

Mozilla Firefox has been updated to the 17.0.7 ESR version,

which fixes bugs and security fixes.

 

*

 

MFSA 2013-49: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary

code.

 

Gary Kwong, Jesse Ruderman, and Andrew McCreight

reported memory safety problems and crashes that affect

Firefox ESR 17, and Firefox 21. (CVE-2013-1682)

 

*

 

MFSA 2013-50: Security researcher Abhishek Arya

(Inferno) of the Google Chrome Security Team used the

Address Sanitizer tool to discover a series of

use-after-free problems rated critical as security issues

in shipped software. Some of these issues are potentially

exploitable, allowing for remote code execution. We would

also like to thank Abhishek for reporting additional

use-after-free and buffer overflow flaws in code introduced

during Firefox development. These were fixed before general

release.

 

o Heap-use-after-free in

mozilla::dom::HTMLMediaElement::LookupMediaElementURITable

(CVE-2013-1684) o Heap-use-after-free in

nsIDocument::GetRootElement (CVE-2013-1685) o

Heap-use-after-free in mozilla::ResetDir (CVE-2013-1686)

*

 

MFSA 2013-51 / CVE-2013-1687: Security researcher

Mariusz Mlynski reported that it is possible to compile a

user-defined function in the XBL scope of a specific

element and then trigger an event within this scope to run

code. In some circumstances, when this code is run, it can

access content protected by System Only Wrappers (SOW) and

chrome-privileged pages. This could potentially lead to

arbitrary code execution. Additionally, Chrome Object

Wrappers (COW) can be bypassed by web content to access

privileged methods, leading to a cross-site scripting (XSS)

attack from privileged pages.

 

*

 

MFSA 2013-53 / CVE-2013-1690: Security researcher

Nils reported that specially crafted web content using the

onreadystatechange event and reloading of pages could

sometimes cause a crash when unmapped memory is executed.

This crash is potentially exploitable.

 

*

 

MFSA 2013-54 / CVE-2013-1692: Security researcher

Johnathan Kuskos reported that Firefox is sending data in

the body of XMLHttpRequest (XHR) HEAD requests, which goes

agains the XHR specification. This can potentially be used

for Cross-Site Request Forgery (CSRF) attacks against sites

which do not distinguish between HEAD and POST requests.

 

*

 

MFSA 2013-55 / CVE-2013-1693: Security researcher

Paul Stone of Context Information Security discovered that

timing differences in the processing of SVG format images

with filters could allow for pixel values to be read. This

could potentially allow for text values to be read across

domains, leading to information disclosure.

 

*

 

MFSA 2013-59 / CVE-2013-1697: Mozilla security

researcher moz_bug_r_a4 reported that XrayWrappers can be

bypassed to call content-defined toString and valueOf

methods through DefaultValue. This can lead to unexpected

behavior when privileged code acts on the incorrect values.

 

*

 

MFSA 2013-30: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary

code.

 

Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian

Holler, Milan Sreckovic, and Joe Drew reported memory

safety problems and crashes that affect Firefox ESR 17, and

Firefox 19. (CVE-2013-0788)

 

*

 

MFSA 2013-31 / CVE-2013-0800: Security researcher

Abhishek Arya (Inferno) of the Google Chrome Security Team

used the Address Sanitizer tool to discover an

out-of-bounds write in Cairo graphics library. When certain

values are passed to it during rendering, Cairo attempts to

use negative boundaries or sizes for boxes, leading to a

potentially exploitable crash in some instances.

 

*

 

MFSA 2013-32 / CVE-2013-0799: Security researcher

Frederic Hoguin discovered that the Mozilla Maintenance

Service on Windows was vulnerable to a buffer overflow.

This system is used to update software without invoking the

User Account Control (UAC) prompt. The Mozilla Maintenance

Service is configured to allow unprivileged users to start

it with arbitrary arguments. By manipulating the data

passed in these arguments, an attacker can execute

arbitrary code with the system privileges used by the

service. This issue requires local file system access to be

exploitable.

 

*

 

MFSA 2013-34 / CVE-2013-0797: Security researcher Ash

reported an issue with the Mozilla Updater. The Mozilla

Updater can be made to load a malicious local DLL file in a

privileged context through either the Mozilla Maintenance

Service or independently on systems that do not use the

service. This occurs when the DLL file is placed in a

specific location on the local system before the Mozilla

Updater is run. Local file system access is necessary in

order for this issue to be exploitable.

 

*

 

MFSA 2013-35 / CVE-2013-0796: Security researcher

miaubiz used the Address Sanitizer tool to discover a crash

in WebGL rendering when memory is freed that has not

previously been allocated. This issue only affects Linux

users who have Intel Mesa graphics drivers. The resulting

crash could be potentially exploitable.

 

*

 

MFSA 2013-36 / CVE-2013-0795: Security researcher

Cody Crews reported a mechanism to use the cloneNode method

to bypass System Only Wrappers (SOW) and clone a protected

node. This allows violation of the browser's same origin

policy and could also lead to privilege escalation and the

execution of arbitrary code.

 

*

 

MFSA 2013-37 / CVE-2013-0794: Security researcher

shutdown reported a method for removing the origin

indication on tab-modal dialog boxes in combination with

browser navigation. This could allow an attacker's dialog

to overlay a page and show another site's content. This can

be used for phishing by allowing users to enter data into a

modal prompt dialog on an attacking, site while appearing

to be from the displayed site.

 

*

 

MFSA 2013-38 / CVE-2013-0793: Security researcher

Mariusz Mlynski reported a method to use browser

navigations through history to load an arbitrary website

with that page's baseURI property pointing to another site

instead of the seemingly loaded one. The user will continue

to see the incorrect site in the addressbar of the browser.

This allows for a cross-site scripting (XSS) attack or the

theft of data through a phishing attack.

 

*

 

MFSA 2013-39 / CVE-2013-0792: Mozilla community

member Tobias Schula reported that if

gfx.color_management.enablev4 preference is enabled

manually in about:config, some grayscale PNG images will be

rendered incorrectly and cause memory corruption during PNG

decoding when certain color profiles are in use. A crafted

PNG image could use this flaw to leak data through rendered

images drawing from random memory. By default, this

preference is not enabled.

 

*

 

MFSA 2013-40 / CVE-2013-0791: Mozilla community

member Ambroz Bizjak reported an out-of-bounds array read

in the CERT_DecodeCertPackage function of the Network

Security Services (NSS) libary when decoding a certificate.

When this occurs, it will lead to memory corruption and a

non-exploitable crash.

 

*

 

MFSA 2013-41: Mozilla developers identified and fixed

several memory safety bugs in the browser engine used in

Firefox and other Mozilla-based products. Some of these

bugs showed evidence of memory corruption under certain

circumstances, and we presume that with enough effort at

least some of these could be exploited to run arbitrary

code.

 

References

 

o Christoph Diehl, Christian Holler, Jesse

Ruderman, Timothy Nikkel, and Jeff Walden reported memory

safety problems and crashes that affect Firefox ESR 17, and

Firefox 20. o Bob Clary, Ben Turner, Benoit Jacob, Bobby

Holley, Christoph Diehl, Christian Holler, Andrew

McCreight, Gary Kwong, Jason Orendorff, Jesse Ruderman,

Matt Wobensmith, and Mats Palmgren reported memory safety

problems and crashes that affect Firefox 20.

*

 

MFSA 2013-42 / CVE-2013-1670: Security researcher

Cody Crews reported a method to call a content level

constructor that allows for this constructor to have chrome

privileged accesss. This affects chrome object wrappers

(COW) and allows for write actions on objects when only

read actions should be allowed. This can lead to cross-site

scripting (XSS) attacks.

 

*

 

MFSA 2013-43 / CVE-2013-1671: Mozilla security

researcher moz_bug_r_a4 reported a mechanism to exploit the

control when set to the file type in order to get the full

path. This can lead to information leakage and could be

combined with other exploits to target attacks on the local

file system.

 

*

 

MFSA 2013-44 / CVE-2013-1672: Security researcher Seb

Patane reported an issue with the Mozilla Maintenance

Service on Windows. This issue allows unprivileged users to

local privilege escalation through the system privileges

used by the service when interacting with local malicious

software. This allows the user to bypass integrity checks

leading to local privilege escalation. Local file system

access is necessary in order for this issue to be

exploitable and it cannot be triggered through web content.

 

*

 

MFSA 2013-45: Security researcher Robert Kugler

discovered that in some instances the Mozilla Maintenance

Service on Windows will be vulnerable to some previously

fixed privilege escalation attacks that allowed for local

privilege escalation. This was caused by the Mozilla

Updater not up[censored] Windows Registry entries for the

Mozilla Maintenance Service, which fixed the earlier issues

present if Firefox 12 had been installed. New installations

of Firefox after version 12 are not affected by this issue.

Local file system access is necessary in order for this

issue to be exploitable and it cannot be triggered through

web content. References: - old MozillaMaintenance Service

registry entry not updated leading to Trusted Path

Privilege Escalation (CVE-2013-1673) - Possible Arbitrary

Code Execution by Update Service (CVE-2012-1942)

 

*

 

MFSA 2013-46 / CVE-2013-1674: Security researcher

Nils reported a use-after-free when resizing video while

playing. This could allow for arbitrary code execution.

 

*

 

MFSA 2013-47 / CVE-2013-1675: Mozilla community

member Ms2ger discovered that some DOMSVGZoomEvent

functions are used without being properly initialized,

causing uninitialized memory to be used when they are

called by web content. This could lead to a information

leakage to sites depending on the contents of this

uninitialized memory.

 

*

 

MFSA 2013-48: Security researcher Abhishek Arya

(Inferno) of the Google Chrome Security Team used the

Address Sanitizer tool to discover a series of

use-after-free, out of bounds read, and invalid write

problems rated as moderate to critical as security issues

in shipped software. Some of these issues are potentially

exploitable, allowing for remote code execution. We would

also like to thank Abhishek for reporting additional

use-after-free flaws in dir=auto code introduced during

Firefox development. These were fixed before general

release.

 

References

 

o Out of Bounds Read in

SelectionIterator::GetNextSegment (CVE-2013-1676) o

Out-of-bound read in gfxSkipCharsIterator::SetOffsets

(CVE-2013-1677)) o Invalid write in

_cairo_xlib_surface_add_glyph (CVE-2013-1678) o

Heap-use-after-free in

mozilla::plugins::child::_geturlnotify (CVE-2013-1679) o

Heap-use-after-free in nsFrameList::FirstChild

(CVE-2013-1680) o Heap-use-after-free in

nsContentUtils::RemoveScriptBlocker (CVE-2013-1681)

*

 

CVE-2012-1942

 

 

* CVE-2013-0788

 

* CVE-2013-0791

 

* CVE-2013-0792

 

* CVE-2013-0793

 

* CVE-2013-0794

 

* CVE-2013-0795

 

* CVE-2013-0796

 

* CVE-2013-0797

 

* CVE-2013-0798

 

* CVE-2013-0799

 

* CVE-2013-0800

 

* CVE-2013-0801

 

* CVE-2013-1669

 

* CVE-2013-1670

 

* CVE-2013-1671

 

* CVE-2013-1672

 

* CVE-2013-1673

 

* CVE-2013-1674

 

* CVE-2013-1675

 

* CVE-2013-1676

 

* CVE-2013-1677

 

* CVE-2013-1678

 

* CVE-2013-1679

 

* CVE-2013-1680

 

* CVE-2013-1681

 

* CVE-2013-1682

 

* CVE-2013-1684

 

* CVE-2013-1685

 

* CVE-2013-1686

 

* CVE-2013-1687

 

* CVE-2013-1690

 

* CVE-2013-1692

 

* CVE-2013-1693

 

* CVE-2013-1697

 

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Software Development Kit 11 SP3:

 

zypper in -t patch sdksp3-firefox-20130628-8001

 

- SUSE Linux Enterprise Server 11 SP3 for VMware:

 

zypper in -t patch slessp3-firefox-20130628-8001

 

- SUSE Linux Enterprise Server 11 SP3:

 

zypper in -t patch slessp3-firefox-20130628-8001

 

- SUSE Linux Enterprise Desktop 11 SP3:

 

zypper in -t patch sledsp3-firefox-20130628-8001

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

 

MozillaFirefox-devel-17.0.7esr-0.8.1

 

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 17.0.7esr]:

 

MozillaFirefox-17.0.7esr-0.8.1

MozillaFirefox-translations-17.0.7esr-0.8.1

 

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 17.0.7esr]:

 

MozillaFirefox-17.0.7esr-0.8.1

MozillaFirefox-branding-SLED-7-0.12.1

MozillaFirefox-translations-17.0.7esr-0.8.1

 

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 17.0.7esr]:

 

MozillaFirefox-17.0.7esr-0.8.1

MozillaFirefox-branding-SLED-7-0.12.1

MozillaFirefox-translations-17.0.7esr-0.8.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2013-1682.html

http://support.novell.com/security/cve/CVE-2013-1684.html

http://support.novell.com/security/cve/CVE-2013-1685.html

http://support.novell.com/security/cve/CVE-2013-1686.html

http://support.novell.com/security/cve/CVE-2013-1687.html

http://support.novell.com/security/cve/CVE-2013-1690.html

http://support.novell.com/security/cve/CVE-2013-1692.html

http://support.novell.com/security/cve/CVE-2013-1693.html

http://support.novell.com/security/cve/CVE-2013-1697.html

https://bugzilla.novell.com/792432

https://bugzilla.novell.com/813026

https://bugzilla.novell.com/819204

https://bugzilla.novell.com/825935

http://download.novell.com/patch/finder/?keywords=2c55ef365e2022c62abed41b2a31ed0f

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org