SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:1351-1
Rating:             important
References:         #783533 
Cross-References:   CVE-2012-3977 CVE-2012-3982 CVE-2012-3983
                    CVE-2012-3984 CVE-2012-3985 CVE-2012-3986
                    CVE-2012-3987 CVE-2012-3988 CVE-2012-3989
                    CVE-2012-3990 CVE-2012-3991 CVE-2012-3992
                    CVE-2012-3993 CVE-2012-3994 CVE-2012-3995
                    CVE-2012-4179 CVE-2012-4180 CVE-2012-4181
                    CVE-2012-4182 CVE-2012-4183 CVE-2012-4184
                    CVE-2012-4185 CVE-2012-4186 CVE-2012-4187
                    CVE-2012-4188 CVE-2012-4192 CVE-2012-4193
                   
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 10 SP4
                    SUSE Linux Enterprise Desktop 11 SP2
                    SUSE Linux Enterprise Desktop 10 SP4
                    SLE SDK 10 SP4
______________________________________________________________________________

   An update that fixes 27 vulnerabilities is now available.
   It includes two new package versions.

Description:


   MozillaFirefox was updated to the 10.0.9ESR security
   release which fixes  bugs and security issues:

   *

   MFSA 2012-73 / CVE-2012-3977: Security researchers
   Thai Duong and Juliano Rizzo reported that SPDY's request
   header compression leads to information leakage, which can
   allow the extraction of private data such as session
   cookies, even over an encrypted SSL connection. (This does
   not affect Firefox 10 as it does not feature the SPDY
   extension. It was silently fixed for Firefox 15.)

   *

   MFSA 2012-74: Mozilla developers identified and fixed
   several memory safety bugs in the browser engine used in
   Firefox and other Mozilla-based products. Some of these
   bugs showed evidence of memory corruption under certain
   circumstances, and we presume that with enough effort at
   least some of these could be exploited to run arbitrary
   code.

   In general these flaws cannot be exploited through
   email in the Thunderbird and SeaMonkey products because
   scripting is disabled, but are potentially a risk in
   browser or browser-like contexts in those products.

   *

   CVE-2012-3983: Henrik Skupin, Jesse Ruderman and
   moz_bug_r_a4 reported memory safety problems and crashes
   that affect Firefox 15.

   *

   CVE-2012-3982: Christian Holler and Jesse Ruderman
   reported memory safety problems and crashes that affect
   Firefox ESR 10 and Firefox 15.

   *

   MFSA 2012-75 / CVE-2012-3984: Security researcher
   David Bloom of Cue discovered that "select" elements are
   always-on-top chromeless windows and that navigation away
   from a page with an active "select" menu does not remove
   this window.When another menu is opened programmatically on
   a new page, the original "select" menu can be retained and
   arbitrary HTML content within it rendered, allowing an
   attacker to cover arbitrary portions of the new page
   through absolute positioning/scrolling, leading to spoofing
   attacks. Security researcher Jordi Chancel found a
   variation that would allow for click-jacking attacks was
   well.

   In general these flaws cannot be exploited through
   email in the Thunderbird and SeaMonkey products because
   scripting is disabled, but are potentially a risk in
   browser or browser-like contexts in those products.
   References

   Navigation away from a page with an active "select"
   dropdown menu can be used for URL spoofing, other evil

   Firefox 10.0.1 : Navigation away from a page with
   multiple active "select" dropdown menu can be used for
   Spoofing And ClickJacking with XPI using window.open and
   geolocalisation

   *

   MFSA 2012-76 / CVE-2012-3985: Security researcher
   Collin Jackson reported a violation of the HTML5
   specifications for document.domain behavior. Specified
   behavior requires pages to only have access to windows in a
   new document.domain but the observed violation allowed
   pages to retain access to windows from the page's initial
   origin in addition to the new document.domain. This could
   potentially lead to cross-site scripting (XSS) attacks.

   *

   MFSA 2012-77 / CVE-2012-3986: Mozilla developer
   Johnny Stenback discovered that several methods of a
   feature used for testing (DOMWindowUtils) are not protected
   by existing security checks, allowing these methods to be
   called through script by web pages. This was addressed by
   adding the existing security checks to these methods.

   *

   MFSA 2012-78 / CVE-2012-3987: Security researcher
   Warren He reported that when a page is transitioned into
   Reader Mode in Firefox for Android, the resulting page has
   chrome privileges and its content is not thoroughly
   sanitized. A successful attack requires user enabling of
   reader mode for a malicious page, which could then perform
   an attack similar to cross-site scripting (XSS) to gain the
   privileges allowed to Firefox on an Android device. This
   has been fixed by changing the Reader Mode page into an
   unprivileged page.

   This vulnerability only affects Firefox for Android.

   *

   MFSA 2012-79 / CVE-2012-3988: Security researcher
   Soroush Dalili reported that a combination of invoking full
   screen mode and navigating backwards in history could, in
   some circumstances, cause a hang or crash due to a timing
   dependent use-after-free pointer reference. This crash may
   be potentially exploitable.

   *

   MFSA 2012-80 / CVE-2012-3989: Mozilla community
   member Ms2ger reported a crash due to an invalid cast when
   using the instanceof operator on certain types of
   JavaScript objects. This can lead to a potentially
   exploitable crash.

   *

   MFSA 2012-81 / CVE-2012-3991: Mozilla community
   member Alice White reported that when the GetProperty
   function is invoked through JSAPI, security checking can be
   bypassed when getting cross-origin properties. This
   potentially allowed for arbitrary code execution.

   *

   MFSA 2012-82 / CVE-2012-3994: Security researcher
   Mariusz Mlynski reported that the location property can be
   accessed by binary plugins through top.location and top can
   be shadowed by Object.defineProperty as well. This can
   allow for possible cross-site scripting (XSS) attacks
   through plugins.

   *

   MFSA 2012-83: Security researcher Mariusz Mlynski
   reported that when InstallTrigger fails, it throws an error
   wrapped in a Chrome Object Wrapper (COW) that fails to
   specify exposed properties. These can then be added to the
   resulting object by an attacker, allowing access to chrome
   privileged functions through script.

   While investigating this issue, Mozilla security
   researcher moz_bug_r_a4 found that COW did not disallow
   accessing of properties from a standard prototype in some
   situations, even when the original issue had been fixed.

   These issues could allow for a cross-site scripting
   (XSS) attack or arbitrary code execution.

   *

   CVE-2012-3993: XrayWrapper pollution via unsafe COW

   *

   CVE-2012-4184: ChromeObjectWrapper is not implemented
   as intended

   *

   MFSA 2012-84 / CVE-2012-3992: Security researcher
   Mariusz Mlynski reported an issue with spoofing of the
   location property. In this issue, writes to location.hash
   can be used in concert with scripted history navigation to
   cause a specific website to be loaded into the history
   object. The baseURI can then be changed to this stored
   site, allowing an attacker to inject a script or intercept
   posted data posted to a location specified with a relative
   path.

   *

   MFSA 2012-85: Security researcher Abhishek Arya
   (Inferno) of the Google Chrome Security Team discovered a
   series of use-after-free, buffer overflow, and out of
   bounds read issues using the Address Sanitizer tool in
   shipped software. These issues are potentially exploitable,
   allowing for remote code execution. We would also like to
   thank Abhishek for reporting two additional use-after-free
   flaws introduced during Firefox 16 development and fixed
   before general release.

   *

   CVE-2012-3995: Out of bounds read in
   IsCSSWordSpacingSpace

   *

   CVE-2012-4179: Heap-use-after-free in
   nsHTMLCSSUtils::CreateCSSPropertyTxn

   *

   CVE-2012-4180: Heap-buffer-overflow in
   nsHTMLEditor::IsPrevCharInNodeWhitespace

   *

   CVE-2012-4181: Heap-use-after-free in
   nsSMILAnimationController::DoSample

   *

   CVE-2012-4182: Heap-use-after-free in
   nsTextEditRules::WillInsert

   *

   CVE-2012-4183: Heap-use-after-free in
   DOMSVGTests::GetRequiredFeatures

   *

   MFSA 2012-86: Security researcher Atte Kettunen from
   OUSPG reported several heap memory corruption issues found
   using the Address Sanitizer tool. These issues are
   potentially exploitable, allowing for remote code execution.

   *

   CVE-2012-4185: Global-buffer-overflow in
   nsCharTraits::length

   *

   CVE-2012-4186: Heap-buffer-overflow in
   nsWaveReader::DecodeAudioData

   *

   CVE-2012-4187: Crash with ASSERTION: insPos too small

   *

   CVE-2012-4188: Heap-buffer-overflow in Convolve3x3

   *

   MFSA 2012-87 / CVE-2012-3990: Security researcher
   miaubiz used the Address Sanitizer tool to discover a
   use-after-free in the IME State Manager code. This could
   lead to a potentially exploitable crash.

   *

   MFSA 2012-89 / CVE-2012-4192 / CVE-2012-4193: Mozilla
   security researcher moz_bug_r_a4 reported a regression
   where security wrappers are unwrapped without doing a
   security check in defaultValue(). This can allow for
   improper access access to the Location object. In versions
   15 and earlier of affected products, there was also the
   potential for arbitrary code execution.

   Security Issue reference:

   * CVE-2012-3977
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3977
   >
   * CVE-2012-3982
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
   >
   * CVE-2012-3983
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3983
   >
   * CVE-2012-3984
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3984
   >
   * CVE-2012-3985
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3985
   >
   * CVE-2012-3986
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
   >
   * CVE-2012-3987
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3987
   >
   * CVE-2012-3988
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
   >
   * CVE-2012-3989
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3989
   >
   * CVE-2012-3990
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
   >
   * CVE-2012-3991
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
   >
   * CVE-2012-3992
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
   >
   * CVE-2012-3993
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
   >
   * CVE-2012-3994
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
   >
   * CVE-2012-3995
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
   >
   * CVE-2012-4179
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
   >
   * CVE-2012-4180
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
   >
   * CVE-2012-4181
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
   >
   * CVE-2012-4182
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
   >
   * CVE-2012-4183
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
   >
   * CVE-2012-4184
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
   >
   * CVE-2012-4185
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
   >
   * CVE-2012-4186
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
   >
   * CVE-2012-4187
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
   >
   * CVE-2012-4188
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
   >
   * CVE-2012-4192
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4192
   >
   * CVE-2012-4193
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4193
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-firefox-201210-6951

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-firefox-201210-6951

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-firefox-201210-6951

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version:
 10.0.9]:

      MozillaFirefox-10.0.9-0.3.1
      MozillaFirefox-translations-10.0.9-0.3.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New
 Version: 10.0.9]:

      MozillaFirefox-10.0.9-0.3.1
      MozillaFirefox-branding-SLED-7-0.6.7.85
      MozillaFirefox-translations-10.0.9-0.3.1

   - SUSE Linux Enterprise Server 10 SP4 (i586 ia64 ppc s390x) [New Version:
 7]:

      MozillaFirefox-10.0.9-0.5.1
      MozillaFirefox-branding-SLED-7-0.8.35
      MozillaFirefox-translations-10.0.9-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 10.0.9]:

      MozillaFirefox-10.0.9-0.3.1
      MozillaFirefox-branding-SLED-7-0.6.7.85
      MozillaFirefox-translations-10.0.9-0.3.1

   - SUSE Linux Enterprise Desktop 10 SP4 (i586) [New Version: 7]:

      MozillaFirefox-10.0.9-0.5.1
      MozillaFirefox-branding-SLED-7-0.8.35
      MozillaFirefox-translations-10.0.9-0.5.1

   - SLE SDK 10 SP4 (i586 ia64 ppc s390x):

      MozillaFirefox-branding-upstream-10.0.9-0.5.1


References:

   http://support.novell.com/security/cve/CVE-2012-3977.html
   http://support.novell.com/security/cve/CVE-2012-3982.html
   http://support.novell.com/security/cve/CVE-2012-3983.html
   http://support.novell.com/security/cve/CVE-2012-3984.html
   http://support.novell.com/security/cve/CVE-2012-3985.html
   http://support.novell.com/security/cve/CVE-2012-3986.html
   http://support.novell.com/security/cve/CVE-2012-3987.html
   http://support.novell.com/security/cve/CVE-2012-3988.html
   http://support.novell.com/security/cve/CVE-2012-3989.html
   http://support.novell.com/security/cve/CVE-2012-3990.html
   http://support.novell.com/security/cve/CVE-2012-3991.html
   http://support.novell.com/security/cve/CVE-2012-3992.html
   http://support.novell.com/security/cve/CVE-2012-3993.html
   http://support.novell.com/security/cve/CVE-2012-3994.html
   http://support.novell.com/security/cve/CVE-2012-3995.html
   http://support.novell.com/security/cve/CVE-2012-4179.html
   http://support.novell.com/security/cve/CVE-2012-4180.html
   http://support.novell.com/security/cve/CVE-2012-4181.html
   http://support.novell.com/security/cve/CVE-2012-4182.html
   http://support.novell.com/security/cve/CVE-2012-4183.html
   http://support.novell.com/security/cve/CVE-2012-4184.html
   http://support.novell.com/security/cve/CVE-2012-4185.html
   http://support.novell.com/security/cve/CVE-2012-4186.html
   http://support.novell.com/security/cve/CVE-2012-4187.html
   http://support.novell.com/security/cve/CVE-2012-4188.html
   http://support.novell.com/security/cve/CVE-2012-4192.html
   http://support.novell.com/security/cve/CVE-2012-4193.html
   https://bugzilla.novell.com/783533
   ?keywords=9df8424f201589e4fca1abdc2e0b1023
   ?keywords=b54051bb7b93d9b879c04f373ce0061d

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org