MiracleLinux 3 : firefox-3.6.9-2.0.1.AXS3, nspr-4.8.6-1.AXS3, nss-3.12.7-2.AXS3, xulrunner-1.9.2.9-1.0.1.AXS3 (AXSA:2010-445:06)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2010-445:06.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(284240);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/14");

  script_cve_id(
    "CVE-2010-2760",
    "CVE-2010-2762",
    "CVE-2010-2764",
    "CVE-2010-2765",
    "CVE-2010-2766",
    "CVE-2010-2767",
    "CVE-2010-2768",
    "CVE-2010-2769",
    "CVE-2010-3166",
    "CVE-2010-3167",
    "CVE-2010-3168",
    "CVE-2010-3169"
  );

  script_name(english:"MiracleLinux 3 : firefox-3.6.9-2.0.1.AXS3, nspr-4.8.6-1.AXS3, nss-3.12.7-2.AXS3, xulrunner-1.9.2.9-1.0.1.AXS3 (AXSA:2010-445:06)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2010-445:06 advisory.

    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and
    portability.
    NSPR provides platform independence for non-GUI operating system facilities. These facilities include
    threads, thread synchronization, normal file and network I/O, interval timing and calendar time, basic
    memory management (malloc and free) and shared library linking.
    Network Security Services (NSS) is a set of libraries designed to support cross-platform development of
    security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3,
    TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
    XULRunner provides the XUL Runtime environment for Gecko applications.
    Security issues fixed with this release:
    CVE-2010-2760
    Use-after-free vulnerability in the nsTreeSelection function in Mozilla Firefox before 3.5.12 and 3.6.x
    before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow
    remote attackers to execute arbitrary code via vectors involving a XUL tree selection, related to a
    dangling pointer vulnerability. NOTE: this issue exists because of an incomplete fix for CVE-2010-2753.
    CVE-2010-2762
    The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox
    3.6.x before 3.6.9 and Thunderbird 3.1.x before 3.1.3 does not properly restrict objects at the end of
    scope chains, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges
    via vectors related to a chrome privileged object and a chain ending in an outer object.
    CVE-2010-2764
    Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and
    SeaMonkey before 2.0.7 do not properly restrict read access to the statusText property of XMLHttpRequest
    objects, which allows remote attackers to discover the existence of intranet web servers via cross-origin
    requests.
    CVE-2010-2765
    Integer overflow in the FRAMESET element implementation in Mozilla Firefox before 3.5.12 and 3.6.x before
    3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote
    attackers to execute arbitrary code via a large number of values in the cols (aka columns) attribute,
    leading to a heap-based buffer overflow.
    CVE-2010-2766
    The normalizeDocument function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before
    3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle the removal of DOM nodes
    during normalization, which might allow remote attackers to execute arbitrary code via vectors involving
    access to a deleted object.
    CVE-2010-2767
    The navigator.plugins implementation in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird
    before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle destruction of
    the DOM plugin array, which might allow remote attackers to cause a denial of service (application crash)
    or execute arbitrary code via crafted access to the navigator object, related to a dangling pointer
    vulnerability.
    CVE-2010-2768
    Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and
    SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a
    document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection
    mechanisms via UTF-7 encoding.
    CVE-2010-2769
    Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
    Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allows user-assisted remote
    attackers to inject arbitrary web script or HTML via a selection that is added to a document in which the
    designMode property is enabled.
    CVE-2010-3166
    Heap-based buffer overflow in the nsTextFrameUtils::TransformText function in Mozilla Firefox before
    3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7
    might allow remote attackers to execute arbitrary code via a bidirectional text run.
    CVE-2010-3167
    The nsTreeContentView function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before
    3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle node removal in XUL
    trees, which allows remote attackers to execute arbitrary code via vectors involving access to deleted
    memory, related to a dangling pointer vulnerability.
    CVE-2010-3168
    Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and
    SeaMonkey before 2.0.7 do not properly restrict the role of property changes in triggering XUL tree
    removal, which allows remote attackers to cause a denial of service (deleted memory access and application
    crash) or possibly execute arbitrary code by setting unspecified properties.
    CVE-2010-3169
    Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.12 and 3.6.x
    before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allow remote
    attackers to cause a denial of service (memory corruption and application crash) or possibly execute
    arbitrary code via unknown vectors.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/1608");
  script_set_attribute(attribute:"solution", value:
"Update the affected firefox and / or xulrunner packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3169");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2010-2768");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:xulrunner");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 3.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'firefox-3.6.9-2.0.1.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0', 'allowmaj':TRUE},
      {'reference':'xulrunner-1.9.2.9-1.0.1.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firefox / xulrunner');
}