MozillaFirefox has been updated to 10.0.5ESR fixing various bugs and security issues.
Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2012-34)
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
References
Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy reported memory safety problems and crashes that affect Firefox 12. (CVE-2012-1938)
Christian Holler reported a memory safety problem that affects Firefox ESR. (CVE-2012-1939)
Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman reported memory safety problems and crashes that affect Firefox ESR and Firefox 13. (CVE-2012-1937)
Ken Russell of Google reported a bug in NVIDIA graphics drivers that they needed to work around in the Chromium WebGL implementation. Mozilla has done the same in Firefox 13 and ESR 10.0.5. (CVE-2011-3101)
Security researcher James Forshaw of Context Information Security found two issues with the Mozilla updater and the Mozilla updater service introduced in Firefox 12 for Windows. The first issue allows Mozilla’s updater to load a local DLL file in a privileged context. The updater can be called by the Updater Service or independently on systems that do not use the service.
The second of these issues allows for the updater service to load an arbitrary local DLL file, which can then be run with the same system privileges used by the service. Both of these issues require local file system access to be exploitable. (MFSA 2012-35)
Possible Arbitrary Code Execution by Update Service (CVE-2012-1942) Updater.exe loads wsock32.dll from application directory. (CVE-2012-1943)
Security researcher Adam Barth found that inline event handlers, such as onclick, were no longer blocked by Content Security Policy’s (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected. (CVE-2012-1944). (MFSA 2012-36)
Security researcher Paul Stone reported an attack where an HTML page hosted on a Windows share and then loaded could then load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. That page could show the contents of these linked files or directories from the local file system in an iframe, causing information disclosure. (MFSA 2012-37)
This issue could potentially affect Linux machines with samba shares enabled. (CVE-2012-1945)
Security researcher Arthur Gerkis used the Address Sanitizer tool to find a use-after-free while replacing/inserting a node in a document. This use-after-free could possibly allow for remote code execution. (CVE-2012-1946). (MFSA 2012-38)
Security researcher Kaspar Brand found a flaw in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. Effects of this issue depend on the field. One known symptom is an unexploitable crash in handling OCSP responses. NSS also mishandles zero-length basic constraints, assuming default values for some types that should be rejected as malformed. These issues have been addressed in NSS 3.13.4, which is now being used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)
Security researcher Abhishek Arya of Google used the Address Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a use-after-free problem.
The first heap buffer overflow was found in conversion from unicode to native character sets when the function fails. The use-after-free occurs in nsFrameList when working with column layout with absolute positioning in a container that changes size. The second buffer overflow occurs in nsHTMLReflowState when a window is resized on a page with nested columns and a combination of absolute and relative positioning. All three of these issues are potentially exploitable. (MFSA 2012-40)
Heap-buffer-overflow in utf16_to_isolatin1 (CVE-2012-1947) Heap-use-after-free in nsFrameList::FirstChild. (CVE-2012-1940)
Heap-buffer-overflow in nsHTMLReflowState::CalculateHypotheticalBox, with nested multi-column, relative position, and absolute position.
(CVE-2012-1941)
More information on security issues can be found on:
http://www.mozilla.org/security/announce/
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#
if (NASL_LEVEL < 3000) exit(0);
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(59520);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_cve_id("CVE-2011-3101", "CVE-2012-0441", "CVE-2012-1937", "CVE-2012-1938", "CVE-2012-1939", "CVE-2012-1940", "CVE-2012-1941", "CVE-2012-1942", "CVE-2012-1943", "CVE-2012-1944", "CVE-2012-1945", "CVE-2012-1946", "CVE-2012-1947");
script_name(english:"SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8189)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote SuSE 10 host is missing a security-related patch."
);
script_set_attribute(
attribute:"description",
value:
"MozillaFirefox has been updated to 10.0.5ESR fixing various bugs and
security issues.
- Mozilla developers identified and fixed several memory
safety bugs in the browser engine used in Firefox and
other Mozilla-based products. Some of these bugs showed
evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code. (MFSA 2012-34)
In general these flaws cannot be exploited through email
in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.
References
Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian
Holler, Andrew McCreight, and Brian Bondy reported
memory safety problems and crashes that affect Firefox
12. (CVE-2012-1938)
Christian Holler reported a memory safety problem that
affects Firefox ESR. (CVE-2012-1939)
Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse
Ruderman reported memory safety problems and crashes
that affect Firefox ESR and Firefox 13. (CVE-2012-1937)
Ken Russell of Google reported a bug in NVIDIA graphics
drivers that they needed to work around in the Chromium
WebGL implementation. Mozilla has done the same in
Firefox 13 and ESR 10.0.5. (CVE-2011-3101)
- Security researcher James Forshaw of Context Information
Security found two issues with the Mozilla updater and
the Mozilla updater service introduced in Firefox 12 for
Windows. The first issue allows Mozilla's updater to
load a local DLL file in a privileged context. The
updater can be called by the Updater Service or
independently on systems that do not use the service.
The second of these issues allows for the updater
service to load an arbitrary local DLL file, which can
then be run with the same system privileges used by the
service. Both of these issues require local file system
access to be exploitable. (MFSA 2012-35)
Possible Arbitrary Code Execution by Update Service
(CVE-2012-1942) Updater.exe loads wsock32.dll from
application directory. (CVE-2012-1943)
- Security researcher Adam Barth found that inline event
handlers, such as onclick, were no longer blocked by
Content Security Policy's (CSP) inline-script blocking
feature. Web applications relying on this feature of CSP
to protect against cross-site scripting (XSS) were not
fully protected. (CVE-2012-1944). (MFSA 2012-36)
- Security researcher Paul Stone reported an attack where
an HTML page hosted on a Windows share and then loaded
could then load Windows shortcut files (.lnk) in the
same share. These shortcut files could then link to
arbitrary locations on the local file system of the
individual loading the HTML page. That page could show
the contents of these linked files or directories from
the local file system in an iframe, causing information
disclosure. (MFSA 2012-37)
This issue could potentially affect Linux machines with
samba shares enabled. (CVE-2012-1945)
- Security researcher Arthur Gerkis used the Address
Sanitizer tool to find a use-after-free while
replacing/inserting a node in a document. This
use-after-free could possibly allow for remote code
execution. (CVE-2012-1946). (MFSA 2012-38)
- Security researcher Kaspar Brand found a flaw in how the
Network Security Services (NSS) ASN.1 decoder handles
zero length items. Effects of this issue depend on the
field. One known symptom is an unexploitable crash in
handling OCSP responses. NSS also mishandles zero-length
basic constraints, assuming default values for some
types that should be rejected as malformed. These issues
have been addressed in NSS 3.13.4, which is now being
used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)
- Security researcher Abhishek Arya of Google used the
Address Sanitizer tool to uncover several issues: two
heap buffer overflow bugs and a use-after-free problem.
The first heap buffer overflow was found in conversion
from unicode to native character sets when the function
fails. The use-after-free occurs in nsFrameList when
working with column layout with absolute positioning in
a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is
resized on a page with nested columns and a combination
of absolute and relative positioning. All three of these
issues are potentially exploitable. (MFSA 2012-40)
Heap-buffer-overflow in utf16_to_isolatin1
(CVE-2012-1947) Heap-use-after-free in
nsFrameList::FirstChild. (CVE-2012-1940)
Heap-buffer-overflow in
nsHTMLReflowState::CalculateHypotheticalBox, with nested
multi-column, relative position, and absolute position.
(CVE-2012-1941)
More information on security issues can be found on:
http://www.mozilla.org/security/announce/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-34/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-35.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-35/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-36/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-37/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-38/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-39.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-39/"
);
# http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2012-40/"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2011-3101.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-0441.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1937.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1938.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1939.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1940.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1941.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1942.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1943.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1944.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1945.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1946.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2012-1947.html"
);
script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 8189.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/15");
script_set_attribute(attribute:"patch_publication_date", value:"2012/06/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
flag = 0;
if (rpm_check(release:"SLED10", sp:4, reference:"MozillaFirefox-10.0.5-0.8.4")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"MozillaFirefox-translations-10.0.5-0.8.4")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nspr-4.9.1-0.8.1")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nspr-devel-4.9.1-0.8.1")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nss-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nss-devel-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"mozilla-nss-tools-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"mozilla-nspr-32bit-4.9.1-0.8.1")) flag++;
if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"mozilla-nss-32bit-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"MozillaFirefox-10.0.5-0.8.4")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"MozillaFirefox-translations-10.0.5-0.8.4")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nspr-4.9.1-0.8.1")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nspr-devel-4.9.1-0.8.1")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nss-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nss-devel-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLES10", sp:4, reference:"mozilla-nss-tools-3.13.5-0.7.2")) flag++;
if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"mozilla-nspr-32bit-4.9.1-0.8.1")) flag++;
if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"mozilla-nss-32bit-3.13.5-0.7.2")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else exit(0, "The host is not affected.");
Vendor | Product | Version | CPE |
---|---|---|---|
suse | suse_linux | cpe:/o:suse:suse_linux |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3101
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0441
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1937
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1938
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1940
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1941
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1942
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1943
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1944
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1945
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1946
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1947
support.novell.com/security/cve/CVE-2011-3101.html
support.novell.com/security/cve/CVE-2012-0441.html
support.novell.com/security/cve/CVE-2012-1937.html
support.novell.com/security/cve/CVE-2012-1938.html
support.novell.com/security/cve/CVE-2012-1939.html
support.novell.com/security/cve/CVE-2012-1940.html
support.novell.com/security/cve/CVE-2012-1941.html
support.novell.com/security/cve/CVE-2012-1942.html
support.novell.com/security/cve/CVE-2012-1943.html
support.novell.com/security/cve/CVE-2012-1944.html
support.novell.com/security/cve/CVE-2012-1945.html
support.novell.com/security/cve/CVE-2012-1946.html
support.novell.com/security/cve/CVE-2012-1947.html
www.mozilla.org/en-US/security/advisories/mfsa2012-34/
www.mozilla.org/en-US/security/advisories/mfsa2012-35/
www.mozilla.org/en-US/security/advisories/mfsa2012-36/
www.mozilla.org/en-US/security/advisories/mfsa2012-37/
www.mozilla.org/en-US/security/advisories/mfsa2012-38/
www.mozilla.org/en-US/security/advisories/mfsa2012-39/
www.mozilla.org/en-US/security/advisories/mfsa2012-40/