SUSE-SU-2012:0746-1
Security update for Mozilla Firefox (important)

Published: 2012-06-15 22:08:23
Source: lists.opensuse.org

EPSS score: 0.14 (Low), percentile 95.1%

MozillaFirefox has been updated to 10.0.5 ESR, fixing various
bugs and security issues.

MFSA 2012-34 Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.
References

Jesse Ruderman, Igor Bukanov, Bill McCloskey,
Christian Holler, Andrew McCreight, and Brian Bondy
reported memory safety problems and crashes that affect
Firefox 12. (CVE-2012-1938)

Christian Holler reported a memory safety problem
that affects Firefox ESR. (CVE-2012-1939)

Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse
Ruderman reported memory safety problems and crashes that
affect Firefox ESR and Firefox 13. (CVE-2012-1937)

Ken Russell of Google reported a bug in NVIDIA
graphics drivers that they needed to work around in the
Chromium WebGL implementation. Mozilla has done the same in
Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

MFSA 2012-35 Security researcher James Forshaw of
Context Information Security found two issues with the
Mozilla updater and the Mozilla updater service introduced
in Firefox 12 for Windows. The first issue allows Mozilla’s
updater to load a local DLL file in a privileged context.
The updater can be called by the Updater Service or
independently on systems that do not use the service. The
second of these issues allows for the updater service to
load an arbitrary local DLL file, which can then be run
with the same system privileges used by the service. Both
of these issues require local file system access to be
exploitable.

Possible Arbitrary Code Execution by Update Service
(CVE-2012-1942)

Updater.exe loads wsock32.dll from application directory
(CVE-2012-1943)
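The second issue above is a DLL search-order hijack: a binary that loads wsock32.dll by bare name gets whichever copy sits first in the search order, and the application directory is searched before System32. The following added example (not Mozilla or SUSE code) simulates the default Windows search order to show why a DLL planted next to updater.exe wins, and wraps that in a small audit that lists imports which resolve to the application directory but were not shipped there. The directory contents, the KnownDLLs set and the shipped-file list are constructed for the demo; the real KnownDLLs list lives in the registry and is not reproduced here.

```python
"""Simulate the default Windows DLL search order and audit an application
directory for planted DLLs.

Added example, not Mozilla code. Filesystem contents, KNOWN_DLLS and
SHIPPED are constructed assumptions; the real KnownDLLs list is under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs.
"""
from typing import Dict, Iterable, List, Optional, Set


def search_order(app_dir: str, system_dirs: List[str], cwd: str,
                 path_dirs: List[str]) -> List[str]:
    """Default order (SafeDllSearchMode on) for LoadLibrary("name.dll") with
    no path: application directory, system directories, current directory,
    then PATH."""
    return [app_dir] + system_dirs + [cwd] + path_dirs


def resolve_dll(name: str, order: List[str], fs: Dict[str, Set[str]],
                known_dlls: Set[str]) -> Optional[str]:
    """Return the directory whose copy of `name` would be loaded.

    KnownDLLs are always taken from System32 regardless of search order;
    anything else comes from the first directory in `order` that holds a
    file of that name, or None if no directory does.
    """
    name = name.lower()
    if name in known_dlls:
        return r"C:\Windows\System32"
    for directory in order:
        if name in fs.get(directory, set()):
            return directory
    return None


def planted_dlls(app_dir: str, imports: Iterable[str], fs: Dict[str, Set[str]],
                 known_dlls: Set[str], ship_list: Set[str]) -> List[str]:
    """Imports that resolve to the application directory although the vendor
    did not ship a file of that name there: candidates for a planted DLL."""
    order = search_order(app_dir, [r"C:\Windows\System32"], r"C:\Temp", [])
    return sorted(
        dll for dll in imports
        if resolve_dll(dll, order, fs, known_dlls) == app_dir
        and dll.lower() not in ship_list
    )


# Constructed filesystem: an updater directory into which a local user has
# dropped a wsock32.dll next to updater.exe.
APP_DIR = r"C:\Program Files\Mozilla Firefox"
FS = {
    APP_DIR: {"updater.exe", "wsock32.dll", "mozglue.dll"},
    r"C:\Windows\System32": {"wsock32.dll", "kernel32.dll", "ws2_32.dll"},
}
KNOWN_DLLS = {"kernel32.dll"}   # assumption for the demo, not the real list
SHIPPED = {"mozglue.dll"}       # assumption: what the installer placed here

if __name__ == "__main__":
    order = search_order(APP_DIR, [r"C:\Windows\System32"], r"C:\Temp", [])
    print(resolve_dll("wsock32.dll", order, FS, KNOWN_DLLS))   # app dir wins
    print(resolve_dll("kernel32.dll", order, FS, KNOWN_DLLS))  # KnownDLL: System32
    print(planted_dlls(APP_DIR, ["wsock32.dll", "kernel32.dll", "mozglue.dll"],
                       FS, KNOWN_DLLS, SHIPPED))
```

The practical checks this points at are that the updater's directory must not be writable by unprivileged users (the advisory notes both issues need local file system access) and that a privileged component should load system DLLs by full path rather than bare name.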

MFSA 2012-36 Security researcher Adam Barth found
that inline event handlers, such as onclick, were no longer
blocked by Content Security Policy’s (CSP) inline-script
blocking feature. Web applications relying on this feature
of CSP to protect against cross-site scripting (XSS) were
not fully protected. (CVE-2012-1944)
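Under CSP, an inline event handler attribute is inline script just as much as a `<script>` body is, so a policy without `'unsafe-inline'` must block both; the bug above was that Firefox enforced only the first. The following added example (not Mozilla code) is a small evaluator of the CSP 1.0 rules for that case: it parses a policy header, decides whether inline script is permitted, and reports both vectors for a constructed page. Nonces and hashes from later CSP levels are deliberately not modelled. The header strings and sample HTML are constructed for the example.

```python
"""Minimal CSP 1.0 evaluator for the inline-script case.

Added example, not Mozilla code. Both inline <script> bodies and on*=
event handler attributes are "inline script": with a script-src (or
fallback default-src) directive present and no 'unsafe-inline', a
conforming browser blocks both.
"""
import re
from typing import Dict, List

INLINE_HANDLER_RE = re.compile(r'\son[a-z]+\s*=', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>', re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name src' into a directive -> source-list map."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(';'):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_script_allowed(policy: Dict[str, List[str]]) -> bool:
    """script-src governs inline script; default-src applies when it is absent.
    With neither directive present, script is unrestricted."""
    sources = policy.get('script-src', policy.get('default-src'))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def audit_html(header: str, html: str) -> Dict[str, str]:
    """Report, for each inline-script vector found in `html`, whether the
    policy blocks it. A browser that blocks <script> bodies but still runs
    on*= handlers leaves the second entry exploitable despite 'blocked'."""
    verdict = 'allowed' if inline_script_allowed(parse_csp(header)) else 'blocked'
    report: Dict[str, str] = {}
    if INLINE_SCRIPT_RE.search(html):
        report['inline_script_element'] = verdict
    if INLINE_HANDLER_RE.search(html):
        report['inline_event_handler'] = verdict
    return report


# Constructed sample page carrying both inline vectors an XSS payload uses.
SAMPLE_HTML = """
<html><body>
<img src="x" onerror="alert(1)">
<script>alert(2)</script>
<script src="/static/app.js"></script>
</body></html>
"""

if __name__ == '__main__':
    strict = "default-src 'self'; script-src 'self'"
    loose = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    print(audit_html(strict, SAMPLE_HTML))
    print(audit_html(loose, SAMPLE_HTML))
```

A browser-side regression test for this bug is the same page served with the strict header: if `alert(1)` from the `onerror` attribute fires while the `<script>` body is blocked, the event-handler path is not being enforced.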

MFSA 2012-37 Security researcher Paul Stone reported
an attack where an HTML page hosted on a Windows share could,
once loaded, load Windows shortcut files (.lnk) from the
same share. These shortcut files could link to arbitrary
locations on the local file system of the individual loading
the HTML page, and the page could then display the contents
of the linked files or directories in an iframe, causing
information disclosure.

This issue could potentially affect Linux machines
with samba shares enabled. (CVE-2012-1945)

MFSA 2012-38 Security researcher Arthur Gerkis used
the Address Sanitizer tool to find a use-after-free while
replacing/inserting a node in a document. This
use-after-free could possibly allow for remote code
execution. (CVE-2012-1946)

MFSA 2012-39 Security researcher Kaspar Brand found a
flaw in how the Network Security Services (NSS) ASN.1
decoder handles zero length items. Effects of this issue
depend on the field. One known symptom is an unexploitable
crash in handling OCSP responses. NSS also mishandles
zero-length basic constraints, assuming default values for
some types that should be rejected as malformed. These
issues have been addressed in NSS 3.13.4, which is now
being used by Mozilla. (CVE-2012-0441)
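The fix described above comes down to a decoder refusing to treat an empty primitive as a default value: in DER a BOOLEAN has exactly one content byte, an INTEGER at least one, and a zero-length encoding of either is malformed rather than "FALSE" or "0". The following added example (not NSS code) is a strict TLV reader plus a BasicConstraints decoder built on it, run against constructed byte strings including the zero-length cases. The test vectors are constructed for the example and are not taken from the advisory.

```python
"""Strict DER TLV parser that rejects zero-length primitives.

Added example, not NSS code. Models the check MFSA 2012-39 concerns: a
decoder that accepts a zero-length BOOLEAN or INTEGER and substitutes a
default can be fed a malformed field that it then treats as valid.
"""
from typing import Tuple

TAG_BOOLEAN, TAG_INTEGER, TAG_NULL, TAG_SEQUENCE = 0x01, 0x02, 0x05, 0x30

# Minimum content lengths DER requires; NULL is the only primitive here
# that is legitimately empty.
MIN_LEN = {TAG_BOOLEAN: 1, TAG_INTEGER: 1, TAG_NULL: 0}


class DerError(ValueError):
    pass


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the element at buf[pos:]."""
    if pos >= len(buf):
        raise DerError("truncated: no tag")
    tag = buf[pos]
    pos += 1
    if pos >= len(buf):
        raise DerError("truncated: no length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise DerError("indefinite or oversized length not allowed in DER")
        if pos + nbytes > len(buf):
            raise DerError("truncated: length bytes")
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
        if length < 0x80:
            raise DerError("non-minimal length encoding")
    if pos + length > len(buf):
        raise DerError("truncated: contents")
    if tag in MIN_LEN and length < MIN_LEN[tag]:
        raise DerError(f"tag 0x{tag:02x}: zero-length value is malformed")
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(buf: bytes) -> Tuple[bool, int]:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } strictly.
    Returns (ca, path_len), with path_len = -1 when absent."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise DerError("expected a single SEQUENCE")
    ca, path_len, pos = False, -1, 0
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        _, val, pos = read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise DerError("BOOLEAN must be 0x00 or 0xFF in DER")
        ca = val == b"\xff"
        if not ca:
            # DER forbids encoding a DEFAULT value explicitly.
            raise DerError("cA FALSE must be omitted, not encoded")
    if pos < len(body) and body[pos] == TAG_INTEGER:
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, 'big')
    if pos != len(body):
        raise DerError("trailing bytes in BasicConstraints")
    return ca, path_len


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_basic_constraints(buf)
        return True
    except DerError:
        return False


# Constructed test vectors.
GOOD_CA = bytes.fromhex("30060101ff020100")     # cA TRUE, pathLen 0
GOOD_EE = bytes.fromhex("3000")                 # empty SEQUENCE: end-entity cert
BAD_ZERO_BOOL = bytes.fromhex("30020100")       # cA BOOLEAN with no content
BAD_ZERO_INT = bytes.fromhex("30050101ff0200")  # pathLen INTEGER with no content

if __name__ == "__main__":
    for label, vec in [("GOOD_CA", GOOD_CA), ("GOOD_EE", GOOD_EE),
                       ("BAD_ZERO_BOOL", BAD_ZERO_BOOL), ("BAD_ZERO_INT", BAD_ZERO_INT)]:
        print(label, "well-formed" if is_well_formed(vec) else "rejected")
```

A lenient decoder would return `(False, -1)` for `BAD_ZERO_BOOL`, silently turning a malformed extension into "not a CA"; the strict version refuses the certificate instead, which is the behaviour the advisory describes NSS 3.13.4 adopting.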

MFSA 2012-40 Security researcher Abhishek Arya of
Google used the Address Sanitizer tool to uncover several
issues: two heap buffer overflow bugs and a use-after-free
problem. The first heap buffer overflow was found in
conversion from unicode to native character sets when the
function fails. The use-after-free occurs in nsFrameList
when working with column layout with absolute positioning
in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is
resized on a page with nested columns and a combination of
absolute and relative positioning. All three of these
issues are potentially exploitable.

Heap-buffer-overflow in utf16_to_isolatin1
(CVE-2012-1947)

Heap-use-after-free in nsFrameList::FirstChild
(CVE-2012-1940)

Heap-buffer-overflow in
nsHTMLReflowState::CalculateHypotheticalBox, with nested
multi-column, relative position, and absolute position
(CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/