SUSE-SU-2012:1157-1
Security update for Mozilla Firefox (important)

Published: 2012-09-13 01:08:39
Source: lists.opensuse.org
EPSS: 0.174 (Low), percentile 95.6%

MozillaFirefox was updated to 10.0.7ESR release, fixing a
lot of bugs and security problems.

The following security issues have been addressed:

MFSA 2012-57: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

CVE-2012-1971: Gary Kwong, Christian Holler, Jesse
Ruderman, Steve Fink, Bob Clary, Andrew Sutherland, and
Jason Smith reported memory safety problems and crashes
that affect Firefox 14.

CVE-2012-1970: Gary Kwong, Christian Holler, Jesse
Ruderman, John Schoenick, Vladimir Vukicevic and Daniel
Holbert reported memory safety problems and crashes that
affect Firefox ESR 10 and Firefox 14.

MFSA 2012-58: Security researcher Abhishek Arya
(Inferno) of Google Chrome Security Team discovered a
series of use-after-free issues using the Address Sanitizer
tool. Many of these issues are potentially exploitable,
allowing for remote code execution.

o Heap-use-after-free in
  nsHTMLEditor::CollapseAdjacentTextNodes CVE-2012-1972
o Heap-use-after-free in
  nsObjectLoadingContent::LoadObject CVE-2012-1973
o Heap-use-after-free in
  gfxTextRun::CanBreakLineBefore CVE-2012-1974
o Heap-use-after-free in PresShell::CompleteMove
  CVE-2012-1975
o Heap-use-after-free in
  nsHTMLSelectElement::SubmitNamesValues CVE-2012-1976
o Heap-use-after-free in
  MediaStreamGraphThreadRunnable::Run() CVE-2012-3956
o Heap-buffer-overflow in nsBlockFrame::MarkLineDirty
  CVE-2012-3957
o Heap-use-after-free in
  nsHTMLEditRules::DeleteNonTableElements CVE-2012-3958
o Heap-use-after-free in
  nsRangeUpdater::SelAdjDeleteNode CVE-2012-3959
o Heap-use-after-free in
  mozSpellChecker::SetCurrentDictionary CVE-2012-3960
o Heap-use-after-free in RangeData::~RangeData
  CVE-2012-3961
o Bad iterator in text runs CVE-2012-3962
o Use-after-free in js::gc::MapAllocToTraceKind
  CVE-2012-3963
o Heap-use-after-free READ 8 in gfxTextRun::GetUserData
  CVE-2012-3964

MFSA 2012-59 / CVE-2012-1956: Security researcher
Mariusz Mlynski reported that it is possible to shadow the
location object using Object.defineProperty. This could be
used to misreport the current location to plugins, allowing
for possible cross-site scripting (XSS) attacks.

MFSA 2012-60 / CVE-2012-3965: Security researcher
Mariusz Mlynski reported that when a page opens a new tab,
a subsequent window can then be opened that can be
navigated to about:newtab, a chrome privileged page. Once
about:newtab is loaded, the special context can potentially
be used to escalate privilege, allowing for arbitrary code
execution on the local system in a maliciously crafted
attack.

MFSA 2012-61 / CVE-2012-3966: Security researcher
Frederic Hoguin reported two related issues with the
decoding of bitmap (.BMP) format images embedded in icon
(.ICO) format files. When a negative "height" header value
for the bitmap image is processed, memory corruption can be
induced, allowing an attacker to corrupt memory and cause a
crash. This crash may be potentially exploitable.

MFSA 2012-62: Security researcher miaubiz used the
Address Sanitizer tool to discover two WebGL issues. The
first issue is a use-after-free when WebGL shaders are
called after being destroyed. The second issue exposes a
problem with Mesa drivers on Linux, leading to a
potentially exploitable crash.

o use after free, webgl fragment shader deleted
  by accessor CVE-2012-3968
o stack scribbling with 4-byte values choosable
  among a few values, when using more than 16 sampler
  uniforms, on Mesa, with all drivers CVE-2012-3967

MFSA 2012-63: Security researcher Arthur Gerkis used
the Address Sanitizer tool to find two issues involving
Scalable Vector Graphics (SVG) files. The first issue is a
buffer overflow in Gecko’s SVG filter code when the sum of
two values is too large to be stored as a signed 32-bit
integer, causing the function to write past the end of an
array. The second issue is a use-after-free when an element
with a "requiredFeatures" attribute is moved between
documents. In that situation, the internal representation
of the "requiredFeatures" value could be freed prematurely.
Both issues are potentially exploitable.

o Heap-buffer-overflow in
  nsSVGFEMorphologyElement::Filter CVE-2012-3969
o Heap-use-after-free in nsTArray_base::Length()
  CVE-2012-3970
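As an added illustration of the two integer checks that the MFSA 2012-61 (negative bitmap height) and MFSA 2012-63 (int32 sum overflowing before an array write) entries above call for, written for this page and not taken from Mozilla's decoder or from this update: the first function validates the standard BITMAPINFOHEADER of a bitmap embedded in an ICO entry and rejects a negative, zero or odd height before any size arithmetic uses it (the 256-pixel cap is this example's own policy choice, matching the largest size an ICO directory entry encodes); the second adds two int32 values through int64 and refuses an index that overflowed or lies outside the array. The sample header bytes are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian 32-bit read/write, so the header bytes are handled the same
 * way on every host and without unaligned pointer casts. */
static int32_t rd_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}
static void wr_le32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u;         p[1] = (uint8_t)(u >> 8);
    p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}

/* MFSA 2012-61 class: validate the BITMAPINFOHEADER of a bitmap embedded in an
 * ICO entry before its fields reach any allocation or row arithmetic.
 * In an ICO the stored biHeight covers both the XOR image and the AND mask, so
 * it must be positive and even; a negative value (which means "top-down" in a
 * stand-alone .BMP) is rejected outright. The 256-pixel cap is a policy
 * choice for this example. Returns 1 if sane, 0 if the header is rejected. */
int ico_bmp_header_ok(const uint8_t *hdr, size_t len, int32_t *w_out, int32_t *h_out) {
    if (len < 40 || rd_le32(hdr + 0) != 40) return 0;   /* biSize must be 40 */
    int32_t w = rd_le32(hdr + 4);                         /* biWidth  */
    int32_t h = rd_le32(hdr + 8);                         /* biHeight */
    if (w <= 0 || h <= 0 || (h & 1)) return 0;            /* negative height stops here */
    if (w > 256 || h / 2 > 256) return 0;
    *w_out = w;
    *h_out = h / 2;                                       /* visible icon height */
    return 1;
}

/* Constructed sample: a 16-pixel-wide, 32-bpp header with the given biHeight,
 * run through the validator. */
int demo_header(int32_t bi_height) {
    uint8_t hdr[40] = {0};
    wr_le32(hdr + 0, 40);           /* biSize */
    wr_le32(hdr + 4, 16);           /* biWidth */
    wr_le32(hdr + 8, bi_height);    /* biHeight, attacker-controlled in an .ICO */
    hdr[12] = 1;                    /* biPlanes */
    hdr[14] = 32;                   /* biBitCount */
    int32_t w, h;
    return ico_bmp_header_ok(hdr, sizeof hdr, &w, &h);
}

/* MFSA 2012-63 class: add two int32 values without letting the sum wrap.
 * Returns 0 on overflow, otherwise 1 with the sum stored in *out. */
int add_i32_checked(int32_t a, int32_t b, int32_t *out) {
    int64_t s = (int64_t)a + (int64_t)b;
    if (s > INT32_MAX || s < INT32_MIN) return 0;
    *out = (int32_t)s;
    return 1;
}

/* Is position a+b a valid index into an array of `len` elements? Overflow,
 * a negative result and an out-of-range result are all treated as rejection,
 * so the write past the end of the array can never happen. */
int filter_index_ok(int32_t a, int32_t b, int32_t len) {
    int32_t idx;
    if (!add_i32_checked(a, b, &idx)) return 0;
    return idx >= 0 && idx < len;
}

int main(void) {
    printf("ICO header, biHeight 32:  %s\n", demo_header(32)  ? "accepted" : "rejected");
    printf("ICO header, biHeight -32: %s\n", demo_header(-32) ? "accepted" : "rejected");
    printf("index INT32_MAX+1 of 100: %s\n", filter_index_ok(INT32_MAX, 1, 100) ? "in range" : "rejected");
    printf("index 10+20 of 100:       %s\n", filter_index_ok(10, 20, 100) ? "in range" : "rejected");
    return 0;
}
```

The order of the checks matters: the sign and parity tests run on the raw header fields before any multiplication or division uses them, and the index test refuses on overflow before it ever compares against the array length, so a wrapped sum cannot slip through as a small positive number.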

MFSA 2012-64 / CVE-2012-3971: Using the Address
Sanitizer tool, Mozilla security researcher Christoph Diehl
discovered two memory corruption issues involving the
Graphite 2 library used in Mozilla products. Both of these
issues can cause a potentially exploitable crash. These
problems were fixed in the Graphite 2 library, which has
been updated for Mozilla products.

MFSA 2012-65 / CVE-2012-3972: Security researcher
Nicolas Gregoire used the Address Sanitizer tool to
discover an out-of-bounds read in the format-number feature
of XSLT, which can cause inaccurate formatting of numbers
and information leakage. This is not directly exploitable.

MFSA 2012-66 / CVE-2012-3973: Mozilla security
researcher Mark Goodwin discovered an issue with the
Firefox developer tools’ debugger. If remote debugging is
disabled, but the experimental HTTPMonitor extension has
been installed and enabled, a remote user can connect to
and use the remote debugging service through the port used
by HTTPMonitor. A remote-enabled flag has been added to
resolve this problem and close the port unless debugging is
explicitly enabled.

MFSA 2012-67 / CVE-2012-3974: Security researcher
Masato Kinugawa reported that if a crafted executable is
placed in the root partition on a Windows file system, the
Firefox and Thunderbird installer will launch this program
after a standard installation instead of Firefox or
Thunderbird, running this program with the user’s
privileges.

MFSA 2012-68 / CVE-2012-3975: Security researcher
vsemozhetbyt reported that when the DOMParser is used to
parse text/html data in a Firefox extension, linked
resources within this HTML data will be loaded. If the data
being parsed in the extension is untrusted, it could lead
to information leakage and can potentially be combined with
other attacks to become exploitable.

MFSA 2012-69 / CVE-2012-3976: Security researcher
Mark Poticha reported an issue where incorrect SSL
certificate information can be displayed in the address
bar, showing the SSL data for a previous site while another
has been loaded. This is caused by two onLocationChange
events being fired out of the expected order, so the
displayed certificate data is not updated. This can be used
for phishing attacks: the user enters form or other data on
a newer, attacking, site while the credentials of an older
site still appear in the address bar.

MFSA 2012-70 / CVE-2012-3978: Mozilla security
researcher moz_bug_r_a4 reported that certain security
checks in the location object can be bypassed if chrome
code is called from content in a specific manner. This
allowed restricted content to be loaded. This can be
combined with other issues to become potentially
exploitable.

MFSA 2012-71 / CVE-2012-3979: Mozilla developer Blake
Kaplan reported that __android_log_print is called
insecurely in places. If a malicious web page used a dump()
statement with a specially crafted string, it can trigger a
potentially exploitable crash.

This vulnerability only affects Firefox for Android.
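An added example of the logging pattern behind MFSA 2012-71, written for this page rather than taken from Firefox, and assuming that the advisory's "called insecurely" means the dump() string reached the format argument of __android_log_print. That function is replaced here by a vsnprintf stand-in with the same printf-style contract so the code runs on any host; the constructed web-controlled message uses only "%%", the one directive that is well defined without arguments, so both the vulnerable and the fixed call can be executed side by side.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Stand-in for __android_log_print(prio, tag, fmt, ...): same printf-style
 * contract, but it formats into a caller-supplied buffer instead of logcat. */
static int log_print(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

static char g_line[LOG_MAX];

/* VULNERABLE pattern: the message from dump() is passed as the format string,
 * so every "%" directive inside it is interpreted ("%x" reads the stack,
 * "%n" writes memory). It is only ever called below with "%%", which consumes
 * no argument and has defined behaviour; never feed it anything else. */
const char *log_dump_unsafe(const char *msg) {
    log_print(g_line, sizeof g_line, msg);
    return g_line;
}

/* FIXED pattern: the message is an argument to a fixed "%s" format, so every
 * byte of it is copied literally and no directive in it is ever parsed. */
const char *log_dump_safe(const char *msg) {
    log_print(g_line, sizeof g_line, "%s", msg);
    return g_line;
}

/* Audit helper: does a string contain a conversion directive, i.e. a "%" that
 * is not the escaped "%%"? Handy for flagging test inputs or captured log
 * arguments that must never reach a format parameter. */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

int main(void) {
    const char *msg = "progress 100%% done";   /* constructed web-controlled string */
    printf("unsafe: %s\n", log_dump_unsafe(msg));  /* "%%" collapsed to "%": interpreted */
    printf("safe:   %s\n", log_dump_safe(msg));    /* copied verbatim */
    printf("directive in \"%%x %%n\": %d\n", has_format_directive("%x %n"));
    return 0;
}
```

The difference between the two outputs is the whole bug: the moment a caller can see its own "%%" collapse to "%", any other directive it sends is being parsed too, and the fix is always to move the untrusted string out of the format position rather than to filter it.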

MFSA 2012-72 / CVE-2012-3980: Security researcher
Colby Russell discovered that eval in the web console can
execute injected code with chrome privileges, leading to
the running of malicious code in a privileged context. This
allows for arbitrary code execution through a malicious web
page if the web console is invoked by the user.