SUSE-SU-2012:1592-1

Security update for Mozilla Firefox (important)

2012-11-29 01:08:52
lists.opensuse.org

Mozilla Firefox has been updated to the 10.0.11 ESR
security release, which fixes various bugs and security
issues.

MFSA 2012-106: Security researcher miaubiz used the
Address Sanitizer tool to discover a series of critically
rated use-after-free, buffer overflow, and memory
corruption issues in shipped software. These issues are
potentially exploitable, allowing for remote code
execution. We would also like to thank miaubiz for
reporting two additional use-after-free and memory
corruption issues introduced during Firefox development
that have been fixed before general release.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

References

The following issues have been fixed in Firefox 17
and ESR 10.0.11:

o use-after-free when loading html file on osx (CVE-2012-5830)
o Mesa crashes on certain texImage2D calls involving level>0 (CVE-2012-5833)
o integer overflow, invalid write w/webgl bufferdata (CVE-2012-5835)

The following issues have been fixed in Firefox 17:

o crash in copyTexImage2D with image dimensions too large for given level (CVE-2012-5838)

MFSA 2012-105: Security researcher Abhishek Arya
(Inferno) of the Google Chrome Security Team discovered a
series of critically rated use-after-free and buffer
overflow issues using the Address Sanitizer tool in shipped
software. These issues are potentially exploitable,
allowing for remote code execution. We would also like to
thank Abhishek for reporting five additional
use-after-free, out of bounds read, and buffer overflow
flaws introduced during Firefox development that have been
fixed before general release.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

References

The following issues have been fixed in Firefox 17
and ESR 10.0.11:

o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-4214)
o Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent (CVE-2012-4215)
o Heap-use-after-free in gfxFont::GetFontEntry (CVE-2012-4216)
o Heap-buffer-overflow in nsWindow::OnExposeEvent (CVE-2012-5829)
o heap-buffer-overflow in gfxShapedWord::CompressedGlyph::IsClusterStart (CVE-2012-5839)
o Heap-use-after-free in nsTextEditorState::PrepareEditor (CVE-2012-5840)

The following issues have been fixed in Firefox 17:

o Heap-use-after-free in XPCWrappedNative::Mark (CVE-2012-4212)
o Heap-use-after-free in nsEditor::FindNextLeafNode (CVE-2012-4213)
o Heap-use-after-free in nsViewManager::ProcessPendingUpdates (CVE-2012-4217)
o Heap-use-after-free in BuildTextRunsScanner::BreakSink::SetBreaks (CVE-2012-4218)

MFSA 2012-104 / CVE-2012-4210: Security researcher
Mariusz Mlynski reported that when a maliciously crafted
stylesheet is inspected in the Style Inspector, HTML and
CSS can run in a chrome privileged context without being
properly sanitized first. This can lead to arbitrary code
execution.

MFSA 2012-103 / CVE-2012-4209: Security researcher
Mariusz Mlynski reported that the location property can be
accessed by binary plugins through top.location with a
frame whose name attribute’s value is set to "top". This
can allow for possible cross-site scripting (XSS) attacks
through plugins.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

MFSA 2012-102 / CVE-2012-5837: Security researcher
Masato Kinugawa reported that when script is entered into
the Developer Toolbar, it runs in a chrome privileged
context. This allows for arbitrary code execution or
cross-site scripting (XSS) if a user can be convinced to
paste malicious code into the Developer Toolbar.

MFSA 2012-101 / CVE-2012-4207: Security researcher
Masato Kinugawa found when HZ-GB-2312 charset encoding is
used for text, the "~" character will destroy another
character near the chunk delimiter. This can lead to a
cross-site scripting (XSS) attack in pages encoded in
HZ-GB-2312.

MFSA 2012-100 / CVE-2012-5841: Mozilla developer
Bobby Holley reported that security wrappers filter at the
time of property access, but once a function is returned,
the caller can use this function without further security
checks. This affects cross-origin wrappers, allowing for
write actions on objects when only read actions should be
properly allowed. This can lead to cross-site scripting
(XSS) attacks.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.
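The MFSA 2012-100 entry describes a general design flaw in security wrappers: the policy decision is made when a property is read, but a function obtained that way is then called with no further check, so a "read" of a method can turn into a write. The following is an added illustration, not code from the SUSE advisory or from Mozilla's wrapper implementation: a toy Proxy-based read-only wrapper around a constructed target object whose `attr(name)` reads and `attr(name, value)` writes. The names `makeTarget`, `classifyAccess`, `classifyCall`, `flawedWrapper`, `fixedWrapper` and `demo` are all assumptions for this example. The flawed wrapper hands out the raw function; the fixed one wraps every returned function so that each invocation is re-classified with its real arguments and always runs against the real target.

```javascript
'use strict';

// Constructed target (not a Firefox object): one property name, attr,
// covers both a read form attr(name) and a write form attr(name, value).
function makeTarget() {
  const attrs = { title: 'hello' };
  return {
    attr(name, value) {
      if (arguments.length > 1) { attrs[name] = value; return this; }
      return attrs[name];
    },
    snapshot() { return { ...attrs }; },
  };
}

// Property access only sees a name; a call also sees its arguments, which
// is the information the flawed design throws away.
function classifyAccess(prop) {
  return prop === 'attr' || prop === 'snapshot' ? 'read' : 'unknown';
}
function classifyCall(prop, args) {
  if (prop === 'attr' && args.length > 1) return 'write';
  return classifyAccess(prop);
}

// Flawed wrapper (the MFSA 2012-100 pattern): filters at access time only.
// The raw function escapes, so a later attr('x', 'y') call writes unchecked.
function flawedWrapper(target) {
  return new Proxy(target, {
    get(t, prop) {
      if (classifyAccess(prop) !== 'read') throw new Error('denied: ' + String(prop));
      return t[prop];                       // raw function leaves the wrapper
    },
    set() { throw new Error('denied: write'); },
  });
}

// Fixed wrapper: functions are handed out wrapped, so every invocation is
// classified again with the actual arguments before it reaches the target.
function fixedWrapper(target) {
  return new Proxy(target, {
    get(t, prop) {
      if (classifyAccess(prop) !== 'read') throw new Error('denied: ' + String(prop));
      const v = t[prop];
      if (typeof v !== 'function') return v;
      return new Proxy(v, {
        apply(fn, _thisArg, args) {
          if (classifyCall(prop, args) !== 'read') {
            throw new Error('denied: write via ' + String(prop));
          }
          return Reflect.apply(fn, t, args); // invoke on the real target only
        },
      });
    },
    set() { throw new Error('denied: write'); },
  });
}

// Drive a wrapper: read through it, keep the function it returned, try to
// write with that function, then inspect the underlying target.
function demo(makeWrapper) {
  const target = makeTarget();
  const w = makeWrapper(target);
  const before = w.attr('title');
  const attr = w.attr;                      // function obtained via the wrapper
  let writeDenied = false;
  try { attr.call(target, 'title', 'tampered'); } catch (e) { writeDenied = true; }
  return { before, writeDenied, after: target.snapshot().title };
}

console.log('flawed:', demo(flawedWrapper)); // write goes through
console.log('fixed: ', demo(fixedWrapper));  // write denied, target unchanged
```

The point of the fixed variant is that the policy is enforced at the moment an effect happens (the call), not at the moment a capability is looked up; a wrapper that only filters lookups is effectively granting whatever the returned function can do.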

MFSA 2012-99 / CVE-2012-4208: Mozilla developer Peter
Van der Beken discovered that same-origin XrayWrappers
expose chrome-only properties even when not in a chrome
compartment. This can allow web content to get properties
of DOM objects that are intended to be chrome-only.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

MFSA 2012-98 / CVE-2012-4206: Security researcher
Robert Kugler reported that when a specifically named DLL
file on a Windows computer is placed in the default
downloads directory with the Firefox installer, the Firefox
installer will load this DLL when it is launched. In
circumstances where the installer is run by an
administrator privileged account, this allows for the
downloaded DLL file to be run with administrator
privileges. This can lead to arbitrary code execution from
a privileged account.

MFSA 2012-97 / CVE-2012-4205: Mozilla developer Gabor
Krizsanits discovered that XMLHttpRequest objects created
within sandboxes have the system principal instead of the
sandbox principal. This can lead to cross-site request
forgery (CSRF) or information theft via an add-on running
untrusted code in a sandbox.

MFSA 2012-96 / CVE-2012-4204: Security researcher
Scott Bell of Security-Assessment.com used the Address
Sanitizer tool to discover a memory corruption in
str_unescape in the JavaScript engine. This could
potentially lead to arbitrary code execution.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

MFSA 2012-95 / CVE-2012-4203: Security researcher
kakzz.ng@xxxxxxxxx reported that if a javascript: URL is
selected from the list on the Firefox "new tab" page, the
script will inherit the privileges of the privileged "new
tab" page. This allows for the execution of locally
installed programs if a user can be convinced to save a
bookmark of a malicious javascript: URL.

MFSA 2012-94 / CVE-2012-5836: Security researcher
Jonathan Stephens discovered that combining SVG text on a
path with the setting of CSS properties could lead to a
potentially exploitable crash.

MFSA 2012-93 / CVE-2012-4201: Mozilla security
researcher moz_bug_r_a4 reported that if code executed by
the evalInSandbox function sets location.href, it can get
the wrong subject principal for the URL check, ignoring the
sandbox’s JavaScript context and gaining the context of
evalInSandbox object. This can lead to malicious web
content being able to perform a cross-site scripting (XSS)
attack or stealing a copy of a local file if the user has
installed an add-on vulnerable to this attack.

MFSA 2012-92 / CVE-2012-4202: Security researcher
Atte Kettunen from OUSPG used the Address Sanitizer tool to
discover a buffer overflow while rendering GIF format
images. This issue is potentially exploitable and could
lead to arbitrary code execution.

MFSA 2012-91: Mozilla developers identified and fixed
several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary
code.

In general these flaws cannot be exploited through
email in the Thunderbird and SeaMonkey products because
scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.

References

Gary Kwong, Jesse Ruderman, Christian Holler, Bob
Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky,
Julian Seward, and Bill McCloskey reported memory safety
problems and crashes that affect Firefox 16. (CVE-2012-5843)

Jesse Ruderman, Andrew McCreight, Bob Clary, and Kyle
Huey reported memory safety problems and crashes that
affect Firefox ESR 10 and Firefox 16. (CVE-2012-5842)