SUSE-SU-2014:0418-1: important: Security update for MozillaFirefox

sle-updates at lists.suse.com sle-updates at lists.suse.com
Fri Mar 21 16:04:14 MDT 2014


   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0418-1
Rating:             important
References:         #868603 
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that contains security fixes can now be
   installed. It includes two new package versions.

Description:


   Mozilla Firefox was updated to 24.4.0ESR release, fixing
   various security  issues and bugs:

   *

   MFSA 2014-15: Mozilla developers and community
   identified identified and fixed several memory safety bugs
   in the browser engine used in Firefox and other
   Mozilla-based products. Some of these bugs showed evidence
   of memory corruption under certain circumstances, and we
   presume that with enough effort at least some of these
   could be exploited to run arbitrary code.

   *

   Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij,
   Jesse Ruderman, Dan Gohman, and Christoph Diehl reported
   memory safety problems and crashes that affect Firefox ESR
   24.3 and Firefox 27. (CVE-2014-1493)

   *

   Gregor Wagner, Olli Pettay, Gary Kwong, Jesse
   Ruderman, Luke Wagner, Rob Fletcher, and Makoto Kato
   reported memory safety problems and crashes that affect
   Firefox 27. (CVE-2014-1494)

   *

   MFSA 2014-16 / CVE-2014-1496: Security researcher Ash
   reported an issue where the extracted files for updates to
   existing files are not read only during the update process.
   This allows for the potential replacement or modification
   of these files during the update process if a malicious
   application is present on the local system.

   *

   MFSA 2014-17 / CVE-2014-1497: Security researcher
   Atte Kettunen from OUSPG reported an out of bounds read
   during the decoding of WAV format audio files for playback.
   This could allow web content access to heap data as well as
   causing a crash.

   *

   MFSA 2014-18 / CVE-2014-1498: Mozilla developer David
   Keeler reported that the crypto.generateCRFMRequest method
   did not correctly validate the key type of the KeyParams
   argument when generating ec-dual-use requests. This could
   lead to a crash and a denial of service (DOS) attack.

   *

   MFSA 2014-19 / CVE-2014-1499: Mozilla developer Ehsan
   Akhgari reported a spoofing attack where the permission
   prompt for a WebRTC session can appear to be from a
   different site than its actual originating site if a timed
   navigation occurs during the prompt generation. This allows
   an attacker to potentially gain access to the webcam or
   microphone by masquerading as another site and gaining user
   permission through spoofing.

   *

   MFSA 2014-20 / CVE-2014-1500: Security researchers
   Tim Philipp Schaefers and Sebastian Neef, the team of
   Internetwache.org, reported a mechanism using JavaScript
   onbeforeunload events with page navigation to prevent users
   from closing a malicious page's tab and causing the browser
   to become unresponsive. This allows for a denial of service
   (DOS) attack due to resource consumption and blocks the
   ability of users to exit the application.

   *

   MFSA 2014-21 / CVE-2014-1501: Security researcher
   Alex Infuehr reported that on Firefox for Android it is
   possible to open links to local files from web content by
   selecting "Open Link in New Tab" from the context menu
   using the file: protocol. The web content would have to
   know the precise location of a malicious local file in
   order to exploit this issue. This issue does not affect
   Firefox on non-Android systems.

   *

   MFSA 2014-22 / CVE-2014-1502: Mozilla developer Jeff
   Gilbert discovered a mechanism where a malicious site with
   WebGL content could inject content from its context to that
   of another site's WebGL context, causing the second site to
   replace textures and similar content. This cannot be used
   to steal data but could be used to render arbitrary content
   in these limited circumstances.

   *

   MFSA 2014-23 / CVE-2014-1504: Security researcher
   Nicolas Golubovic reported that the Content Security Policy
   (CSP) of data: documents was not saved as part of session
   restore. If an attacker convinced a victim to open a
   document from a data: URL injected onto a page, this can
   lead to a Cross-Site Scripting (XSS) attack. The target
   page may have a strict CSP that protects against this XSS
   attack, but if the attacker induces a browser crash with
   another bug, an XSS attack would occur during session
   restoration, bypassing the CSP on the site.

   *

   MFSA 2014-26 / CVE-2014-1508: Security researcher
   Tyson Smith and Jesse Schwartzentruber of the BlackBerry
   Security Automated Analysis Team used the Address Sanitizer
   tool while fuzzing to discover an out-of-bounds read during
   polygon rendering in MathML. This can allow web content to
   potentially read protected memory addresses. In combination
   with previous techniques used for SVG timing attacks, this
   could allow for text values to be read across domains,
   leading to information disclosure.

   *

   MFSA 2014-27 / CVE-2014-1509: Security researcher
   John Thomson discovered a memory corruption in the Cairo
   graphics library during font rendering of a PDF file for
   display. This memory corruption leads to a potentially
   exploitable crash and to a denial of service (DOS). This
   issues is not able to be triggered in a default
   configuration and would require a malicious extension to be
   installed.

   *

   MFSA 2014-28 / CVE-2014-1505: Mozilla developer
   Robert O'Callahan reported a mechanism for timing attacks
   involving SVG filters and displacements input to
   feDisplacementMap. This allows displacements to potentially
   be correlated with values derived from content. This is
   similar to the previously reported techniques used for SVG
   timing attacks and could allow for text values to be read
   across domains, leading to information disclosure.

   *

   MFSA 2014-29 / CVE-2014-1510 / CVE-2014-1511:
   Security researcher Mariusz Mlynski, via TippingPoint's
   Pwn2Own contest, reported that it is possible for untrusted
   web content to load a chrome-privileged page by getting
   JavaScript-implemented WebIDL to call window.open(). A
   second bug allowed the bypassing of the popup-blocker
   without user interaction. Combined these two bugs allow an
   attacker to load a JavaScript URL that is executed with the
   full privileges of the browser, which allows arbitrary code
   execution.

   *

   MFSA 2014-30 / CVE-2014-1512: Security research firm
   VUPEN, via TippingPoint's Pwn2Own contest, reported that
   memory pressure during Garbage Collection could lead to
   memory corruption of TypeObjects in the JS engine,
   resulting in an exploitable use-after-free condition.

   *

   MFSA 2014-31 / CVE-2014-1513: Security researcher
   Jueri Aedla, via TippingPoint's Pwn2Own contest, reported
   that TypedArrayObject does not handle the case where
   ArrayBuffer objects are neutered, setting their length to
   zero while still in use. This leads to out-of-bounds reads
   and writes into the JavaScript heap, allowing for arbitrary
   code execution.

   *

   MFSA 2014-32 / CVE-2014-1514: Security researcher
   George Hotz, via TippingPoint's Pwn2Own contest, discovered
   an issue where values are copied from an array into a
   second, neutered array. This allows for an out-of-bounds
   write into memory, causing an exploitable crash leading to
   arbitrary code execution.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-firefox-201403-9049

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-firefox-201403-9049

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-firefox-201403-9049

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-firefox-201403-9049

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 4.10.4]:

      MozillaFirefox-devel-24.4.0esr-0.8.1
      mozilla-nspr-devel-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.4.0esr and 4.10.4]:

      MozillaFirefox-24.4.0esr-0.8.1
      MozillaFirefox-translations-24.4.0esr-0.8.1
      mozilla-nspr-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 4.10.4]:

      mozilla-nspr-32bit-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.4.0esr and 4.10.4]:

      MozillaFirefox-24.4.0esr-0.8.1
      MozillaFirefox-branding-SLED-24-0.7.23
      MozillaFirefox-translations-24.4.0esr-0.8.1
      mozilla-nspr-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 4.10.4]:

      mozilla-nspr-32bit-4.10.4-0.3.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 4.10.4]:

      mozilla-nspr-x86-4.10.4-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.4.0esr and 4.10.4]:

      MozillaFirefox-24.4.0esr-0.8.1
      MozillaFirefox-branding-SLED-24-0.7.23
      MozillaFirefox-translations-24.4.0esr-0.8.1
      mozilla-nspr-4.10.4-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 4.10.4]:

      mozilla-nspr-32bit-4.10.4-0.3.1


References:

   https://bugzilla.novell.com/868603
   http://download.suse.com/patch/finder/?keywords=459a5273e5dbc348d118a48052078601



More information about the sle-updates mailing list