Advisories MDVSA-2010:070-1: firefox


paul

Security issues were identified and fixed in firefox:

Security researcher regenrecht reported (via TippingPoint's Zero Day Initiative) a potential reuse of a deleted image frame in Firefox 3.6's handling of multipart/x-mixed-replace images. Although no exploit was shown, re-use of freed memory has led to exploitable vulnerabilities in the past (CVE-2010-0164).

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2010-0165, CVE-2010-0167).

Mozilla developer Josh Soref of Nokia reported that documents failed to call certain security checks when attempting to preload images. Although the image content is not available to the page, it is possible to specify protocols that are normally not allowed in a web page such as file:. This includes internal schemes implemented by add-ons that might perform privileged actions resulting in something like a Cross-Site Request Forgery (CSRF) attack against the add-on. Potential severity would depend on the add-ons installed (CVE-2010-0168).

Mozilla developer Blake Kaplan reported that the window.location object was made a normal overridable JavaScript object in the Firefox 3.6 browser engine (Gecko 1.9.2) because new mechanisms were developed to enforce the same-origin policy between windows and frames. This object is unfortunately also used by some plugins to determine the page origin used for access restrictions. A malicious page could override this object to fool a plugin into granting access to data on another site or the local file system. The behavior of older Firefox versions has been restored (CVE-2010-0170).

Mozilla developer Justin Dolske reported that the new asynchronous Authorization Prompt (HTTP username and password) was not always attached to the correct window. Although we have not demonstrated this, it may be possible for a malicious page to convince a user to open a new tab or popup to a trusted service and then have the HTTP authorization prompt from the malicious page appear to be the login prompt for the trusted page. This potential attack is greatly mitigated by the fact that very few web sites use HTTP authorization, preferring instead to use web forms and cookies (CVE-2010-0172).

Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.8 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly have unknown other impact via vectors that might involve compressed data, a different vulnerability than CVE-2010-1028 (CVE-2010-1122).

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2010-0173, CVE-2010-0174).

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted. This results in the execution of previously freed memory which an attacker could use to crash a victim's browser and run arbitrary code on the victim's computer (CVE-2010-0175).

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the way elements are inserted into a XUL tree. In certain cases, the number of references to an element is under-counted so that when the element is deleted, a live pointer to its old location is kept around and may later be used. An attacker could potentially use these conditions to run arbitrary code on a victim's computer (CVE-2010-0176).

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative an error in the implementation of the window.navigator.plugins object. When a page reloads, the plugins array would reallocate all of its members without checking for existing references to each member. This could result in the deletion of objects for which valid pointers still exist. An attacker could use this vulnerability to crash a victim's browser and run arbitrary code on the victim's machine (CVE-2010-0177).

Security researcher Paul Stone reported that a browser applet could be used to turn a simple mouse click into a drag-and-drop action, potentially resulting in the unintended loading of resources in a user's browser. This behavior could be used twice in succession to first load a privileged chrome: URL in a victim's browser, then load a malicious javascript: URL on top of the same document resulting in arbitrary script execution with chrome privileges (CVE-2010-0178).

Mozilla security researcher moz_bug_r_a4 reported that the XMLHttpRequestSpy module in the Firebug add-on was exposing an underlying chrome privilege escalation vulnerability. When the XMLHttpRequestSpy object was created, it would attach various properties of itself to objects defined in web content, which were not being properly wrapped to prevent their exposure to chrome privileged objects. This could result in an attacker running arbitrary JavaScript on a victim's machine, though it required the victim to have Firebug installed, so the overall severity of the issue was determined to be High (CVE-2010-0179).

phpBB developer Henry Sudhof reported that when an image tag points to a resource that redirects to a mailto: URL, the external mail handler application is launched. This issue poses no security threat to users but could create an annoyance when browsing a site that allows users to post arbitrary images (CVE-2010-0181).

Mozilla community member Wladimir Palant reported that XML documents were failing to call certain security checks when loading new content. This could result in certain resources being loaded that would otherwise violate security policies set by the browser or installed add-ons (CVE-2010-0182).

Note that to benefit from the fix for CVE-2009-3555 added in nss-3.12.6, Firefox 3.6 users will need to set their security.ssl.require_safe_negotiation preference to true. In Mandriva the default setting is false due to problems with some common sites.

Since firefox-3.0.19 is the last 3.0.x release Mandriva opted to provide the latest 3.6.3 version for Mandriva Linux 2008.0/2009.0/2009.1/MES5/2010.0.

Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products.

Additionally, some packages which require it have been rebuilt and are being provided as updates.

Update:

Packages for 2009.0 are provided due to the Extended Maintenance Program.
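The advisory notes that the CVE-2009-3555 fix only takes effect once security.ssl.require_safe_negotiation is true, and that Mandriva ships it as false. The following is an added example, not part of the advisory or of Mandriva's or Mozilla's code: a small Node.js script that parses the user_pref()/pref() lines of a Firefox prefs.js or user.js, reports whether that preference is enabled, and treats an absent preference as the distribution default (false, as the advisory states). The sample prefs.js content and the auditSafeNegotiation helper are constructed for this example.

```javascript
// Added example (not from the advisory): audit a Firefox prefs.js / user.js
// for the security.ssl.require_safe_negotiation preference.

const SAFE_NEGOTIATION_PREF = "security.ssl.require_safe_negotiation";

// Parse preference lines of the form
//   user_pref("name", value);   (prefs.js / user.js)
//   pref("name", value);        (all.js / distribution defaults)
// Values may be true/false, an integer, or a double-quoted string.
// Returns a Map of preference name -> parsed value; later lines override
// earlier ones, which is how Firefox itself applies the file.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines and malformed lines are skipped
    const name = m[1];
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") {
      value = raw === "true";
    } else if (raw.startsWith('"')) {
      value = JSON.parse(raw); // resolves \" and \\ escapes inside the string
    } else {
      value = Number(raw);
    }
    prefs.set(name, value);
  }
  return prefs;
}

// Evaluate the renegotiation setting. An absent preference falls back to
// distroDefault, which is false for the Mandriva packages in the advisory.
// Returns { present, enabled, fix } where fix is the user.js line that
// would enable the check, or null when it is already on.
function auditSafeNegotiation(text, distroDefault = false) {
  const prefs = parsePrefs(text);
  const present = prefs.has(SAFE_NEGOTIATION_PREF);
  const value = present ? prefs.get(SAFE_NEGOTIATION_PREF) : distroDefault;
  const enabled = value === true;
  return {
    present,
    enabled,
    fix: enabled ? null : `user_pref("${SAFE_NEGOTIATION_PREF}", true);`,
  };
}

// Constructed sample prefs.js content (not taken from a real profile).
const SAMPLE_PREFS_JS = `
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1270000000);
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl.require_safe_negotiation", false);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
`;

// Usage: node audit-prefs.js  (or read a real profile's prefs.js with fs.readFileSync)
if (typeof require !== "undefined" && require.main === module) {
  console.log(auditSafeNegotiation(SAMPLE_PREFS_JS));
}
```

On the constructed sample the audit reports the preference as present but disabled and prints the user.js line that turns it on; the same parser can be pointed at a real profile's prefs.js to check whether the advisory's recommended setting is actually in effect.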
