Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 408161 (CVE-2012-0451) - <www-client/firefox{,-bin}-10.0.3 ,<mail-client/thunderbird{,-bin}-10.0.3 , <www-client/seamonkey{,-bin}-2.8: Multiple vulnerabilities (CVE-2012-{0451,0454,0455,0456,0457,0458,0459,0460,0461,0462,0463,0464})
Summary: <www-client/firefox{,-bin}-10.0.3 ,<mail-client/thunderbird{,-bin}-10.0.3 , <...
Status: RESOLVED FIXED
Alias: CVE-2012-0451
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48402/
Whiteboard: B2 [glsa]
Keywords:
: 408359 408371 (view as bug list)
Depends on: CVE-2011-3062
Blocks: CVE-2012-0452
  Show dependency tree
 
Reported: 2012-03-14 13:00 UTC by Agostino Sarubbo
Modified: 2013-01-08 01:05 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-14 13:00:54 UTC
From secunia security advisory:


1) A use-after-free error exists within shlwapi.dll when closing a child window that uses the file open dialog.

2) An error when handling certain drag and drop actions can be exploited to conduct cross-site scripting attacks.

3) A use-after-free error exists within the "nsSMILTimeValueSpec::ConvertBetweenTimeContainers()" function when handling certain SVG animation.

4) An out-of-bounds read error in SVG filters can be exploited to disclose certain data.

5) An error when handling Content Security Policy headers can be exploited to conduct cross-site scripting attacks.

6) An error when handling "javascript:" home page can be exploited to execute script code in "about:sessionrestore" context.

7) An unspecified error exists when accessing a keyframe's cssText after dynamic modification.

8) The window.fullScreen property does not properly enforce the mozRequestFullscreen policy, which can be exploited to bypass the policy and spoof certain content.

9) Multiple unspecified errors can be exploited to corrupt memory.

Successful exploitation of vulnerabilities #1, #3, #6, #7, and #9 may allow execution of arbitrary code.


Solution
Update or upgrade to Firefox versions 11.0 or 10.0.3, Thunderbird versions 11.0 or 10.0.3, and SeaMonkey version 2.8.
Comment 1 Agostino Sarubbo gentoo-dev 2012-03-15 16:25:39 UTC
*** Bug 408371 has been marked as a duplicate of this bug. ***
Comment 2 Jory A. Pratt gentoo-dev 2012-03-15 18:23:13 UTC
*** Bug 408359 has been marked as a duplicate of this bug. ***
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2012-03-21 05:44:55 UTC
Firefox-10.0.3 and Thunderbird-10.0.3 are in the tree now, and are the stable candidates.
Comment 4 Agostino Sarubbo gentoo-dev 2012-03-21 13:25:11 UTC
Arches, please test and mark stable:

=www-client/firefox-10.0.3
Target keywords : "alpha amd64 arm ia64 ppc x86"

=www-client/firefox-bin-10.0.3
Target keywords : "amd64 x86"

=mail-client/thunderbird-10.0.3
Target keywords : "alpha amd64 x86"

=mail-client/thunderbird-bin-10.0.3
Target keywords : "amd64 x86"

=www-client/seamonkey-2.8
Target keywords : "alpha amd64 arm ppc x86"

=www-client/seamonkey-bin-2.8
Target keywords : "amd64 x86"

Icecat will be masked asap.
Comment 5 Maurizio Camisaschi (amd64 AT) 2012-03-22 11:53:17 UTC
(In reply to comment #4)
> =www-client/firefox-bin-10.0.3
> =mail-client/thunderbird-bin-10.0.3
> =www-client/seamonkey-bin-2.8

amd64 ok
Comment 6 Agostino Sarubbo gentoo-dev 2012-03-22 13:11:40 UTC
Pulled in also:

=dev-libs/nss-3.13.3
=dev-libs/nspr-4.9
Comment 7 Agostino Sarubbo gentoo-dev 2012-03-22 13:40:34 UTC
amd64 stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-03-22 17:47:28 UTC
CVE-2012-0464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0464):
  Use-after-free vulnerability in the browser engine in Mozilla Firefox before
  3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird
  before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and
  SeaMonkey before 2.8 allows remote attackers to execute arbitrary code via
  vectors involving an empty argument to the array.join function in
  conjunction with the triggering of garbage collection.

CVE-2012-0463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0463):
  The nsWindow implementation in the browser engine in Mozilla Firefox before
  3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird
  before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and
  SeaMonkey before 2.8 does not check the validity of an instance after event
  dispatching, which allows remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors, as demonstrated by Mobile Firefox on Android.

CVE-2012-0462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0462):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0
  through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8
  allow remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2012-0461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0461):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3,
  Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before
  10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

CVE-2012-0460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0460):
  Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3,
  Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and
  SeaMonkey before 2.8 do not properly restrict write access to the
  window.fullScreen object, which allows remote attackers to spoof the user
  interface via a crafted web page.

CVE-2012-0459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0459):
  The Cascading Style Sheets (CSS) implementation in Mozilla Firefox 4.x
  through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0,
  Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via dynamic modification of a keyframe followed by
  access to the cssText of the keyframe.

CVE-2012-0458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0458):
  Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before
  10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x
  before 10.0.3, and SeaMonkey before 2.8 do not properly restrict setting the
  home page through the dragging of a URL to the home button, which allows
  user-assisted remote attackers to execute arbitrary JavaScript code with
  chrome privileges via a javascript: URL that is later interpreted in the
  about:sessionrestore context.

CVE-2012-0457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0457):
  Use-after-free vulnerability in the
  nsSMILTimeValueSpec::ConvertBetweenTimeContainer function in Mozilla Firefox
  before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3,
  Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before
  10.0.3, and SeaMonkey before 2.8 might allow remote attackers to execute
  arbitrary code via an SVG animation.

CVE-2012-0456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0456):
  The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x
  through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and
  5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before
  2.8 might allow remote attackers to obtain sensitive information from
  process memory via vectors that trigger an out-of-bounds read.

CVE-2012-0455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0455):
  Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before
  10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x
  before 10.0.3, and SeaMonkey before 2.8 do not properly restrict
  drag-and-drop operations on javascript: URLs, which allows user-assisted
  remote attackers to conduct cross-site scripting (XSS) attacks via a crafted
  web page, related to a "DragAndDropJacking" issue.

CVE-2012-0454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0454):
  Use-after-free vulnerability in Mozilla Firefox 4.x through 10.0, Firefox
  ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x
  before 10.0.3, and SeaMonkey before 2.8 on 32-bit Windows 7 platforms allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via vectors involving use of the file-open
  dialog in a child window, related to the IUnknown_QueryService function in
  the Windows shlwapi.dll library.

CVE-2012-0451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0451):
  CRLF injection vulnerability in Mozilla Firefox 4.x through 10.0, Firefox
  ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x
  before 10.0.3, and SeaMonkey before 2.8 allows remote web servers to bypass
  intended Content Security Policy (CSP) restrictions and possibly conduct
  cross-site scripting (XSS) attacks via crafted HTTP headers.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-22 17:52:26 UTC
@mozilla:

Will updated 3.6.28 ebuilds be provided for sparc?
Comment 10 Jory A. Pratt gentoo-dev 2012-03-22 19:56:23 UTC
(In reply to comment #9)
> @mozilla:
> 
> Will updated 3.6.28 ebuilds be provided for sparc?

I am not wanting to what I need is a bt of the failure on sparc so it can be resolved.
Comment 11 Myckel Habets 2012-03-23 06:19:39 UTC
Arches, could you look out for bug 409331 while testing and report there? This wasn't caught by the AMD64 team.
Comment 12 Agostino Sarubbo gentoo-dev 2012-03-23 07:02:08 UTC
(In reply to comment #11)
> Arches, could you look out for bug 409331 while testing and report there?
> This wasn't caught by the AMD64 team.

Myckel, this is a duplicate of bug 388585 and this is not a regression.
Comment 13 Fabian Köster 2012-03-23 10:54:48 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > Arches, could you look out for bug 409331 while testing and report there?
> > This wasn't caught by the AMD64 team.
> 
> Myckel, this is a duplicate of bug 388585 and this is not a regression.

I think it is a regression, www-client/firefox-10.0.1-r1 builts and 10.0.3 does not.
Comment 14 Thomas Kahle (RETIRED) gentoo-dev 2012-03-25 15:31:49 UTC
Alright bug 409331 is solved and (independently) bug 388585 is not a regression. x86 stable.  Thanks.
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-27 11:28:06 UTC
Once again, remaining arches will continue in bug 413657
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:16 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).