jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird ESR 10.x before 10.0.5 does not properly determine data types, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted JavaScript code.

From Red Hat Security Advisory 2012:0715 :

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Thunderbird no longer blocked Thunderbird inline event handlers.
Malicious content could possibly bypass intended restrictions if that content relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted content that is stored on a Microsoft Windows share, or a Samba share, loading such content with Thunderbird could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening content from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938;
Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

Note: None of the issues in this advisory can be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.5 ESR, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes to take effect.

From Red Hat Security Advisory 2012:0710 :

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.5 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938;
Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.5 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

Mozilla Firefox has been updated to 10.0.5ESR fixing various bugs and security issues.

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-34)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian     Holler, Andrew McCreight, and Brian Bondy reported     memory safety problems and crashes that affect Firefox     12. (CVE-2012-1938)

    Christian Holler reported a memory safety problem that     affects Firefox ESR. (CVE-2012-1939)

    Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse     Ruderman reported memory safety problems and crashes     that affect Firefox ESR and Firefox 13. (CVE-2012-1937)

    Ken Russell of Google reported a bug in NVIDIA graphics     drivers that they needed to work around in the Chromium     WebGL implementation. Mozilla has done the same in     Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

  - Security researcher James Forshaw of Context Information     Security found two issues with the Mozilla updater and     the Mozilla updater service introduced in Firefox 12 for     Windows. The first issue allows Mozilla's updater to     load a local DLL file in a privileged context. The     updater can be called by the Updater Service or     independently on systems that do not use the service.
    The second of these issues allows for the updater     service to load an arbitrary local DLL file, which can     then be run with the same system privileges used by the     service. Both of these issues require local file system     access to be exploitable. (MFSA 2012-35)

    Possible Arbitrary Code Execution by Update Service     (CVE-2012-1942) Updater.exe loads wsock32.dll from     application directory. (CVE-2012-1943)

  - Security researcher Adam Barth found that inline event     handlers, such as onclick, were no longer blocked by     Content Security Policy's (CSP) inline-script blocking     feature. Web applications relying on this feature of CSP     to protect against cross-site scripting (XSS) were not     fully protected. (CVE-2012-1944). (MFSA 2012-36)

  - Security researcher Paul Stone reported an attack where     an HTML page hosted on a Windows share and then loaded     could then load Windows shortcut files (.lnk) in the     same share. These shortcut files could then link to     arbitrary locations on the local file system of the     individual loading the HTML page. That page could show     the contents of these linked files or directories from     the local file system in an iframe, causing information     disclosure. (MFSA 2012-37)

    This issue could potentially affect Linux machines with     samba shares enabled. (CVE-2012-1945)

  - Security researcher Arthur Gerkis used the Address     Sanitizer tool to find a use-after-free while     replacing/inserting a node in a document. This     use-after-free could possibly allow for remote code     execution. (CVE-2012-1946). (MFSA 2012-38)

  - Security researcher Kaspar Brand found a flaw in how the     Network Security Services (NSS) ASN.1 decoder handles     zero length items. Effects of this issue depend on the     field. One known symptom is an unexploitable crash in     handling OCSP responses. NSS also mishandles zero-length     basic constraints, assuming default values for some     types that should be rejected as malformed. These issues     have been addressed in NSS 3.13.4, which is now being     used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)

  - Security researcher Abhishek Arya of Google used the     Address Sanitizer tool to uncover several issues: two     heap buffer overflow bugs and a use-after-free problem.
    The first heap buffer overflow was found in conversion     from unicode to native character sets when the function     fails. The use-after-free occurs in nsFrameList when     working with column layout with absolute positioning in     a container that changes size. The second buffer     overflow occurs in nsHTMLReflowState when a window is     resized on a page with nested columns and a combination     of absolute and relative positioning. All three of these     issues are potentially exploitable. (MFSA 2012-40)

    Heap-buffer-overflow in utf16_to_isolatin1     (CVE-2012-1947) Heap-use-after-free in     nsFrameList::FirstChild. (CVE-2012-1940)

    Heap-buffer-overflow in     nsHTMLReflowState::CalculateHypotheticalBox, with nested     multi-column, relative position, and absolute position.
    (CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities have been discovered in Icedove, the Debian version of the Mozilla Thunderbird mail/news client. There were miscellaneous memory safety hazards (CVE-2012-1937, CVE-2012-1939 ) and a use-after-free issue (CVE-2012-1940 ).

Security issues were identified and fixed in mozilla firefox and thunderbird :

Heap-based buffer overflow in the utf16_to_isolatin1 function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code via vectors that trigger a character-set conversion failure (CVE-2012-1947)

Use-after-free vulnerability in the nsFrameList::FirstChild function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) by changing the size of a container of absolutely positioned elements in a column (CVE-2012-1940).

Heap-based buffer overflow in the nsHTMLReflowState::CalculateHypotheticalBox function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allows remote attackers to execute arbitrary code by resizing a window displaying absolutely positioned and relatively positioned elements in nested columns (CVE-2012-1941).

Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 might allow remote attackers to execute arbitrary code via document changes involving replacement or insertion of a node (CVE-2012-1946).

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME element, as demonstrated by a network share implemented by (1) Microsoft Windows or (2) Samba (CVE-2012-1945).

The Content Security Policy (CSP) implementation in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 does not block inline event handlers, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted HTML document (CVE-2012-1944).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp, and unknown other components (CVE-2012-1938).

jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird ESR 10.x before 10.0.5 does not properly determine data types, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted JavaScript code (CVE-2012-1939).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-1937).

Ken Russell of Google reported a bug in NVIDIA graphics drivers that they needed to work around in the Chromium WebGL implementation.
Mozilla has done the same in Firefox 13 and ESR 10.0.5 (CVE-2011-3101).

The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response (CVE-2012-0441). NOTE: This flaw was addressed earlier with the MDVA-2012:036 advisory.

The mozilla firefox and thunderbird packages has been upgraded to the latest respective versions which is unaffected by these security flaws.

Additionally the NSPR and the NSS packages has been upgraded to the latest versions which resolves various upstream bugs.

MozillaFirefox has been updated to 10.0.5ESR fixing various bugs and security issues.

  - Mozilla developers identified and fixed several memory     safety bugs in the browser engine used in Firefox and     other Mozilla-based products. Some of these bugs showed     evidence of memory corruption under certain     circumstances, and we presume that with enough effort at     least some of these could be exploited to run arbitrary     code. (MFSA 2012-34)

    In general these flaws cannot be exploited through email     in the Thunderbird and SeaMonkey products because     scripting is disabled, but are potentially a risk in     browser or browser-like contexts in those products.
    References

    Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian     Holler, Andrew McCreight, and Brian Bondy reported     memory safety problems and crashes that affect Firefox     12. (CVE-2012-1938)

    Christian Holler reported a memory safety problem that     affects Firefox ESR. (CVE-2012-1939)

    Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse     Ruderman reported memory safety problems and crashes     that affect Firefox ESR and Firefox 13. (CVE-2012-1937)

    Ken Russell of Google reported a bug in NVIDIA graphics     drivers that they needed to work around in the Chromium     WebGL implementation. Mozilla has done the same in     Firefox 13 and ESR 10.0.5. (CVE-2011-3101)

  - Security researcher James Forshaw of Context Information     Security found two issues with the Mozilla updater and     the Mozilla updater service introduced in Firefox 12 for     Windows. The first issue allows Mozilla's updater to     load a local DLL file in a privileged context. The     updater can be called by the Updater Service or     independently on systems that do not use the service.
    The second of these issues allows for the updater     service to load an arbitrary local DLL file, which can     then be run with the same system privileges used by the     service. Both of these issues require local file system     access to be exploitable. (MFSA 2012-35)

    Possible Arbitrary Code Execution by Update Service     (CVE-2012-1942) Updater.exe loads wsock32.dll from     application directory. (CVE-2012-1943)

  - Security researcher Adam Barth found that inline event     handlers, such as onclick, were no longer blocked by     Content Security Policy's (CSP) inline-script blocking     feature. Web applications relying on this feature of CSP     to protect against cross-site scripting (XSS) were not     fully protected. (CVE-2012-1944). (MFSA 2012-36)

  - Security researcher Paul Stone reported an attack where     an HTML page hosted on a Windows share and then loaded     could then load Windows shortcut files (.lnk) in the     same share. These shortcut files could then link to     arbitrary locations on the local file system of the     individual loading the HTML page. That page could show     the contents of these linked files or directories from     the local file system in an iframe, causing information     disclosure. (MFSA 2012-37)

    This issue could potentially affect Linux machines with     samba shares enabled. (CVE-2012-1945)

  - Security researcher Arthur Gerkis used the Address     Sanitizer tool to find a use-after-free while     replacing/inserting a node in a document. This     use-after-free could possibly allow for remote code     execution. (CVE-2012-1946). (MFSA 2012-38)

  - Security researcher Kaspar Brand found a flaw in how the     Network Security Services (NSS) ASN.1 decoder handles     zero length items. Effects of this issue depend on the     field. One known symptom is an unexploitable crash in     handling OCSP responses. NSS also mishandles zero-length     basic constraints, assuming default values for some     types that should be rejected as malformed. These issues     have been addressed in NSS 3.13.4, which is now being     used by Mozilla. (CVE-2012-0441). (MFSA 2012-39)

  - Security researcher Abhishek Arya of Google used the     Address Sanitizer tool to uncover several issues: two     heap buffer overflow bugs and a use-after-free problem.
    The first heap buffer overflow was found in conversion     from unicode to native character sets when the function     fails. The use-after-free occurs in nsFrameList when     working with column layout with absolute positioning in     a container that changes size. The second buffer     overflow occurs in nsHTMLReflowState when a window is     resized on a page with nested columns and a combination     of absolute and relative positioning. All three of these     issues are potentially exploitable. (MFSA 2012-40)

    Heap-buffer-overflow in utf16_to_isolatin1     (CVE-2012-1947) Heap-use-after-free in     nsFrameList::FirstChild. (CVE-2012-1940)

    Heap-buffer-overflow in     nsHTMLReflowState::CalculateHypotheticalBox, with nested     multi-column, relative position, and absolute position.
    (CVE-2012-1941)

More information on security issues can be found on:
http://www.mozilla.org/security/announce/

Versions of SeaMonkey 2.x earlier than 2.10 are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1938)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Thunderbird no longer blocked Thunderbird inline event handlers.
Malicious content could possibly bypass intended restrictions if that content relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted content that is stored on a Microsoft Windows share, or a Samba share, loading such content with Thunderbird could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening content from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938;
Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

Note: None of the issues in this advisory can be exploited by a specially crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.5 ESR, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes to take effect.

Versions of Firefox 12.x  are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Thunderbird 12.x  are potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)

  - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)

  - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)

  -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Mozilla Thunderbird prior to 13.0 are affected by the following security issues :

 - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
 - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
 - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
 - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
 - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
 - A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Versions of Firefox prior to 13.0 are potentially affected by the following security issues :

 - An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
 - Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
 - Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
 - Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
 - The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
 -  A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)


The installed version of Thunderbird 10.0.x is potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

   - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1939)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

The installed version of Firefox 10.0.x is potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1939)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

The installed version of Thunderbird 10.0.x is potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1939)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

The installed version of Firefox is earlier than 10.0.5 and thus, is potentially affected by the following security issues :

  - An error exists in the ASN.1 decoder when handling zero     length items that can lead to application crashes.
    (CVE-2012-0441)

  - Multiple memory corruption errors exist. (CVE-2012-1937,     CVE-2012-1939)

  - Two heap-based buffer overflows and one heap-based use-     after-free error exist and are potentially exploitable.
    (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - The inline-script blocking feature of the 'Content     Security Policy' (CSP) does not properly block inline     event handlers. This error allows remote attackers to     more easily carry out cross-site scripting attacks.
    (CVE-2012-1944)

  - A use-after-free error exists related to replacing or     inserting a node into a web document. (CVE-2012-1946)

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947)

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.

It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS). (CVE-2012-1944)

If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems. (CVE-2012-1945)

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.5 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938;
Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.5 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0710 advisory.

  - Mozilla: Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5) (MFSA 2012-34) (CVE-2011-3101,     CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-3105)

  - Mozilla: Buffer overflow and use-after-free issues found using Address Sanitizer (MFSA 2012-40)     (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)

  - Mozilla: Content Security Policy inline-script bypass (MFSA 2012-36) (CVE-2012-1944)

  - Mozilla: Information disclosure though Windows file shares and shortcut files (MFSA 2012-37)     (CVE-2012-1945)

  - Mozilla: Use-after-free while replacing/inserting a node in a document (MFSA 2012-38) (CVE-2012-1946)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Mozilla Project reports :

MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

MFSA 2012-36 Content Security Policy inline-script bypass

MFSA 2012-37 Information disclosure though Windows file shares and shortcut files

MFSA 2012-38 Use-after-free while replacing/inserting a node in a document

MFSA 2012-39 NSS parsing errors with zero length items

MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer

ID	Name	Product	Family	Severity
68536	Oracle Linux 6 : thunderbird (ELSA-2012-0715)	Nessus	Oracle Linux Local Security Checks	critical
68535	Oracle Linux 5 / 6 : firefox (ELSA-2012-0710)	Nessus	Oracle Linux Local Security Checks	critical
64208	SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 6425)	Nessus	SuSE Local Security Checks	critical
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
59777	Debian DSA-2499-1 : icedove - several vulnerabilities	Nessus	Debian Local Security Checks	high
59681	Mandriva Linux Security Advisory : mozilla (MDVSA-2012:088-1)	Nessus	Mandriva Local Security Checks	critical
59520	SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8189)	Nessus	SuSE Local Security Checks	critical
801375	Mozilla SeaMonkey 2.x < 2.10 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
6496	SeaMonkey 2.x < 2.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
59412	CentOS 5 / 6 : thunderbird (CESA-2012:0715)	Nessus	CentOS Local Security Checks	critical
801297	Mozilla Firefox 12.x < 12 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
801240	Mozilla Thunderbird 12.x < 12 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
6498	Mozilla Thunderbird < 13.0 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
6497	Mozilla Firefox < 13.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
59410	Mozilla Thunderbird 10.0.x < 10.0.5 Multiple Vulnerabilities	Nessus	Windows	high
59408	Firefox 10.0.x < 10.0.5 Multiple Vulnerabilities	Nessus	Windows	high
59406	Thunderbird 10.0.x < 10.0.5 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
59404	Firefox < 10.0.5 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
59392	RHEL 5 / 6 : thunderbird (RHSA-2012:0715)	Nessus	Red Hat Local Security Checks	critical
59388	CentOS 5 / 6 : firefox (CESA-2012:0710)	Nessus	CentOS Local Security Checks	critical
59383	RHEL 5 / 6 : firefox (RHSA-2012:0710)	Nessus	Red Hat Local Security Checks	medium
59381	FreeBSD : mozilla -- multiple vulnerabilities (bfecf7c1-af47-11e1-9580-4061862b8c22)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2012-1939

high

Tenable Plugins

critical

critical

critical

critical

high

critical

critical

high

high

critical

high

high

high

high

high

high

high

high

critical

critical

medium

critical