Mandriva Linux Security Advisory : firefox (MDVSA-2010:042)

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Security issues were identified and fixed in firefox 3.0.x and 3.5.x :

Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of
these could be exploited to run arbitrary code (CVE-2010-0159).

Security researcher Orlando Barrera II reported via TippingPoint's
Zero Day Initiative that Mozilla's implementation of Web Workers
contained an error in its handling of array data types when processing
posted messages. This error could be used by an attacker to corrupt
heap memory and crash the browser, potentially running arbitrary code
on a victim's computer (CVE-2010-0160).

Security researcher Alin Rad Pop of Secunia Research reported that the
HTML parser incorrectly freed used memory when insufficient space was
available to process remaining input. Under such circumstances, memory
occupied by in-use objects was freed and could later be filled with
attacker-controlled text. These conditions could result in the
execution or arbitrary code if methods on the freed objects were
subsequently called (CVE-2009-1571).

Security researcher Hidetake Jo of Microsoft Vulnerability Research
reported that the properties set on an object passed to
showModalDialog were readable by the document contained in the dialog,
even when the document was from a different domain. This is a
violation of the same-origin policy and could result in a website
running untrusted JavaScript if it assumed the dialogArguments could
not be initialized by another site. An anonymous security researcher,
via TippingPoint's Zero Day Initiative, also independently reported
this issue to Mozilla (CVE-2009-3988).

Mozilla security researcher Georgi Guninski reported that when a SVG
document which is served with Content-Type: application/octet-stream
is embedded into another document via an <embed> tag with
type=image/svg+xml, the Content-Type is ignored and the SVG document
is processed normally. A website which allows arbitrary binary data to
be uploaded but which relies on Content-Type: application/octet-stream
to prevent script execution could have such protection bypassed. An
attacker could upload a SVG document containing JavaScript as a binary
file to a website, embed the SVG document into a malicous page on
another site, and gain access to the script environment from the
SVG-serving site, bypassing the same-origin policy (CVE-2010-0162).

The CSSLoaderImpl::DoSheetComplete function in
layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18,
3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2;
and SeaMonkey before 2.0.3 changes the case of certain strings in a
stylesheet before adding this stylesheet to the XUL cache, which might
allow remote attackers to modify the browser's font and other CSS
attributes, and potentially disrupt rendering of a web page, by
forcing the browser to perform this erroneous stylesheet caching
(CVE-2010-0169).

Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x
before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3
allow remote attackers to perform cross-origin keystroke capture, and
possibly conduct cross-site scripting (XSS) attacks, by using the
addEventListener and setTimeout functions in conjunction with a
wrapped object. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2007-3736 (CVE-2010-0171).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

Additionally, some packages which require so, have been rebuilt and
are being provided as updates.

See also :

http://www.nessus.org/u?59131da5
http://www.nessus.org/u?3063625e

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Mandriva Local Security Checks

Nessus Plugin ID: 44672 (mandriva_MDVSA-2010-042.nasl)

Bugtraq ID: 38285
38286
38287
38288
38289

CVE ID: CVE-2009-1571
CVE-2009-3988
CVE-2010-0159
CVE-2010-0160
CVE-2010-0162
CVE-2010-0169
CVE-2010-0171

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now