SuSE 10 Security Update : mozilla-xulrunner191 (ZYPP Patch Number 7363)

This script is Copyright (C) 2011-2012 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 10 host is missing a security-related patch.

Description :

Mozilla XULRunner 1.9.1 has been updated to version 1.9.1.17, fixing
the following security issues :

- Several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products have been
identified and fixed. Some of these bugs showed evidence
of memory corruption under certain circumstances, and it
is assumed that with enough effort at least some of
these could be exploited to run arbitrary code. (MFSA
2010-74 / CVE-2010-3777)

- Several memory safety bugs in the browser engine used in
Firefox and other Mozilla-based products have been
identified and fixed. Some of these bugs showed evidence
of memory corruption under certain circumstances, and it
is assumed that with enough effort at least some of
these could be exploited to run arbitrary code. (MFSA
2011-01 / CVE-2011-0053 / CVE-2011-0062)

- A recursive call to eval() wrapped in a try/catch
statement places the browser into a inconsistent state.
Any dialog box opened in this state is displayed without
text and with non-functioning buttons. Closing the
window causes the dialog to evaluate to true. An
attacker could use this issue to force a user into
accepting any dialog, such as one granting elevated
privileges to the page presenting the dialog. (MFSA
2011-02 / CVE-2011-0051)

- A method used by JSON.stringify contains a
use-after-free error in which a currently in-use pointer
was freed and subsequently dereferenced. This could lead
to arbitrary code execution if an attacker is able to
store malicious code in the freed section of memory.
(MFSA 2011-03 / CVE-2011-0055)

- The JavaScript engine's internal memory mapping of
non-local JS variables contains a buffer overflow which
could potentially be used by an attacker to run
arbitrary code on a victim's computer. (MFSA 2011-04 /
CVE-2011-0054)

- The JavaScript engine's internal mapping of string
values contains an error in cases where the number of
values being stored is above 64K. In such cases an
offset pointer is manually moved forwards and backwards
to access the larger address space. If an exception is
thrown between the time that the offset pointer was
moved forward and the time it gets reset, the exception
object would be read from an invalid memory address,
potentially executing attacker-controlled memory. (MFSA
2011-05 / CVE-2011-0056)

- A JavaScript Worker could be used to keep a reference to
an object that could be freed during garbage collection.
Subsequent calls through this deleted reference could
cause attacker-controlled memory to be executed on a
victim's computer. (MFSA 2011-06 / CVE-2011-0057)

- When very long strings are constructed and inserted into
an HTML document, the browser incorrectly constructs the
layout objects used to display the text. Under such
conditions an incorrect length would be calculated for a
text run resulting in too small of a memory buffer being
allocated to store the text. This issue could be used by
an attacker to write data past the end of the buffer and
execute malicious code on a victim's computer. It
affects only Mozilla browsers on Windows. (MFSA 2011-07
/ CVE-2011-0058)

- ParanoidFragmentSink, a class used to sanitize
potentially unsafe HTML for display, allows javascript:
URLs and other inline JavaScript when the embedding
document is a chrome document. While there are no unsafe
uses of this class in any released products, extension
code could potentially use it in an unsafe manner. (MFSA
2011-08 / CVE-2010-1585)

- When plugin-initiated requests receive a 307 redirect
response, the plugin is not notified and the request is
forwarded to the new location. This is true even for
cross-site redirects, so any custom headers that were
added as part of the initial request would be forwarded
intact across origins. This poses a CSRF risk for web
applications that rely on custom headers only being
present in requests from their own origin. (MFSA 2011-10
/ CVE-2011-0059)

See also :

http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2011/mfsa2011-01.html
http://www.mozilla.org/security/announce/2011/mfsa2011-02.html
http://www.mozilla.org/security/announce/2011/mfsa2011-03.html
http://www.mozilla.org/security/announce/2011/mfsa2011-05.html
http://www.mozilla.org/security/announce/2011/mfsa2011-06.html
http://www.mozilla.org/security/announce/2011/mfsa2011-07.html
http://www.mozilla.org/security/announce/2011/mfsa2011-08.html
http://www.mozilla.org/security/announce/2011/mfsa2011-10.html
http://support.novell.com/security/cve/CVE-2010-1585.html
http://support.novell.com/security/cve/CVE-2010-3777.html
http://support.novell.com/security/cve/CVE-2011-0051.html
http://support.novell.com/security/cve/CVE-2011-0053.html
http://support.novell.com/security/cve/CVE-2011-0054.html
http://support.novell.com/security/cve/CVE-2011-0055.html
http://support.novell.com/security/cve/CVE-2011-0056.html
http://support.novell.com/security/cve/CVE-2011-0057.html
http://support.novell.com/security/cve/CVE-2011-0058.html
http://support.novell.com/security/cve/CVE-2011-0059.html
http://support.novell.com/security/cve/CVE-2011-0062.html

Solution :

Apply ZYPP patch number 7363.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now