Mandriva Linux Security Advisory : mozilla (MDVSA-2012:110-1)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.

Synopsis :

The remote Mandriva Linux host is missing one or more security

Description :

Security issues were identified and fixed in mozilla firefox and
thunderbird :

Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code (CVE-2012-1949,

Security researcher Mario Gomes andresearch firm Code Audit Labs
reported a mechanism to short-circuit page loads through drag and drop
to the addressbar by canceling the page load. This causes the address
of the previously site entered to be displayed in the addressbar
instead of the currently loaded page. This could lead to potential
phishing attacks on users (CVE-2012-1950).

Google security researcher Abhishek Arya used the Address Sanitizer
tool to uncover four issues: two use-after-free problems, one out of
bounds read bug, and a bad cast. The first use-after-free problem is
caused when an array of nsSMILTimeValueSpec objects is destroyed but
attempts are made to call into objects in this array later. The second
use-after-free problem is in nsDocument::AdoptNode when it adopts into
an empty document and then adopts into another document, emptying the
first one. The heap buffer overflow is in ElementAnimations when data
is read off of end of an array and then pointers are dereferenced. The
bad cast happens when nsTableFrame::InsertFrames is called with frames
in aFrameList that are a mix of row group frames and column group
frames. AppendFrames is not able to handle this mix. All four of these
issues are potentially exploitable (CVE-2012-1951, CVE-2012-1954,
CVE-2012-1953, CVE-2012-1952).

Security researcher Mariusz Mlynski reported an issue with spoofing of
the location property. In this issue, calls to history.forward and
history.back are used to navigate to a site while displaying the
previous site in the addressbar but changing the baseURI to the newer
site. This can be used for phishing by allowing the user input form or
other data on the newer, attacking, site while appearing to be on the
older, displayed site (CVE-2012-1955).

Mozilla security researcher moz_bug_r_a4 reported a cross-site
scripting (XSS) attack through the context menu using a data: URL. In
this issue, context menu functionality (View Image, Show only this
frame, and View background image) are disallowed in a javascript: URL
but allowed in a data: URL, allowing for XSS. This can lead to
arbitrary code execution (CVE-2012-1966).

Security researcher Mario Heiderich reported that JavaScript could be
executed in the HTML feed-view using <embed> tag within the RSS
<description>. This problem is due to <embed> tags not being filtered
out during parsing and can lead to a potential cross-site scripting
(XSS) attack. The flaw existed in a parser utility class and could
affect other parts of the browser or add-ons which rely on that class
to sanitize untrusted input (CVE-2012-1957).

Security researcher Arthur Gerkis used the Address Sanitizer tool to
find a use-after-free in nsGlobalWindow::PageHidden when
mFocusedContent is released and oldFocusedContent is used afterwards.
This use-after-free could possibly allow for remote code execution

Mozilla developer Bobby Holley found that same-compartment security
wrappers (SCSW) can be bypassed by passing them to another
compartment. Cross-compartment wrappers often do not go through SCSW,
but have a filtering policy built into them. When an object is wrapped
cross-compartment, the SCSW is stripped off and, when the object is
read read back, it is not known that SCSW was previously present,
resulting in a bypassing of SCSW. This could result in untrusted
content having access to the XBL that implements browser functionality

Google developer Tony Payne reported an out of bounds (OOB) read in
QCMS, Mozillas color management library. With a carefully crafted
color profile portions of a user's memory could be incorporated into a
transformed image and possibly deciphered (CVE-2012-1960).

Bugzilla developer Fredric Buclin reported that the X-Frame-Options
header is ignored when the value is duplicated, for example
X-Frame-Options: SAMEORIGIN, SAMEORIGIN. This duplication occurs for
unknown reasons on some websites and when it occurs results in Mozilla
browsers not being protected against possible clickjacking attacks on
those pages (CVE-2012-1961).

Security researcher Bill Keese reported a memory corruption. This is
caused by JSDependentString::undepend changing a dependent string into
a fixed string when there are additional dependent strings relying on
the same base. When the undepend occurs during conversion, the base
data is freed, leaving other dependent strings with dangling pointers.
This can lead to a potentially exploitable crash (CVE-2012-1962).

Security researcher Karthikeyan Bhargavan of Prosecco at INRIA
reported Content Security Policy (CSP) 1.0 implementation errors. CSP
violation reports generated by Firefox and sent to the report-uri
location include sensitive data within the blocked-uri parameter.
These include fragment components and query strings even if the
blocked-uri parameter has a different origin than the protected
resource. This can be used to retrieve a user's OAuth 2.0 access
tokens and OpenID credentials by malicious sites (CVE-2012-1963).

Security Researcher Matt McCutchen reported that a clickjacking attack
using the certificate warning page. A man-in-the-middle (MITM)
attacker can use an iframe to display its own certificate error
warning page (about:certerror) with the Add Exception button of a real
warning page from a malicious site. This can mislead users to adding a
certificate exception for a different site than the perceived one.
This can lead to compromised communications with the user perceived
site through the MITM attack once the certificate exception has been
added (CVE-2012-1964).

Security researchers Mario Gomes and Soroush Dalili reported that
since Mozilla allows the pseudo-protocol feed: to prefix any valid
URL, it is possible to construct feed:javascript: URLs that will
execute scripts in some contexts. On some sites it may be possible to
use this to evade output filtering that would otherwise strip
javascript: URLs and thus contribute to cross-site scripting (XSS)
problems on these sites (CVE-2012-1965).

Mozilla security researcher moz_bug_r_a4 reported a arbitrary code
execution attack using a javascript: URL. The Gecko engine features a
JavaScript sandbox utility that allows the browser or add-ons to
safely execute script in the context of a web page. In certain cases,
javascript: URLs are executed in such a sandbox with insufficient
context that can allow those scripts to escape from the sandbox and
run with elevated privilege. This can lead to arbitrary code execution

The mozilla firefox and thunderbird packages has been upgraded to the
latest respective versions which is unaffected by these security

Additionally the rootcerts packages has been upgraded to the latest
version which brings updated root CA data.

Update :

Localization packages for firefox was missing with the MDVSA-2012:110
advisory and is being provided with this advisory.

See also :

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.7
Public Exploit Available : false