openSUSE Security Update : mozilla-xulrunner191 (mozilla-xulrunner191-2779)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update brings Mozilla XULRunner to the security release.

It fixes following security bugs: MFSA 2010-34 / CVE-2010-1211:
Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code. Jesse Ruderman, Ehsan
Akhgari, Mats Palmgren, Igor Bukanov, Gary Kwong, Tobias Markus and
Daniel Holbert reported memory safety problems that affected Firefox
3.6 and Firefox 3.5.

MFSA 2010-35 / CVE-2010-1208: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative an error in the DOM attribute
cloning routine where under certain circumstances an event attribute
node can be deleted while another object still contains a reference to
it. This reference could subsequently be accessed, potentially causing
the execution of attacker controlled memory.

MFSA 2010-36 / CVE-2010-1209: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative an error in Mozilla's
implementation of NodeIterator in which a malicious NodeFilter could
be created which would detach nodes from the DOM tree while it was
being traversed. The use of a detached and subsequently deleted node
could result in the execution of attacker-controlled memory.

MFSA 2010-37 / CVE-2010-1214: Security researcher J23 reported via
TippingPoint's Zero Day Initiative an error in the code used to store
the names and values of plugin parameter elements. A malicious page
could embed plugin content containing a very large number of parameter
elements which would cause an overflow in the integer value counting
them. This integer is later used in allocating a memory buffer used to
store the plugin parameters. Under such conditions, too small a buffer
would be created and attacker-controlled data could be written past
the end of the buffer, potentially resulting in code execution.

MFSA 2010-39 / CVE-2010-2752: Security researcher J23 reported via
TippingPoint's Zero Day Initiative that an array class used to store
CSS values contained an integer overflow vulnerability. The 16 bit
integer value used in allocating the size of the array could overflow,
resulting in too small a memory buffer being created. When the array
was later populated with CSS values data would be written past the end
of the buffer potentially resulting in the execution of
attacker-controlled memory.

MFSA 2010-40 / CVE-2010-2753: Security researcher regenrecht reported
via TippingPoint's Zero Day Initiative an integer overflow
vulnerability in the implementation of the XUL <tree> element's
selection attribute. When the size of a new selection is sufficiently
large the integer used in calculating the length of the selection can
overflow, resulting in a bogus range being marked selected. When
adjustSelection is then called on the bogus range the range is deleted
leaving dangling references to the ranges which could be used by an
attacker to call into deleted memory and run arbitrary code on a
victim's computer.

MFSA 2010-41 / CVE-2010-1205: OUSPG researcher Aki Helin reported a
buffer overflow in Mozilla graphics code which consumes image data
processed by libpng. A malformed PNG file could be created which would
cause libpng to incorrectly report the size of the image to downstream
consumers. When the dimensions of such images are underreported, the
Mozilla code responsible for displaying the graphic will allocate too
small a memory buffer to contain the image data and will wind up
writing data past the end of the buffer. This could result in the
execution of attacker-controlled memory.

MFSA 2010-42 / CVE-2010-1213: Security researcher Yosuke Hasegawa
reported that the Web Worker method importScripts can read and parse
resources from other domains even when the content is not valid
JavaScript. This is a violation of the same-origin policy and could be
used by an attacker to steal information from other sites.

MFSA 2010-45 / CVE-2010-1206: Google security researcher Michal
Zalewski reported two methods for spoofing the contents of the
location bar. The first method works by opening a new window
containing a resource that responds with an HTTP 204 (no content) and
then using the reference to the new window to insert HTML content into
the blank document. The second location bar spoofing method does not
require that the resource opened in a new window respond with 204, as
long as the opener calls window.stop() before the document is loaded.
In either case a user could be mislead as to the correct location of
the document they are currently viewing.

MFSA 2010-45 / CVE-2010-2751: Security researcher Jordi Chancel
reported that the location bar could be spoofed to look like a secure
page when the current document was served via plaintext. The
vulnerability is triggered by a server by first redirecting a request
for a plaintext resource to another resource behind a valid SSL/TLS
certificate. A second request made to the original plaintext resource
which is responded to not with a redirect but with JavaScript
containing history.back() and history.forward() will result in the
plaintext resource being displayed with valid SSL/TLS badging in the
location bar. References

MFSA 2010-46 / CVE-2010-0654: Google security researcher Chris Evans
reported that data can be read across domains by injecting bogus CSS
selectors into a target site and then retrieving the data using
JavaScript APIs. If an attacker can inject opening and closing
portions of a CSS selector into points A and B of a target page, then
the region between the two injection points becomes readable to
JavaScript through, for example, the getComputedStyle() API.

MFSA 2010-47 / CVE-2010-2754: Security researcher Soroush Dalili
reported that potentially sensitive URL parameters could be leaked
across domains upon script errors when the script filename and line
number is included in the error message.

See also :

Solution :

Update the affected mozilla-xulrunner191 packages.

Risk factor :

High / CVSS Base Score : 9.3

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now