Oracle Solaris Third-Party Patch Update : firefox (multiple_vulnerabilities_in_firefox)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing the patches needed to address the
following vulnerabilities :

- The qcms_transform_data_rgb_out_lut_sse2 function in the
QCMS implementation in Mozilla Firefox 4.x through 13.0,
Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11
might allow remote attackers to obtain sensitive
information from process memory via a crafted color
profile that triggers an out-of-bounds read operation.
(CVE-2012-1960)

- Multiple unspecified vulnerabilities in the browser
engine in Mozilla Firefox before 15.0, Firefox ESR 10.x
before 10.0.7, Thunderbird before 15.0, Thunderbird ESR
10.x before 10.0.7, and SeaMonkey before 2.12 allow
remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute
arbitrary code via unknown vectors. (CVE-2012-1970)

- Multiple unspecified vulnerabilities in the browser
engine in Mozilla Firefox before 15.0, Thunderbird
before 15.0, and SeaMonkey before 2.12 allow remote
attackers to cause a denial of service (memory
corruption and application crash) or possibly execute
arbitrary code via vectors related to garbage collection
after certain MethodJIT execution, and unknown other
vectors. (CVE-2012-1971)

- Use-after-free vulnerability in the
nsHTMLEditor::CollapseAdjacentTextNodes function in
Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-1972)

- Use-after-free vulnerability in the
nsObjectLoadingContent::LoadObject function in Mozilla
Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
Thunderbird before 15.0, Thunderbird ESR 10.x before
10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-1973)

- Use-after-free vulnerability in the
gfxTextRun::CanBreakLineBefore function in Mozilla
Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
Thunderbird before 15.0, Thunderbird ESR 10.x before
10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-1974)

- Use-after-free vulnerability in the
PresShell::CompleteMove function in Mozilla Firefox
before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 allows remote attackers to execute
arbitrary code or cause a denial of service (heap memory
corruption) via unspecified vectors. (CVE-2012-1975)

- Use-after-free vulnerability in the
nsHTMLSelectElement::SubmitNamesValues function in
Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-1976)

- Use-after-free vulnerability in the
MediaStreamGraphThreadRunnable::Run function in Mozilla
Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
Thunderbird before 15.0, Thunderbird ESR 10.x before
10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-3956)

- Heap-based buffer overflow in the
nsBlockFrame::MarkLineDirty function in Mozilla Firefox
before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 allows remote attackers to execute
arbitrary code via unspecified vectors. (CVE-2012-3957)

- Use-after-free vulnerability in the
nsHTMLEditRules::DeleteNonTableElements function in
Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-3958)

- Use-after-free vulnerability in the
nsRangeUpdater::SelAdjDeleteNode function in Mozilla
Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
Thunderbird before 15.0, Thunderbird ESR 10.x before
10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-3959)

- Use-after-free vulnerability in the
mozSpellChecker::SetCurrentDictionary function in
Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified
vectors. (CVE-2012-3960)

- Use-after-free vulnerability in the RangeData
implementation in Mozilla Firefox before 15.0, Firefox
ESR 10.x before 10.0.7, Thunderbird before 15.0,
Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before
2.12 allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption)
via unspecified vectors. (CVE-2012-3961)

- Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 do not properly
iterate through the characters in a text run, which
allows remote attackers to execute arbitrary code via a
crafted document. (CVE-2012-3962)

- Use-after-free vulnerability in the
js::gc::MapAllocToTraceKind function in Mozilla Firefox
before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 allows remote attackers to execute
arbitrary code via unspecified vectors. (CVE-2012-3963)

- Use-after-free vulnerability in the
gfxTextRun::GetUserData function in Mozilla Firefox
before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 allows remote attackers to execute
arbitrary code or cause a denial of service (heap memory
corruption) via unspecified vectors. (CVE-2012-3964)

- Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 allow remote
attackers to execute arbitrary code or cause a denial of
service (memory corruption) via a negative height value
in a BMP image within a .ICO file, related to (1)
improper handling of the transparency bitmask by the
nsICODecoder component and (2) improper processing of
the alpha channel by the nsBMPDecoder component.
(CVE-2012-3966)

- The WebGL implementation in Mozilla Firefox before 15.0,
Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0,
Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before
2.12 on Linux, when a large number of sampler uniforms
are used, does not properly interact with Mesa drivers,
which allows remote attackers to execute arbitrary code
or cause a denial of service (stack memory corruption)
via a crafted web site. (CVE-2012-3967)

- Use-after-free vulnerability in the WebGL implementation
in Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x
before 10.0.7, and SeaMonkey before 2.12 allows remote
attackers to execute arbitrary code via vectors related
to deletion of a fragment shader by its accessor.
(CVE-2012-3968)

- Integer overflow in the nsSVGFEMorphologyElement::Filter
function in Mozilla Firefox before 15.0, Firefox ESR
10.x before 10.0.7, Thunderbird before 15.0, Thunderbird
ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows
remote attackers to execute arbitrary code via a crafted
SVG filter that triggers an incorrect sum calculation,
leading to a heap-based buffer overflow. (CVE-2012-3969)

- Use-after-free vulnerability in the
nsTArray_base::Length function in Mozilla Firefox before
15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before
15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
before 2.12 allows remote attackers to execute arbitrary
code or cause a denial of service (heap memory
corruption) via vectors involving movement of a
requiredFeatures attribute from one SVG document to
another. (CVE-2012-3970)

- The format-number functionality in the XSLT
implementation in Mozilla Firefox before 15.0, Firefox
ESR 10.x before 10.0.7, Thunderbird before 15.0,
Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before
2.12 allows remote attackers to obtain sensitive
information via unspecified vectors that trigger a
heap-based buffer over-read. (CVE-2012-3972)

- Untrusted search path vulnerability in the installer in
Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, Thunderbird before 15.0, and Thunderbird ESR
10.x before 10.0.7 on Windows allows local users to gain
privileges via a Trojan horse executable file in a root
directory. (CVE-2012-3974)

- Mozilla Firefox before 15.0, Firefox ESR 10.x before
10.0.7, and SeaMonkey before 2.12 do not properly handle
onLocationChange events during navigation between
different https sites, which allows remote attackers to
spoof the X.509 certificate information in the address
bar via a crafted web page. (CVE-2012-3976)

- The nsLocation::CheckURL function in Mozilla Firefox
before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
before 15.0, Thunderbird ESR 10.x before 10.0.7, and
SeaMonkey before 2.12 does not properly follow the
security model of the location object, which allows
remote attackers to bypass intended content-loading
restrictions or possibly have unspecified other impact
via vectors involving chrome code. (CVE-2012-3978)

- The web console in Mozilla Firefox before 15.0, Firefox
ESR 10.x before 10.0.7, Thunderbird before 15.0, and
Thunderbird ESR 10.x before 10.0.7 allows user-assisted
remote attackers to execute arbitrary JavaScript code
with chrome privileges via a crafted web site that
injects this code and triggers an eval operation.
(CVE-2012-3980)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?09b23ad2

Solution :

Upgrade to Solaris 11.1.2.5.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)