SuSE 10 Security Update : Mozilla XULRunner (ZYPP Patch Number 6866)
Critical Nessus Plugin ID 49900
SynopsisThe remote SuSE 10 host is missing a security-related patch.
DescriptionMozilla XUL Runner engine 1.9.0 was upgraded to version 22.214.171.124, fixing various bugs and security issues.
The following security issues have been fixed :
- Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2010-01 / CVE-2010-0159)
- Security researcher Orlando Barrera II reported via TippingPoint's Zero Day Initiative that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer. (MFSA 2010-02 / CVE-2010-0160)
- Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.
(MFSA 2010-03 / CVE-2009-1571)
An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla.
SolutionApply ZYPP patch number 6866.