SuSE 10 Security Update : mozilla-xulrunner191 (ZYPP Patch Number 7363)
Critical Nessus Plugin ID 52652
SynopsisThe remote SuSE 10 host is missing a security-related patch.
DescriptionMozilla XULRunner 1.9.1 has been updated to version 22.214.171.124, fixing the following security issues :
- Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products have been identified and fixed. Some of these bugs showed evidence of memory corruption under certain circumstances, and it is assumed that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2010-74 / CVE-2010-3777)
- Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products have been identified and fixed. Some of these bugs showed evidence of memory corruption under certain circumstances, and it is assumed that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2011-01 / CVE-2011-0053 / CVE-2011-0062)
- A recursive call to eval() wrapped in a try/catch statement places the browser into a inconsistent state.
Any dialog box opened in this state is displayed without text and with non-functioning buttons. Closing the window causes the dialog to evaluate to true. An attacker could use this issue to force a user into accepting any dialog, such as one granting elevated privileges to the page presenting the dialog. (MFSA 2011-02 / CVE-2011-0051)
- A method used by JSON.stringify contains a use-after-free error in which a currently in-use pointer was freed and subsequently dereferenced. This could lead to arbitrary code execution if an attacker is able to store malicious code in the freed section of memory.
(MFSA 2011-03 / CVE-2011-0055)
Subsequent calls through this deleted reference could cause attacker-controlled memory to be executed on a victim's computer. (MFSA 2011-06 / CVE-2011-0057)
- When very long strings are constructed and inserted into an HTML document, the browser incorrectly constructs the layout objects used to display the text. Under such conditions an incorrect length would be calculated for a text run resulting in too small of a memory buffer being allocated to store the text. This issue could be used by an attacker to write data past the end of the buffer and execute malicious code on a victim's computer. It affects only Mozilla browsers on Windows. (MFSA 2011-07 / CVE-2011-0058)
- When plugin-initiated requests receive a 307 redirect response, the plugin is not notified and the request is forwarded to the new location. This is true even for cross-site redirects, so any custom headers that were added as part of the initial request would be forwarded intact across origins. This poses a CSRF risk for web applications that rely on custom headers only being present in requests from their own origin. (MFSA 2011-10 / CVE-2011-0059)
SolutionApply ZYPP patch number 7363.