[MeeGo-security] [MeeGo-SA-10:12.Firefox] Multiple Vulnerabilities in Firefox

Ware, Ryan R ryan.r.ware at intel.com
Fri Aug 27 16:21:59 PDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
MeeGo-SA-10:12.Firefox                                      Security Advisory
                                                                MeeGo Project

Topic:          Multiple Vulnerabilities in Firefox

Category:       Browser
Module:         firefox
Announced:      August 3, 2010
Affects:        MeeGo 1.0
Corrected:      August 3, 2010
MeeGo BID:      2568, 3601, 3607, 3608, 3609, 3610, 3611, 3614 & 3616
CVE:            CVE-2010-1990, CVE-2010-1206, CVE-2010-1200,
                CVE-2010-1201, CVE-2010-1202, CVE-2010-1203,
                CVE-2010-1199, CVE-2010-1198, CVE-2010-1197,
                CVE-2010-1196, CVE-2010-1125, CVE-2008-5913

For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

II.  Problem Description

CVE-2010-1990: Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and
SeaMonkey, executes a mail application in situations where an IFRAME
element has a mailto: URL in its SRC attribute, which allows remote
attackers to cause a denial of service (excessive application
launches) via an HTML document with many IFRAME elements.
CVSS v2 Base: 5.0 (MEDIUM)
Access Vector: Network exploitable

CVE-2010-1206: The startDocumentLoad function in
browser/base/content/browser.js in Mozilla Firefox 3.5.x before 3.5.11
and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, does not properly
implement the Same Origin Policy in certain circumstances related to
the about:blank document and a document that is currently loading,
which allows (1) remote web servers to conduct spoofing attacks via
vectors involving a 204 (aka No Content) status code, and allows (2)
remote attackers to conduct spoofing attacks via vectors involving a
window.stop call.
CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-1200, CVE-2010-1201, CVE-2010-1202, CVE-2010-1203: Multiple
unspecified vulnerabilities in the browser engine in Mozilla Firefox
3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5,
and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-1199: Integer overflow in the XSLT node sorting
implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before
3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows
remote attackers to execute arbitrary code via a large text value for
a node.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-1198: Use-after-free vulnerability in Mozilla Firefox 3.5.x
before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5,
allows remote attackers to execute arbitrary code via vectors
involving multiple plugin instances.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-1197: Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before
3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations
in which both "Content-Disposition: attachment" and "Content-Type:
multipart" are present in HTTP headers, which allows remote attackers
to conduct cross-site scripting (XSS) attacks via an uploaded HTML
document.
CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-1196: Integer overflow in the
nsGenericDOMDataNode::SetTextInternal function in Mozilla Firefox
3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5,
and SeaMonkey before 2.0.5 allows remote attackers to execute
arbitrary code via a DOM node with a long text value that triggers a
heap-based buffer overflow.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-1125: The JavaScript implementation in Mozilla Firefox 3.x
before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5,
allows remote attackers to send selected keystrokes to a form field in
a hidden frame, instead of the intended form field in a visible frame,
via certain calls to the focus method.
CVSS v2 Base: 5.8 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2008-5913: The Math.random function in the JavaScript
implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before
3.6.4, and SeaMonkey before 2.0.5, uses a random number generator that
is seeded only once per browser session, which makes it easier for
remote attackers to track a user, or trick a user into acting upon a
spoofed pop-up message, by calculating the seed value, related to a
"temporary footprint" and an "in-session phishing attack."
CVSS v2 Base: 2.1 (LOW)
Access Vector: Network exploitable

III. Impact

CVE-2010-1990: Denial of service due to resource management errors
(CWE-399)

CVE-2010-1206: Spoofing attack due to incorrect permissions,
privileges and access controls (CWE-264)

CVE-2010-1200, CVE-2010-1201, CVE-2010-1202, CVE-2010-1203: Denial of
service or arbitrary code execution.

CVE-2010-1199: Arbitrary code execution due to numeric error (CWE-189)

CVE-2010-1198: Arbitrary code execution due to resource management
errors (CWE-399)

CVE-2010-1197: Cross-site scripting attacks (CWE-79)

CVE-2010-1196: Arbitrary code execution via DOM node due to numeric
errors (CWE-189)

CVE-2010-1125: Sending of selected keystrokes via an information leak
(CWE-200)

CVE-2008-5913: Information disclosure

IV.  Workaround

None

V.   Solution

Update to package firefox-3.6.7-4.1 or later.

VI.  References

http://bugs.meego.com/show_bug.cgi?id=2568
http://bugs.meego.com/show_bug.cgi?id=3601
http://bugs.meego.com/show_bug.cgi?id=3607
http://bugs.meego.com/show_bug.cgi?id=3608
http://bugs.meego.com/show_bug.cgi?id=3609
http://bugs.meego.com/show_bug.cgi?id=3610
http://bugs.meego.com/show_bug.cgi?id=3611
http://bugs.meego.com/show_bug.cgi?id=3614
http://bugs.meego.com/show_bug.cgi?id=3616
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1990
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1206
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1200
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1201
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1203
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1199
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1198
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1197
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1196
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1125
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5913
http://cwe.mitre.org/data/definitions/399.html
http://cwe.mitre.org/data/definitions/264.html
http://cwe.mitre.org/data/definitions/189.html
http://cwe.mitre.org/data/definitions/79.html
http://cwe.mitre.org/data/definitions/200.html

