ubuntu-security-announce Digest, Vol 95, Issue 15

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1548-1] Firefox vulnerabilities (Micah Gersten)
2. [USN-1505-2] IcedTea-Web regression (Steve Beattie)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Aug 2012 13:17:50 -0500
From: Micah Gersten <micah@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1548-1] Firefox vulnerabilities
Message-ID: <503E5CCE.4080901@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1548-1
August 29, 2012

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Multiple security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Gary Kwong, Christian Holler, Jesse Ruderman, Steve Fink, Bob Clary, Andrew
Sutherland, Jason Smith, John Schoenick, Vladimir Vukicevic and Daniel
Holbert discovered memory safety issues affecting Firefox. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1970, CVE-2012-1971)

Abhishek Arya discovered multiple use-after-free vulnerabilities. If the
user were tricked into opening a specially crafted page, an attacker could
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976,
CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960,
CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)

Mariusz Mlynsk discovered that it is possible to shadow the location object
using Object.defineProperty. This could potentially result in a cross-site
scripting (XSS) attack against plugins. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents or steal
confidential data within the same domain. (CVE-2012-1956)

Mariusz Mlynski discovered an escalation of privilege vulnerability through
about:newtab. This could possibly lead to potentially code execution with
the privileges of the user invoking Firefox. (CVE-2012-3965)

Fr?d?ric Hoguin discovered that bitmap format images with a negative height
could potentially result in memory corruption. If the user were tricked
into opening a specially crafted image, an attacker could exploit
this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox.
(CVE-2012-3966)

It was discovered that Firefox's WebGL implementation was vulnerable to
multiple memory safety issues. If the user were tricked into opening a
specially crafted page, an attacker could exploit these to cause a denial
of service via application crash, or potentially execute code with the
privileges of the user invoking Firefox. (CVE-2012-3967, CVE-2012-3968)

Arthur Gerkis discovered multiple memory safety issues in Firefox's
Scalable Vector Graphics (SVG) implementation. If the user were tricked
into opening a specially crafted image, an attacker could exploit these to
cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Firefox. (CVE-2012-3969,
CVE-2012-3970)

Christoph Diehl discovered multiple memory safety issues in the bundled
Graphite 2 library. If the user were tricked into opening a specially
crafted page, an attacker could exploit these to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2012-3971)

Nicolas Gr?goire discovered an out-of-bounds read in the format-number
feature of XSLT. This could potentially cause inaccurate formatting of
numbers and information leakage. (CVE-2012-3972)

Mark Goodwin discovered that under certain circumstances, Firefox's
developer tools could allow remote debugging even when disabled.
(CVE-2012-3973)

It was discovered that when the DOMParser is used to parse text/html data
in a Firefox extension, linked resources within this HTML data will be
loaded. If the data being parsed in the extension is untrusted, it could
lead to information leakage and potentially be combined with other attacks
to become exploitable. (CVE-2012-3975)

Mark Poticha discovered that under certain circumstances incorrect SSL
certificate information can be displayed on the addressbar, showing the SSL
data for a previous site while another has been loaded. This could
potentially be used for phishing attacks. (CVE-2012-3976)

It was discovered that, in some instances, certain security checks in the
location object could be bypassed. This could allow for the loading of
restricted content and can potentially be combined with other issues to
become exploitable. (CVE-2012-3978)

Colby Russell discovered that eval in the web console can execute injected
code with chrome privileges, leading to the running of malicious code in a
privileged context. If the user were tricked into opening a specially
crafted page, an attacker could exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2012-3980)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
firefox 15.0+build1-0ubuntu0.12.04.1

Ubuntu 11.10:
firefox 15.0+build1-0ubuntu0.11.10.1

Ubuntu 11.04:
firefox 15.0+build1-0ubuntu0.11.04.2

Ubuntu 10.04 LTS:
firefox 15.0+build1-0ubuntu0.10.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1548-1
CVE-2012-1956, CVE-2012-1970, CVE-2012-1971, CVE-2012-1972,
CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976,
CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959,
CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963,
CVE-2012-3964, CVE-2012-3965, CVE-2012-3966, CVE-2012-3967,
CVE-2012-3968, CVE-2012-3969, CVE-2012-3970, CVE-2012-3971,
CVE-2012-3972, CVE-2012-3973, CVE-2012-3975, CVE-2012-3976,
CVE-2012-3978, CVE-2012-3980, https://launchpad.net/bugs/1041620

Package Information:
https://launchpad.net/ubuntu/+source/firefox/15.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/15.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/15.0+build1-0ubuntu0.11.04.2
https://launchpad.net/ubuntu/+source/firefox/15.0+build1-0ubuntu0.10.04.1





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120829/26e6cf3c/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 29 Aug 2012 17:11:29 -0700
From: Steve Beattie <sbeattie@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1505-2] IcedTea-Web regression
Message-ID: <20120830001129.GE11004@nxnw.org>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1505-2
August 30, 2012

icedtea-web regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04

Summary:

USN 1505-1 introduced a regression in the IcedTea-Web Java web browser
plugin that prevented it from working with the Chromium web browser.

Software Description:
- icedtea-web: A web browser plugin to execute Java applets

Details:

USN-1505-1 fixed vulnerabilities in OpenJDK 6. As part of the update,
IcedTea-Web packages were upgraded to a new version. That upgrade
introduced a regression which prevented the IcedTea-Web plugin from
working with the Chromium web browser in Ubuntu 11.04 and Ubuntu 11.10.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that multiple flaws existed in the CORBA (Common
Object Request Broker Architecture) implementation in OpenJDK. An
attacker could create a Java application or applet that used these
flaws to bypass Java sandbox restrictions or modify immutable object
data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that multiple flaws existed in the OpenJDK font
manager's layout lookup implementation. A attacker could specially
craft a font file that could cause a denial of service through
crashing the JVM (Java Virtual Machine) or possibly execute arbitrary
code. (CVE-2012-1713)

It was discovered that the SynthLookAndFeel class from Swing in
OpenJDK did not properly prevent access to certain UI elements
from outside the current application context. An attacker could
create a Java application or applet that used this flaw to cause a
denial of service through crashing the JVM or bypass Java sandbox
restrictions. (CVE-2012-1716)

It was discovered that OpenJDK runtime library classes could create
temporary files with insecure permissions. A local attacker could
use this to gain access to sensitive information. (CVE-2012-1717)

It was discovered that OpenJDK did not handle CRLs (Certificate
Revocation Lists) properly. A remote attacker could use this to gain
access to sensitive information. (CVE-2012-1718)

It was discovered that the OpenJDK HotSpot Virtual Machine did not
properly verify the bytecode of the class to be executed. A remote
attacker could create a Java application or applet that used this
to cause a denial of service through crashing the JVM or bypass Java
sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that the OpenJDK XML (Extensible Markup Language)
parser did not properly handle some XML documents. An attacker could
create an XML document that caused a denial of service in a Java
application or applet parsing the document. (CVE-2012-1724)

As part of this update, the IcedTea web browser applet plugin was
updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
icedtea-6-plugin 1.2-2ubuntu0.11.10.3

Ubuntu 11.04:
icedtea-6-plugin 1.2-2ubuntu0.11.04.3

After a standard system update you need to restart your web browser
to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1505-2
http://www.ubuntu.com/usn/usn-1505-1
https://launchpad.net/bugs/1025553

Package Information:
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.3
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120829/dce5c221/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 95, Issue 15
********************************************************