[USN-1222-2] Mozvoikko, ubufox, webfav update
Posted on 05 October 2011
==========================================================================
Ubuntu Security Notice USN-1222-2
October 04, 2011
mozvoikko, ubufox, webfav update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
Summary:
This update provides packages compatible with Firefox 7.
Software Description:
- mozvoikko: Finnish spell-checker extension for Firefox
- ubufox: Ubuntu Firefox specific configuration defaults and apt support
- webfav: Firefox extension for saving web favorites (bookmarks)
Details:
USN-1222-1 fixed vulnerabilities in Firefox. This update provides updated
packages for use with Firefox 7.
Original advisory details:
Benjamin Smedberg, Bob Clary, Jesse Ruderman, Bob Clary, Andrew McCreight,
Andreas Gal, Gary Kwong, Igor Bukanov, Jason Orendorff, Jesse Ruderman, and
Marcia Knous discovered multiple memory vulnerabilities in the browser
rendering engine. An attacker could use these to possibly execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2011-2995,
CVE-2011-2997)

Boris Zbarsky discovered that a frame named "location" could shadow the
window.location object unless a script in a page grabbed a reference to the
true object before the frame was created. This is in violation of the Same
Origin Policy. A malicious website could possibly use this to access
another website or the local file system. (CVE-2011-2999)

Ian Graham discovered that when multiple Location headers were present,
Firefox would use the second one, resulting in a possible CRLF injection
attack. CRLF injection issues can result in a wide variety of attacks, such
as XSS (Cross-Site Scripting) vulnerabilities, browser cache poisoning, and
cookie theft. (CVE-2011-3000)

Mariusz Mlynski discovered that if the user could be convinced to hold down
the enter key, a malicious website could potentially pop up a download dialog
and the default open action would be selected or lead to the installation
of an arbitrary add-on. This would result in potentially malicious content
being run with the privileges of the user invoking Firefox. (CVE-2011-2372,
CVE-2011-3001)

Michael Jordon and Ben Hawkes discovered flaws in WebGL. If a user were
tricked into opening a malicious page, an attacker could cause the browser
to crash. (CVE-2011-3002, CVE-2011-3003)

It was discovered that Firefox did not properly free memory when processing
ogg files. If a user were tricked into opening a malicious page, an
attacker could cause the browser to crash. (CVE-2011-3005)

David Rees and Aki Helin discovered problems in the JavaScript engine. An
attacker could exploit this to crash the browser or potentially escalate
privileges within the browser. (CVE-2011-3232)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
xul-ext-mozvoikko 1.10.0-0ubuntu0.11.04.1
xul-ext-ubufox 0.9.2-0ubuntu0.11.04.1
xul-ext-webfav 1.17-0ubuntu5.2
After a standard system update you need to restart Firefox to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1222-2
http://www.ubuntu.com/usn/usn-1222-1
https://launchpad.net/bugs/857098
Package Information:
https://launchpad.net/ubuntu/+source/mozvoikko/1.10.0-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/ubufox/0.9.2-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/webfav/1.17-0ubuntu5.2