[USN-1192-3] Libvoikko regression
Posted on 19 October 2011
==========================================================================
Ubuntu Security Notice USN-1192-3
October 19, 2011

libvoikko regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
Summary:
A regression caused Firefox to crash while spell checking in Finnish.
Software Description:
- libvoikko: Library of Finnish language tools
Details:
USN-1192-1 provided Firefox 6 as a security upgrade. Unfortunately, this
caused a regression in libvoikko which caused Firefox to crash while spell
checking words with hyphens. This update corrects the issue. We apologize
for the inconvenience.
Original advisory details:
Aral Yaman discovered a vulnerability in the WebGL engine. An attacker
could potentially use this to crash Firefox or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2011-2989)

Vivekanand Bolajwar discovered a vulnerability in the JavaScript engine. An
attacker could potentially use this to crash Firefox or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2011-2991)

Bert Hubert and Theo Snelleman discovered a vulnerability in the Ogg
reader. An attacker could potentially use this to crash Firefox or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2011-2991)

Robert Kaiser, Jesse Ruderman, Gary Kwong, Christoph Diehl, Martijn
Wargers, Travis Emmitt, Bob Clary, and Jonathan Watt discovered multiple
memory vulnerabilities in the browser rendering engine. An attacker could
use these to possibly execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2011-2985)

Rafael Gieschke discovered that unsigned JavaScript could call into a
script inside a signed JAR. This could allow an attacker to execute
arbitrary code with the identity and permissions of the signed JAR.
(CVE-2011-2993)

Michael Jordon discovered that an overly long shader program could cause a
buffer overrun. An attacker could potentially use this to crash Firefox or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2011-2988)

Michael Jordon discovered a heap overflow in the ANGLE library used in
Firefox's WebGL implementation. An attacker could potentially use this to
crash Firefox or execute arbitrary code with the privileges of the user
invoking Firefox. (CVE-2011-2987)

It was discovered that an SVG text manipulation routine contained a
dangling pointer vulnerability. An attacker could potentially use this to
crash Firefox or execute arbitrary code with the privileges of the user
invoking Firefox. (CVE-2011-0084)

Mike Cardwell discovered that Content Security Policy violation reports
failed to strip out proxy authorization credentials from the list of
request headers. This could allow a malicious website to capture proxy
authorization credentials. Daniel Veditz discovered that redirecting to a
website with Content Security Policy resulted in the incorrect resolution
of hosts in the constructed policy. This could allow a malicious website to
circumvent the Content Security Policy of another website. (CVE-2011-2990)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libvoikko1 3.1-1ubuntu0.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
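The check below is an added example and is not part of the Ubuntu notice or of the libvoikko package. It takes a package list in the format printed by `dpkg-query -W -f='${Package} ${Version}\n'` (the two lines of sample output are constructed, not from a real host), re-implements dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting before everything) so the comparison can run on a machine without dpkg, and reports whether each package named in the advisory is at or above the fixed version. On an Ubuntu host itself, `dpkg --compare-versions <installed> ge 3.1-1ubuntu0.1` is the authoritative form of the same test.

```python
r"""Compare installed package versions against the fixed versions in a USN.

Added example, not Ubuntu's own tooling. Input is expected in the form of
    dpkg-query -W -f='${Package} ${Version}\n'
The version comparison follows dpkg's algorithm so it gives the same
answer as `dpkg --compare-versions`, including for '~' pre-release
suffixes and for Ubuntu revisions such as 1ubuntu0.1 versus 1ubuntu1.
"""

# Fixed versions as listed in USN-1192-3 (Update instructions).
FIXED_VERSIONS = {
    "Ubuntu 11.04": {"libvoikko1": "3.1-1ubuntu0.1"},
}

# Constructed sample of dpkg-query output from a hypothetical, not yet
# updated, 11.04 host. libvoikko1 3.1-1 is the pre-update version.
SAMPLE_DPKG_OUTPUT = """\
libvoikko1 3.1-1
libc6 2.13-0ubuntu13
"""


def _order(c):
    """dpkg's weight for a character in the non-digit part of a version.

    '~' sorts before the end of the string (so 3.1~rc1 < 3.1), letters sort
    before other symbols, and digits and end-of-string are weight 0.
    """
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg's verrevcmp does."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character weights one at a time.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is larger,
        # otherwise the first differing digit decides.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i].isdigit() and j < lb and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, == or > v2 in dpkg ordering."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2)
    return c if c else _verrevcmp(r1, r2)


def check_packages(dpkg_output, release="Ubuntu 11.04"):
    """Map each advisory package to 'fixed', 'vulnerable' or 'not installed'."""
    installed = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            installed[parts[0]] = parts[1]
    result = {}
    for pkg, fixed in FIXED_VERSIONS[release].items():
        if pkg not in installed:
            result[pkg] = "not installed"
        elif compare_versions(installed[pkg], fixed) >= 0:
            result[pkg] = "fixed"
        else:
            result[pkg] = "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, status in check_packages(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {status}")
```

A package that is absent is reported as "not installed" rather than "fixed", since a USN only applies to hosts that have the binary package; and because the comparison is a version floor, any later Ubuntu revision (for example a hypothetical 3.1-1ubuntu0.2) is also reported as fixed.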
References:
http://www.ubuntu.com/usn/usn-1192-3
http://www.ubuntu.com/usn/usn-1192-1
https://launchpad.net/bugs/832582
Package Information:
https://launchpad.net/ubuntu/+source/libvoikko/3.1-1ubuntu0.1