
[USN-1400-2] ubufox update

Posted on 16 March 2012
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-1400-2
March 16, 2012

ubufox update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

This update provides compatible ubufox packages for the latest Firefox.

Software Description:
- ubufox: Finnish spell-checker extension for Firefox

Details:

USN-1400-1 fixed vulnerabilities in Firefox. This update provides an
updated ubufox package for use with the latest Firefox.

Original advisory details:

Soroush Dalili discovered that Firefox did not adequately protect against
dropping JavaScript links onto a frame. A remote attacker could, through
cross-site scripting (XSS), exploit this to modify the contents or steal
confidential data. (CVE-2012-0455)

Atte Kettunen discovered a use-after-free vulnerability in Firefox's
handling of SVG animations. An attacker could potentially exploit this to
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2012-0457)

Atte Kettunen discovered an out of bounds read vulnerability in Firefox's
handling of SVG Filters. An attacker could potentially exploit this to make
data from the user's memory accessible to the page content. (CVE-2012-0456)

Mike Brooks discovered that using carriage return line feed (CRLF)
injection, one could introduce a new Content Security Policy (CSP) rule
which allows for cross-site scripting (XSS) on sites with a separate header
injection vulnerability. With cross-site scripting vulnerabilities, if a
user were tricked into viewing a specially crafted page, a remote attacker
could exploit this to modify the contents, or steal confidential data,
within the same domain. (CVE-2012-0451)

Mariusz Mlynski discovered that the Home button accepted JavaScript links
to set the browser Home page. An attacker could use this vulnerability to
get the script URL loaded in the privileged about:sessionrestore context.
(CVE-2012-0458)

Daniel Glazman discovered that the Cascading Style Sheets (CSS)
implementation is vulnerable to crashing due to modification of a keyframe
followed by access to the cssText of the keyframe. If the user were tricked
into opening a specially crafted web page, an attacker could exploit this
to cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Firefox. (CVE-2012-0459)

Matt Brubeck discovered that Firefox did not properly restrict access to
the window.fullScreen object. If the user were tricked into opening a
specially crafted web page, an attacker could potentially use this
vulnerability to spoof the user interface. (CVE-2012-0460)

Bob Clary, Christian Holler, Jesse Ruderman, Nils, Michael Bebenita,
Dindog, David Anderson, Jeff Walden, Vincenzo Iozzo, and Willem Pinckaers
discovered memory safety issues affecting Firefox. If the user were tricked
into opening a specially crafted page, an attacker could exploit these to
cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Firefox. (CVE-2012-0461,
CVE-2012-0462, CVE-2012-0464)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
xul-ext-ubufox 1.0.3-0ubuntu1

Ubuntu 11.04:
xul-ext-ubufox 0.9.4-0ubuntu1

Ubuntu 10.10:
xul-ext-ubufox 0.9.4-0ubuntu0.10.10.1

Ubuntu 10.04 LTS:
xul-ext-ubufox 0.9.4-0ubuntu0.10.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1400-2
http://www.ubuntu.com/usn/usn-1400-1
https://launchpad.net/bugs/951250

Package Information:
https://launchpad.net/ubuntu/+source/ubufox/1.0.3-0ubuntu1
https://launchpad.net/ubuntu/+source/ubufox/0.9.4-0ubuntu1
https://launchpad.net/ubuntu/+source/ubufox/0.9.4-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/ubufox/0.9.4-0ubuntu0.10.04.1



