Advisories » MGASA-2013-0329

Updated iceape packages fix many vulnerabilities

Publication date: 20 Nov 2013
Modification date: 20 Nov 2013
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1695, CVE-2013-1696, CVE-2013-1697, CVE-2013-1699, CVE-2013-1701, CVE-2013-1702, CVE-2013-1704, CVE-2013-1705, CVE-2013-1706, CVE-2013-1707, CVE-2013-1708, CVE-2013-1709, CVE-2013-1710, CVE-2013-1711, CVE-2013-1713, CVE-2013-1714, CVE-2013-1717, CVE-2013-1718, CVE-2013-1719, CVE-2013-1720, CVE-2013-1721, CVE-2013-1722, CVE-2013-1723, CVE-2013-1724, CVE-2013-1725, CVE-2013-1728, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737, CVE-2013-1738, CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604

Description

Updated iceape packages fix security issues:

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before
17.0.7, and Thunderbird ESR 17.x before 17.0.7 allow remote attackers to
cause a denial of service (memory corruption and application crash) or
possibly execute arbitrary code via unknown vectors. (CVE-2013-1682)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 22.0 allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors. (CVE-2013-1683)

Use-after-free vulnerability in the
mozilla::dom::HTMLMediaElement::LookupMediaElementURITable function in
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird
before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote
attackers to execute arbitrary code or cause a denial of service (heap
memory corruption) via a crafted web site. (CVE-2013-1684)

Use-after-free vulnerability in the nsIDocument::GetRootElement function in
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird
before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote
attackers to execute arbitrary code or cause a denial of service (heap
memory corruption) via a crafted web site. (CVE-2013-1685)

Use-after-free vulnerability in the mozilla::ResetDir function in Mozilla
Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before
17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to
execute arbitrary code or cause a denial of service (heap memory
corruption) via unspecified vectors. (CVE-2013-1686)

The System Only Wrapper (SOW) and Chrome Object Wrapper (COW)
implementations in Mozilla Firefox before 22.0, Firefox ESR 17.x before
17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7
do not properly restrict XBL user-defined functions, which allows remote
attackers to execute arbitrary JavaScript code with chrome privileges, or
conduct cross-site scripting (XSS) attacks, via a crafted web site.
(CVE-2013-1687)

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird
before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly
handle onreadystatechange events in conjunction with page reloading, which
allows remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted web site that triggers an
attempt to execute data at an unmapped memory location. (CVE-2013-1690)

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird
before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not prevent the
inclusion of body data in an XMLHttpRequest HEAD request, which makes it
easier for remote attackers to conduct cross-site request forgery (CSRF)
attacks via a crafted web site. (CVE-2013-1692)

The SVG filter implementation in Mozilla Firefox before 22.0, Firefox ESR
17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x
before 17.0.7 allows remote attackers to read pixel values, and possibly
bypass the Same Origin Policy and read text from a different domain, by
observing timing differences in execution of filter code. (CVE-2013-1693)

The PreserveWrapper implementation in Mozilla Firefox before 22.0, Firefox
ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x
before 17.0.7 does not properly handle the lack of a wrapper, which allows
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code by leveraging unintended clearing of the
wrapper cache's preserved-wrapper flag. (CVE-2013-1694)

Mozilla Firefox before 22.0 does not properly implement certain DocShell
inheritance behavior for the sandbox attribute of an IFRAME element, which
allows remote attackers to bypass intended access restrictions via a FRAME
element within an IFRAME element. (CVE-2013-1695)

Mozilla Firefox before 22.0 does not properly enforce the X-Frame-Options
protection mechanism, which allows remote attackers to conduct clickjacking
attacks via a crafted web site that uses the HTTP server push feature with
multipart responses. (CVE-2013-1696)

The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR
17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x
before 17.0.7 does not properly restrict use of DefaultValue for method
calls, which allows remote attackers to execute arbitrary JavaScript code
with chrome privileges via a crafted web site that triggers use of a
user-defined (1) toString or (2) valueOf method. (CVE-2013-1697)

The Internationalized Domain Name (IDN) display algorithm in Mozilla
Firefox before 22.0 does not properly handle the .com, .name, and .net
top-level domains, which allows remote attackers to spoof the address bar
via unspecified homograph characters. (CVE-2013-1699)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before
17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via unknown vectors.
(CVE-2013-1701)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to
cause a denial of service (memory corruption and application crash) or
possibly execute arbitrary code via unknown vectors. (CVE-2013-1702)

Use-after-free vulnerability in the nsINode::GetParentNode function in
Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote
attackers to execute arbitrary code or cause a denial of service (heap
memory corruption and application crash) via vectors involving a DOM
modification at the time of a SetBody mutation event. (CVE-2013-1704)

Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function
in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted Certificate Request Message Format (CRMF)
request. (CVE-2013-1705)

Stack-based buffer overflow in maintenanceservice.exe in the Mozilla
Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before
17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8
allows local users to gain privileges via a long pathname on the command
line. (CVE-2013-1706)

Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before
23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and
Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges
via a long pathname on the command line to the Mozilla Maintenance Service.
(CVE-2013-1707)

Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote
attackers to cause a denial of service (application crash) via a crafted
WAV file that is not properly handled by the nsCString::CharAt function.
(CVE-2013-1708)

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before
2.20 do not properly handle the interaction between FRAME elements and
history, which allows remote attackers to conduct cross-site scripting
(XSS) attacks via vectors involving spoofing a relative location in a
previously visited document. (CVE-2013-1709)

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0,
Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR
17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to
execute arbitrary JavaScript code or conduct cross-site scripting (XSS)
attacks via vectors related to Certificate Request Message Format (CRMF)
request generation. (CVE-2013-1710)

The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey
before 2.20 does not properly address the possibility of an XBL scope
bypass resulting from non-native arguments in XBL function calls, which
makes it easier for remote attackers to conduct cross-site scripting (XSS)
attacks by leveraging access to an unprivileged object. (CVE-2013-1711)

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before
2.20 use an incorrect URI within unspecified comparisons during enforcement
of the Same Origin Policy, which allows remote attackers to conduct
cross-site scripting (XSS) attacks or install arbitrary add-ons via a
crafted web site. (CVE-2013-1713)

The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR
17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before
17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest
calls, which allows remote attackers to bypass the Same Origin Policy and
conduct cross-site scripting (XSS) attacks via unspecified vectors.
(CVE-2013-1714)

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before
2.20 do not properly restrict local-filesystem access by Java applets,
which allows user-assisted remote attackers to read arbitrary files by
leveraging a download to a fixed pathname or other predictable pathname.
(CVE-2013-1717)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before
24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allow
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via unknown vectors.
(CVE-2013-1718)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21
allow remote attackers to cause a denial of service (memory corruption and
application crash) or possibly execute arbitrary code via unknown vectors.
(CVE-2013-1719)

The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tree
Builder in Mozilla Firefox before 24.0, Thunderbird before 24.0, and
SeaMonkey before 2.21 does not properly maintain the state of the
insertion-mode stack for template elements, which allows remote attackers
to execute arbitrary code or cause a denial of service (heap-based buffer
over-read) by triggering use of this stack in its empty state.
(CVE-2013-1720)

Integer overflow in the drawLineLoop function in the libGLESv2 library in
Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox
before 24.0 and SeaMonkey before 2.21, allows remote attackers to execute
arbitrary code via a crafted web site. (CVE-2013-1721)

Use-after-free vulnerability in the nsAnimationManager::BuildAnimations
function in the Animation Manager in Mozilla Firefox before 24.0, Firefox
ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x
before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute
arbitrary code or cause a denial of service (heap memory corruption) via
vectors involving stylesheet cloning. (CVE-2013-1722)

The NativeKey widget in Mozilla Firefox before 24.0, Thunderbird before
24.0, and SeaMonkey before 2.21 processes key messages after destruction by
a dispatched event listener, which allows remote attackers to cause a
denial of service (application crash) by leveraging incorrect event usage
after widget-memory reallocation. (CVE-2013-1723)

Use-after-free vulnerability in the
mozilla::dom::HTMLFormElement::IsDefaultSubmitElement function in Mozilla
Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21
allows remote attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via vectors involving a destroyed SELECT
element. (CVE-2013-1724)

Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird
before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21
do not ensure that initialization occurs for JavaScript objects with
compartments, which allows remote attackers to execute arbitrary code by
leveraging incorrect scope handling. (CVE-2013-1725)

The IonMonkey JavaScript engine in Mozilla Firefox before 24.0, Thunderbird
before 24.0, and SeaMonkey before 2.21, when Valgrind mode is used, does
not properly initialize memory, which makes it easier for remote attackers
to obtain sensitive information via unspecified vectors. (CVE-2013-1728)

Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird
before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21
do not properly handle movement of XBL-backed nodes between documents,
which allows remote attackers to execute arbitrary code or cause a denial
of service (JavaScript compartment mismatch, or assertion failure and
application exit) via a crafted web site. (CVE-2013-1730)

Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla
Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before
24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows
remote attackers to execute arbitrary code via crafted use of lists and
floats within a multi-column layout. (CVE-2013-1732)

Use-after-free vulnerability in the mozilla::layout::ScrollbarActivity
function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9,
Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey
before 2.21 allows remote attackers to execute arbitrary code via vectors
related to image-document scrolling. (CVE-2013-1735)

The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 24.0,
Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR
17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to
execute arbitrary code or cause a denial of service (memory corruption) via
vectors related to improperly establishing parent-child relationships of
range-request nodes. (CVE-2013-1736)

Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird
before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21
do not properly identify the "this" object during use of user-defined
getter methods on DOM proxies, which might allow remote attackers to bypass
intended access restrictions via vectors involving an expando object.
(CVE-2013-1737)

Use-after-free vulnerability in the JS_GetGlobalForScopeChain function in
Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before
2.21 allows remote attackers to execute arbitrary code by leveraging
incorrect garbage collection in situations involving default compartments
and frame-chain restoration. (CVE-2013-1738)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 25.0 allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors. (CVE-2013-5592)

Unspecified vulnerability in the browser engine in Mozilla Firefox before
25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey
before 2.22 allows remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code via
unknown vectors. (CVE-2013-5591)

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
before 2.22 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code via
unknown vectors. (CVE-2013-5590)

The SELECT element implementation in Mozilla Firefox before 25.0, Firefox
ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22
does not properly restrict the nature or placement of HTML within a
dropdown menu, which allows remote attackers to spoof the address bar or
conduct clickjacking attacks via vectors that trigger navigation off of a
page containing this element. (CVE-2013-5593)

The txXPathNodeUtils::getBaseURI function in the XSLT processor in Mozilla
Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
before 2.22 does not properly initialize data, which allows remote
attackers to execute arbitrary code or cause a denial of service
(stack-based buffer overflow and application crash) via crafted documents.
(CVE-2013-5604)

The JavaScript engine in Mozilla Firefox before 25.0, Firefox ESR 17.x
before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird
ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does not properly
allocate memory for unspecified functions, which allows remote attackers to
conduct buffer overflow attacks via a crafted web page. (CVE-2013-5595)

The cycle collection (CC) implementation in Mozilla Firefox before 25.0,
Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before
2.22 does not properly determine the thread for release of an image object,
which allows remote attackers to execute arbitrary code or cause a denial
of service (race condition and application crash) via a large HTML document
containing IMG elements, as demonstrated by the Never-Ending Reddit on
reddit.com. (CVE-2013-5596)

Use-after-free vulnerability in the nsDocLoader::doStopDocumentLoad
function in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10
and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before
17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute
arbitrary code or cause a denial of service (heap memory corruption) via
vectors involving a state-change event during an update of the offline
cache. (CVE-2013-5597)

Use-after-free vulnerability in the nsIPresShell::GetPresContext function
in the PresShell (aka presentation shell) implementation in Mozilla Firefox
before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
before 2.22 allows remote attackers to execute arbitrary code or cause a
denial of service (heap memory corruption and application crash) via
vectors involving a CANVAS element, a mozTextStyle attribute, and an
onresize event. (CVE-2013-5599)

Use-after-free vulnerability in the
nsIOService::NewChannelFromURIWithProxyFlags function in Mozilla Firefox
before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
before 2.22 allows remote attackers to execute arbitrary code via vectors
involving a blob: URL. (CVE-2013-5600)

Use-after-free vulnerability in the nsEventListenerManager::SetEventHandler
function in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10
and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before
17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute
arbitrary code via vectors related to a memory allocation through the
garbage collection (GC) API. (CVE-2013-5601)

The Worker::SetEventListener function in the Web workers implementation in
Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x
before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10,
and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via vectors related to
direct proxies. (CVE-2013-5602)

Use-after-free vulnerability in the
nsContentUtils::ContentIsHostIncludingDescendantOf function in Mozilla
Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1,
and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption) via vectors involving
HTML document templates. (CVE-2013-5603)
                

SRPMS

2/core

3/core