=====================================================================
CERT-Renater Information Note No. 2010/VULN234
_____________________________________________________________________

DATE                  : 25/06/2010
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running Firefox versions prior to 3.6.4
                        or 3.5.10, Thunderbird versions prior to 3.0.5,
                        SeaMonkey versions prior to 2.0.5.
======================================================================

http://www.mozilla.org/security/announce/2010/mfsa2010-30.html
http://www.mozilla.org/security/announce/2010/mfsa2010-29.html
http://www.mozilla.org/security/announce/2010/mfsa2010-28.html
http://www.mozilla.org/security/announce/2010/mfsa2010-27.html
http://www.mozilla.org/security/announce/2010/mfsa2010-26.html
http://www.mozilla.org/security/announce/2010/mfsa2010-31.html
http://www.mozilla.org/security/announce/2010/mfsa2010-32.html
http://www.mozilla.org/security/announce/2010/mfsa2010-33.html
______________________________________________________________________

Mozilla Foundation Security Advisory 2010-30

Title:      Integer Overflow in XSLT Node Sorting
Impact:     Critical
Announced:  June 22, 2010
Reporter:   Martin Barbella
Products:   Firefox, Thunderbird, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            Thunderbird 3.0.5
            SeaMonkey 2.0.5

Description

Security researcher Martin Barbella reported via TippingPoint's Zero Day
Initiative that an XSLT node sorting routine contained an integer overflow
vulnerability. In cases where one of the nodes to be sorted contained a very
large text value, the integer used to allocate a memory buffer to store its
value would overflow, resulting in too small a buffer being created. An
attacker could use this vulnerability to write data past the end of the
buffer, causing the browser to crash and potentially running arbitrary code
on a victim's computer.
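As an added illustration (not Mozilla's code, and not the XSLT or DOM routine itself): the allocation-size overflow described here, and again in MFSA 2010-29 below, in a small C model that puts the unchecked size computation beside a checked one that rejects oversized lengths before any buffer is allocated. The 32-bit length type and the two-byte UTF-16 code-unit layout are assumptions chosen to make the wrap reproducible.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNIT_SIZE 2u   /* bytes per UTF-16 code unit (assumption) */

/* Unchecked size computation, the bug class described in the advisory:
 * (len + 1) units of UNIT_SIZE bytes, computed in 32-bit arithmetic.
 * For len near UINT32_MAX the product wraps to a small value, so the
 * allocator hands back a buffer far shorter than the text it must hold. */
uint32_t unchecked_alloc_size(uint32_t len) {
    return (len + 1u) * UNIT_SIZE;
}

/* Checked version: refuses any len for which (len + 1) * UNIT_SIZE would
 * not fit in 32 bits. Returns 0 and stores the size on success, -1 on overflow. */
int checked_alloc_size(uint32_t len, uint32_t *out) {
    if (len > (UINT32_MAX / UNIT_SIZE) - 1u) return -1;
    *out = (len + 1u) * UNIT_SIZE;
    return 0;
}

/* Copies len UTF-16 units into a fresh NUL-terminated buffer sized with the
 * checked computation. Returns NULL (without reading the source) if the size
 * would overflow or the allocation fails. Caller frees the result. */
uint16_t *copy_text_units(const uint16_t *units, uint32_t len) {
    uint32_t bytes;
    if (checked_alloc_size(len, &bytes) != 0) return NULL;
    uint16_t *buf = malloc(bytes);
    if (buf == NULL) return NULL;
    memcpy(buf, units, (size_t)len * UNIT_SIZE);
    buf[len] = 0;
    return buf;
}

int main(void) {
    uint32_t len = 0x80000003u;   /* a "very large text value" */
    uint32_t bytes;
    printf("unchecked: len=%" PRIu32 " -> %" PRIu32 " bytes (wrapped)\n",
           len, unchecked_alloc_size(len));
    printf("checked:   len=%" PRIu32 " -> %s\n", len,
           checked_alloc_size(len, &bytes) == 0 ? "ok" : "rejected");
    return 0;
}
```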
References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=554255
  * CVE-2010-1199
_______________________________________________________________________

Mozilla Foundation Security Advisory 2010-29

Title:      Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
Impact:     Critical
Announced:  June 22, 2010
Reporter:   Nils (MWR InfoSecurity)
Products:   Firefox, Thunderbird, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            Thunderbird 3.0.5
            SeaMonkey 2.0.5

Description

Security researcher Nils of MWR InfoSecurity reported that the routine for
setting the text value for certain types of DOM nodes contained an integer
overflow vulnerability. When a very long string was passed to this routine,
the integer value used in creating a new memory buffer to hold the string
would overflow, resulting in too small a buffer being allocated. An attacker
could use this vulnerability to write data past the end of the buffer,
causing a crash and potentially running arbitrary code on a victim's
computer.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=534666
  * CVE-2010-1196
__________________________________________________________________________

Mozilla Foundation Security Advisory 2010-28

Title:      Freed object reuse across plugin instances
Impact:     Critical
Announced:  June 22, 2010
Reporter:   Microsoft Vulnerability Research
Products:   Firefox, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            SeaMonkey 2.0.5

Description

Microsoft Vulnerability Research reported that two plugin instances could
interact in a way in which one plugin gets a reference to an object owned by
a second plugin and continues to hold that reference after the second plugin
is unloaded and its object is destroyed. In these cases, the first plugin
would contain a pointer to freed memory which, if accessed, could be used by
an attacker to execute arbitrary code on a victim's computer.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=532246
  * CVE-2010-1198
_______________________________________________________________________

Mozilla Foundation Security Advisory 2010-27

Title:      Use-after-free error in nsCycleCollector::MarkRoots()
Impact:     Critical
Announced:  June 22, 2010
Reporter:   wushi
Products:   Firefox, SeaMonkey

Fixed in:   Firefox 3.5.10
            SeaMonkey 2.0.5

Description

Security researcher wushi of team509 reported that the frame construction
process for certain types of menus could result in a menu containing a
pointer to a previously freed menu item. During the cycle collection process,
this freed item could be accessed, resulting in the execution of a section of
code potentially controlled by an attacker.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=557174
  * CVE-2010-0183
_______________________________________________________________________

Mozilla Foundation Security Advisory 2010-26

Title:      Crashes with evidence of memory corruption (rv:1.9.2.4/1.9.1.10)
Impact:     Critical
Announced:  June 22, 2010
Reporter:   Mozilla developers and community
Products:   Firefox, Thunderbird, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            Thunderbird 3.0.5
            SeaMonkey 2.0.5

Description

Mozilla developers identified and fixed several stability bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
crashes showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be exploited
to run arbitrary code.

References

Olli Pettay, Martijn Wargers, Justin Lebar, Jesse Ruderman, Ben Turner,
Jonathan Kew and David Humphrey reported crashes in the browser engine that
affected Firefox 3.6 and Firefox 3.5.
  * Browser crashes - Firefox 3.5, Firefox 3.6
  * CVE-2010-1200

boardraider and stedenon reported a crash in the browser engine that affected
Firefox 3.5 only.
  * https://bugzilla.mozilla.org/show_bug.cgi?id=524921
  * CVE-2010-1201

Bob Clary, Igor Bukanov, Gary Kwong and Andreas Gal reported crashes in the
JavaScript engine that affected Firefox 3.6 and Firefox 3.5.
  * JavaScript engine crashes - Firefox 3.5, Firefox 3.6
  * CVE-2010-1202

Gary Kwong and David Anderson reported crashes in the JavaScript engine that
affected Firefox 3.6 only.
  * JavaScript engine crashes - Firefox 3.6
  * CVE-2010-1203
_________________________________________________________________________

Mozilla Foundation Security Advisory 2010-31

Title:      focus() behavior can be used to inject or steal keystrokes
Impact:     Moderate
Announced:  June 22, 2010
Reporter:   Michal Zalewski
Products:   Firefox, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            SeaMonkey 2.0.5

Description

Google security researcher Michal Zalewski reported that focus() could be
used to change a user's cursor focus while they are typing, potentially
directing their keyboard input to an unintended location. This behavior was
also present across origins when content from one domain was embedded within
another via an iframe. A malicious web page could use this behavior to steal
keystrokes from a victim while they were typing sensitive information such as
a password.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=552255
  * CVE-2010-1125
______________________________________________________________________

Mozilla Foundation Security Advisory 2010-32

Title:      Content-Disposition: attachment ignored if Content-Type:
            multipart also present
Impact:     Moderate
Announced:  June 22, 2010
Reporter:   Ilja van Sprundel
Products:   Firefox, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            SeaMonkey 2.0.5

Description

Security researcher Ilja van Sprundel of IOActive reported that the
Content-Disposition: attachment HTTP header was ignored when Content-Type:
multipart was also present. This issue could potentially lead to XSS problems
in sites that allow users to upload arbitrary files and specify a
Content-Type but rely on Content-Disposition: attachment to prevent the
content from being displayed inline.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=537120
  * CVE-2010-1197
________________________________________________________________________

Mozilla Foundation Security Advisory 2010-33

Title:      User tracking across sites using Math.random()
Impact:     Low
Announced:  June 22, 2010
Reporter:   Amit Klein
Products:   Firefox, SeaMonkey

Fixed in:   Firefox 3.6.4
            Firefox 3.5.10
            SeaMonkey 2.0.5

Description

Security researcher Amit Klein reported that it was possible to reverse
engineer the value used to seed Math.random(). Since the pseudo-random number
generator was only seeded once per browsing session, this seed value could be
used as a unique token to identify and track users across different web
sites.

References

  * https://bugzilla.mozilla.org/show_bug.cgi?id=475585
  * CVE-2008-5913
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital    | fax : 01-53-94-20-41       +
+ 75013 Paris            | email: certsvp@renater.fr  +
=========================================================