Hash: SHA1

                         AUSCERT Security Bulletin

        Mozilla has released versions 3.6.14 and 3.5.17 of Firefox
                               2 March 2011


        AusCERT Security Bulletin Summary

Product:              Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-0061 CVE-2011-0059 CVE-2011-0058
                      CVE-2011-0057 CVE-2011-0056 CVE-2011-0055
                      CVE-2011-0054 CVE-2011-0053 CVE-2011-0051
Member content until: Friday, April  1 2011


        Mozilla has released versions 3.6.14 and 3.5.17 of the Firefox web 
        browser, correcting multiple security vulnerabilities.


        The vendor has supplied the following information regarding these 
        CVE-2011-0053: "Mozilla developers identified and fixed several memory 
        safety bugs in the browser engine used in Firefox and other Mozilla-
        based products. Some of these bugs showed evidence of memory corruption 
        under certain circumstances, and we presume that with enough effort at 
        least some of these could be exploited to run arbitrary code." [1]
        CVE-2011-0051: "Security researcher Zach Hoffman reported that a 
        recursive call to eval() wrapped in a try/catch statement places the 
        browser into a inconsistent state. Any dialog box opened in this state 
        is displayed without text and with non-functioning buttons. Closing 
        the window causes the dialog to evaluate to true. An attacker could 
        use this issue to force a user into accepting any dialog, such as one 
        granting elevated privileges to the page presenting the dialog." [2]
        CVE-2011-0055: "Security researcher regenrecht reported via 
        TippingPoint's Zero Day Initiative that a method used by 
        JSON.stringify contained a use-after-free error in which a currently 
        in-use pointer was freed and subsequently dereferenced. This could 
        lead to arbitrary code execution if an attacker was able to store 
        malicious code in the freed section of memory." [3]
        CVE-2011-0054: "Security researcher Christian Holler reported that 
        the JavaScript engine's internal memory mapping of non-local JS 
        variables contained a buffer overflow which could potentially be used 
        by an attacker to run arbitrary code on a victim's computer." [4]
        CVE-2011-0056: "Security researcher Christian Holler reported that 
        the JavaScript engine's internal mapping of string values contained 
        an error in cases where the number of values being stored was above 
        64K. In such cases an offset pointer was manually moved forwards and 
        backwards to access the larger address space. If an exception was 
        thrown between the time that the offset pointer was moved forward and 
        the time it was reset, then the exception object would be read from 
        an invalid memory address, potentially executing attacker-controlled 
        memory." [5]
        CVE-2011-0057: "Daniel Kozlowski reported that a JavaScript Worker 
        could be used to keep a reference to an object that could be freed 
        during garbage collection. Subsequent calls through this deleted 
        reference could cause attacker-controlled memory to be executed on a 
        victim's computer." [6]
        CVE-2011-0058: "Alex Miller reported that when very long strings were 
        constructed and inserted into an HTML document, the browser would 
        incorrectly construct the layout objects used to display the text. 
        Under such conditions an incorrect length would be calculated for a 
        text run resulting in too small of a memory buffer being allocated to 
        store the text. This issue could be used by an attacker to write data 
        past the end of the buffer and execute malicious code on a victim's 
        computer." [7]
        CVE-2010-1585: "Mozilla security developer Roberto Suggi Liverani 
        reported that ParanoidFragmentSink, a class used to sanitize 
        potentially unsafe HTML for display, allows javascript: URLs and 
        other inline JavaScript when the embedding document is a chrome 
        document. While there are no unsafe uses of this class in any 
        released products, extension code could have potentially used it in an 
        unsafe manner." [8]
        CVE-2011-0061: "Security researcher Jordi Chancel reported that a JPEG 
        image could be constructed that would be decoded incorrectly, causing 
        data to be written past the end of a buffer created to store the image. 
        An attacker could potentially craft such an image that would cause 
        malicious code to be stored in memory and then later executed on a 
        victim's computer." [9]
        CVE-2011-0059: "Adobe security researcher Peleus Uhley reported that 
        when plugin-initiated requests receive a 307 redirect response, the 
        plugin is not notified and the request is forwarded to the new 
        location. This is true even for cross-site redirects, so any custom 
        headers that were added as part of the initial request would be 
        forwarded intact across origins. This poses a CSRF risk for web 
        applications that rely on custom headers only being present in 
        requests from their own origin." [10]


        It is recommended that users of Firefox upgrade to the latest version.


        [1] Mozilla Foundation Security Advisory 2011-01

        [2] Mozilla Foundation Security Advisory 2011-02

        [3] Mozilla Foundation Security Advisory 2011-03

        [4] Mozilla Foundation Security Advisory 2011-04

        [5] Mozilla Foundation Security Advisory 2011-05

        [6] Mozilla Foundation Security Advisory 2011-06

        [7] Mozilla Foundation Security Advisory 2011-07

        [8] Mozilla Foundation Security Advisory 2011-08

        [9] Mozilla Foundation Security Advisory 2011-09

        [10] Mozilla Foundation Security Advisory 2011-10

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967