Several vulnerabilities have been found for iceape 2.11 which is currently in mga2 as well as mga1. They have been fixed in (seamonkey) version 2.12.
Keywords: (none) => Security
Whiteboard: (none) => MGA1TOO
Updated packages are available for testing.

Source RPMS:
iceape-2.12.1-1.mga1.src.rpm
iceape-2.12.1-1.mga2.src.rpm

Binary RPMS for Mageia 1:
iceape-2.12.1-1.mga1

Binary RPMS for Mageia 2:
iceape-2.12.1-1.mga2

Proposed advisory:

Updated iceape packages fix security issues:

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2012-1970)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to garbage collection after certain MethodJIT execution, and unknown other vectors. (CVE-2012-1971)

Use-after-free vulnerability in the nsHTMLEditor::CollapseAdjacentTextNodes function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1972)

Use-after-free vulnerability in the nsObjectLoadingContent::LoadObject function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1973)

Use-after-free vulnerability in the gfxTextRun::CanBreakLineBefore function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1974)

Use-after-free vulnerability in the PresShell::CompleteMove function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1975)

Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesValues function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1976)

Use-after-free vulnerability in the MediaStreamGraphThreadRunnable::Run function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3956)

Heap-based buffer overflow in the nsBlockFrame::MarkLineDirty function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2012-3957)

Use-after-free vulnerability in the nsHTMLEditRules::DeleteNonTableElements function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3958)

Use-after-free vulnerability in the nsRangeUpdater::SelAdjDeleteNode function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3959)

Use-after-free vulnerability in the mozSpellChecker::SetCurrentDictionary function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3960)

Use-after-free vulnerability in the RangeData implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3961)

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly iterate through the characters in a text run, which allows remote attackers to execute arbitrary code via a crafted document. (CVE-2012-3962)

Use-after-free vulnerability in the js::gc::MapAllocToTraceKind function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2012-3963)

Use-after-free vulnerability in the gfxTextRun::GetUserData function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3964)

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. (CVE-2012-1956)

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a negative height value in a BMP image within a .ICO file, related to (1) improper handling of the transparency bitmask by the nsICODecoder component and (2) improper processing of the alpha channel by the nsBMPDecoder component. (CVE-2012-3966)

The WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 on Linux, when a large number of sampler uniforms are used, does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted web site. (CVE-2012-3967)

Use-after-free vulnerability in the WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via vectors related to deletion of a fragment shader by its accessor. (CVE-2012-3968)

Integer overflow in the nsSVGFEMorphologyElement::Filter function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via a crafted SVG filter that triggers an incorrect sum calculation, leading to a heap-based buffer overflow. (CVE-2012-3969)

Use-after-free vulnerability in the nsTArray_base::Length function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving movement of a requiredFeatures attribute from one SVG document to another. (CVE-2012-3970)

Summer Institute of Linguistics (SIL) Graphite 2, as used in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the (1) Silf::readClassMap and (2) Pass::readPass functions. (CVE-2012-3971)

The format-number functionality in the XSLT implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based buffer over-read. (CVE-2012-3972)

The DOMParser component in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 loads subresources during parsing of text/html data within an extension, which allows remote attackers to obtain sensitive information by providing crafted data to privileged extension code. (CVE-2012-3975)

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly handle onLocationChange events during navigation between different https sites, which allows remote attackers to spoof the X.509 certificate information in the address bar via a crafted web page. (CVE-2012-3976)

The nsLocation::CheckURL function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 does not properly follow the security model of the location object, which allows remote attackers to bypass intended content-loading restrictions or possibly have unspecified other impact via vectors involving chrome code. (CVE-2012-3978)

SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection. (MFSA 2012-73)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://www.mozilla.org/security/announce/2012/mfsa2012-73.html
Status: NEW => ASSIGNED
URL: (none) => http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
Assignee: cjw => qa-bugs
Component: RPM Packages => Security
Testing complete on Mageia 1 i586, Mageia 2 i586, and Mageia 2 x86-64. Just testing for regressions using general web browsing, pop email, and an nntp account. My Mageia 1 x86-64 install was corrupted during the installation of iceape, as reported in bug 7582. I'll reinstall it and test Mageia 1 x86-64 tomorrow, if no-one else tests this before then.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK
Tested on Mageia2 586 on a real install (not a virtualbox): OK!
CC: (none) => philippedidier
Testing mga1 64
Java causes a crash in Navigator - Buffer overflow detected. I'll attach the console output. I _think_ this is a regression but will need to check.
Created attachment 2864: iceape.txt, the console output from the java crash. Icedtea-web is installed and can be seen as a plugin in iceape. All packages up to date.
Everything else seems fine: address book, emails, composer, spelling, chatzilla, https, flash, flash over https, bookmarks, etc. I'll test whether the java crash occurs on mga1 32 also.
Confirmed the crash happens on mga1 32 also and that it is not a regression. I haven't checked mga2 for the crash. I used diff on the console output before and after the update and they appear to be identical. Christiaan, is this something you want to tackle now or should I create a new bug for it?
Hmmm, the reason they were identical is that they were empty :\ They do differ, but the backtrace is the same.

$ head iceape-2.11-mga1-32.txt
*** buffer overflow detected ***: /usr/lib/iceape-2.11/iceape-bin terminated
======= Backtrace: =========
/lib/i686/libc.so.6(__fortify_fail+0x50)[0xb769b7e0]
/lib/i686/libc.so.6(+0xeb81a)[0xb769981a]
/usr/lib/IcedTeaPlugin.so(NP_Initialize+0x1a3)[0xa439c173]
======= Memory map: ========
08048000-0805f000 r-xp 00000000 08:01 548851 /usr/lib/iceape-2.11/iceape-bin
0805f000-08060000 r--p 00016000 08:01 548851 /usr/lib/iceape-2.11/iceape-bin
08060000-08061000 rw-p 00017000 08:01 548851 /usr/lib/iceape-2.11/iceape-bin
99f00000-9a000000 rw-p 00000000 00:00 0

$ head iceape-2.12-mga1-32.txt
*** buffer overflow detected ***: /usr/lib/iceape-2.12.1/iceape-bin terminated
======= Backtrace: =========
/lib/i686/libc.so.6(__fortify_fail+0x50)[0xb77027e0]
/lib/i686/libc.so.6(+0xeb81a)[0xb770081a]
/usr/lib/IcedTeaPlugin.so(NP_Initialize+0x1a3)[0xade23173]
======= Memory map: ========
08048000-0805f000 r-xp 00000000 08:01 549094 /usr/lib/iceape-2.12.1/iceape-bin
0805f000-08060000 r--p 00016000 08:01 549094 /usr/lib/iceape-2.12.1/iceape-bin
08060000-08061000 rw-p 00017000 08:01 549094 /usr/lib/iceape-2.12.1/iceape-bin
96695000-96696000 ---p 00000000 00:00 0
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK feedback
No crash with Java in Mageia2 586 ... everything is OK!

NB 1: there are different versions of icedtea-web:
in Mageia1: 1.1.6-1 (last update 1st August 2012)
in Mageia2: 1.3-1 (last update 7th September 2012)
Perhaps you found an icedtea-web bug instead of an iceape one!!!

NB 2: I use Iceape with imported address book, bookmarks and mails from Mandriva 2010.2 Seamonkey (I had no problem importing the whole huge stuff). Only need to know that Iceape is Seamonkey! Only need to know that the directory is /home/username/.mozilla/seamonkey ... and not /home/username/.mozilla/iceape as we may think (even if the package name is different now in Mageia, with little cosmetic changes to the icons, the internal structure is fortunately the same!!!)

Hope this will help to diagnose the bug you encountered.
Regards,
Philippe
The java crash doesn't occur in mga2 64 either, but it does in both archs of mga1 for me in virtualbox. Java works fine in Firefox and Midori on mga1, so this is definitely an iceape problem. Could you let us know how you want to proceed, Christiaan, please. Is this something you want to tackle now or should I create a new bug for it? Thanks
The java plugin crashes because icedtea-web is built against the older xulrunner/firefox in mga1 and apparently can't handle the new info it gets from iceape. [It tries to copy a larger struct it gets from iceape completely into its own smaller struct => buffer overflow. I think it could just copy the part it knows about and ignore the rest but I couldn't find lib64xulrunner-devel 10.0.6 on the mirror I use to build a modified icedtea-web package.] AFAICT this is a problem in icedtea-web that I can't fix in iceape, so it should not block this security update.
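The struct-size mismatch described in the previous comment, as an added illustration that is not icedtea-web's or iceape's code: a constructed, size-prefixed function table in the style a browser hands to a plugin at NP_Initialize time (the type and field names here are assumptions, not the real NPAPI definitions), an unchecked copy that would overrun the plugin's smaller table, and the bounded copy the comment suggests.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a size-prefixed function table (names illustrative).
 * The first field tells the receiver how many bytes the caller provides. */
typedef struct {
    uint16_t size;                 /* bytes the caller filled, header included */
    uint16_t version;
    void (*geturl)(void);
    void (*posturl)(void);
} OldPluginFuncs;                  /* layout the plugin was compiled against */

typedef struct {
    uint16_t size;
    uint16_t version;
    void (*geturl)(void);
    void (*posturl)(void);
    void (*newer_entry_a)(void);   /* entries added by a newer browser */
    void (*newer_entry_b)(void);
} NewBrowserFuncs;

/* Bytes an unchecked `memcpy(dst, src, src->size)` would write past the end
 * of the plugin's own table.  Non-zero means the copy is a buffer overflow,
 * the condition glibc's FORTIFY check aborts on ("buffer overflow detected"). */
size_t overflow_bytes(uint16_t caller_size, size_t dst_size)
{
    return caller_size > dst_size ? caller_size - dst_size : 0;
}

/* Bounded copy: take only the prefix both sides agree on, then record in
 * dst->size how many bytes were really filled so later code knows which
 * entries are valid.  Returns the number of bytes copied. */
size_t import_funcs_bounded(OldPluginFuncs *dst, const NewBrowserFuncs *src)
{
    size_t n = src->size < sizeof *dst ? src->size : sizeof *dst;
    memset(dst, 0, sizeof *dst);   /* unset entries stay NULL, never stale */
    memcpy(dst, src, n);
    dst->size = (uint16_t)n;
    return n;
}

static void dummy_geturl(void) {}

/* Constructed exchange: the browser offers its full (larger) table and the
 * plugin imports the part it understands.  Returns bytes copied, or 0 if the
 * shared fields did not survive the copy intact. */
size_t demo_bounded_import(void)
{
    NewBrowserFuncs browser = { .size = sizeof browser, .version = 27,
                                .geturl = dummy_geturl };
    OldPluginFuncs plugin;
    size_t n = import_funcs_bounded(&plugin, &browser);
    return (plugin.geturl == dummy_geturl && plugin.version == 27) ? n : 0;
}
```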
Thanks Christiaan, bug 7596 created for the java crash in mga1.

Validating SRPMs and advisory in comment 1.

Could sysadmin please push from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK feedback => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK mga2-64-OK
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK mga2-64-OK => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK mga1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0279
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED