Bug 7563 - Security issues for iceape fixed in version 2.12
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://www.mozilla.org/security/known...
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32...
Keywords: Security, validated_update
Reported: 2012-09-24 18:00 CEST by Christiaan Welvaart
Modified: 2012-09-30 23:40 CEST (History)

See Also:
Source RPM: iceape-2.11-1.src.rpm
CVE:
Status comment:


Attachments
iceape.txt the console output from java crash. (11.92 KB, text/plain)
2012-09-26 17:09 CEST, claire robinson

Description Christiaan Welvaart 2012-09-24 18:00:57 CEST
Several vulnerabilities have been found in iceape 2.11, which is currently in mga2 as well as mga1. They have been fixed in (SeaMonkey) version 2.12.
Comment 1 Christiaan Welvaart 2012-09-24 18:46:28 CEST
Updated packages are available for testing.

Source RPMS:
iceape-2.12.1-1.mga1.src.rpm
iceape-2.12.1-1.mga2.src.rpm

Binary RPMS for Mageia 1:
iceape-2.12.1-1.mga1

Binary RPMS for Mageia 2:
iceape-2.12.1-1.mga2

Proposed advisory:

Updated iceape packages fix security issues:

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2012-1970)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to garbage collection after certain MethodJIT execution, and unknown other vectors. (CVE-2012-1971)

Use-after-free vulnerability in the nsHTMLEditor::CollapseAdjacentTextNodes function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1972)

Use-after-free vulnerability in the nsObjectLoadingContent::LoadObject function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1973)

Use-after-free vulnerability in the gfxTextRun::CanBreakLineBefore function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1974)

Use-after-free vulnerability in the PresShell::CompleteMove function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1975)

Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesValues function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-1976)

Use-after-free vulnerability in the MediaStreamGraphThreadRunnable::Run function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3956)

Heap-based buffer overflow in the nsBlockFrame::MarkLineDirty function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2012-3957)

Use-after-free vulnerability in the nsHTMLEditRules::DeleteNonTableElements function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3958)

Use-after-free vulnerability in the nsRangeUpdater::SelAdjDeleteNode function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3959)

Use-after-free vulnerability in the mozSpellChecker::SetCurrentDictionary function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3960)

Use-after-free vulnerability in the RangeData implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3961)

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly iterate through the characters in a text run, which allows remote attackers to execute arbitrary code via a crafted document. (CVE-2012-3962)

Use-after-free vulnerability in the js::gc::MapAllocToTraceKind function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2012-3963)

Use-after-free vulnerability in the gfxTextRun::GetUserData function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2012-3964)

Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 do not prevent use of the Object.defineProperty method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin. (CVE-2012-1956)

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a negative height value in a BMP image within a .ICO file, related to (1) improper handling of the transparency bitmask by the nsICODecoder component and (2) improper processing of the alpha channel by the nsBMPDecoder component. (CVE-2012-3966)

The WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 on Linux, when a large number of sampler uniforms are used, does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted web site. (CVE-2012-3967)

Use-after-free vulnerability in the WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via vectors related to deletion of a fragment shader by its accessor. (CVE-2012-3968)

Integer overflow in the nsSVGFEMorphologyElement::Filter function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via a crafted SVG filter that triggers an incorrect sum calculation, leading to a heap-based buffer overflow. (CVE-2012-3969)

Use-after-free vulnerability in the nsTArray_base::Length function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving movement of a requiredFeatures attribute from one SVG document to another. (CVE-2012-3970)

Summer Institute of Linguistics (SIL) Graphite 2, as used in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the (1) Silf::readClassMap and (2) Pass::readPass functions. (CVE-2012-3971)

The format-number functionality in the XSLT implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based buffer over-read. (CVE-2012-3972)

The DOMParser component in Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12 loads subresources during parsing of text/html data within an extension, which allows remote attackers to obtain sensitive information by providing crafted data to privileged extension code. (CVE-2012-3975)

Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly handle onLocationChange events during navigation between different https sites, which allows remote attackers to spoof the X.509 certificate information in the address bar via a crafted web page. (CVE-2012-3976)

The nsLocation::CheckURL function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 does not properly follow the security model of the location object, which allows remote attackers to bypass intended content-loading restrictions or possibly have unspecified other impact via vectors involving chrome code. (CVE-2012-3978)

SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection. (MFSA 2012-73)
 
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://www.mozilla.org/security/announce/2012/mfsa2012-73.html
Comment 2 Dave Hodgins 2012-09-26 04:00:18 CEST
Testing complete on Mageia 1 i586, Mageia 2 i586, and Mageia 2 x86-64.

Just testing for regressions using general web browsing, pop email, and
an nntp account.

My Mageia 1 x86-64 install was corrupted during the installation of iceape,
as reported in bug 7582.  I'll reinstall it and test Mageia 1 x86-64
tomorrow, if no-one else tests this before then.
Comment 3 Philippe Didier 2012-09-26 13:06:28 CEST
Tested on Mageia2 586
on a real install (not a virtualbox)

OK!
Comment 4 claire robinson 2012-09-26 16:40:50 CEST
Testing mga1 64
Comment 5 claire robinson 2012-09-26 17:08:09 CEST
Java causes a crash in Navigator - Buffer overflow detected. I'll attach the console output. I _think_ this is a regression but will need to check.
Comment 6 claire robinson 2012-09-26 17:09:40 CEST
Created attachment 2864 [details]
iceape.txt the console output from java crash.

Icedtea-web is installed and can be seen as a plugin in iceape.
All packages up to date.
Comment 7 claire robinson 2012-09-26 17:16:22 CEST
Everything else seems fine, address book, emails, composer, spelling, chatzilla, https, flash, flash over https, bookmarks, etc.


I'll test whether the java crash occurs on mga1 32 also.
Comment 8 claire robinson 2012-09-26 17:39:30 CEST
Confirmed the crash happens on mga1 32 also and that it is not a regression. I haven't checked mga2 for the crash.

I used diff on the console output before and after the update and they appear to be identical.

Christiaan, is this something you want to tackle now or should I create a new bug for it?
Comment 9 claire robinson 2012-09-26 17:44:40 CEST
Hmmm the reason they were identical is that they were empty :\

They do differ but the backtrace is the same.

$ head iceape-2.11-mga1-32.txt 
*** buffer overflow detected ***: /usr/lib/iceape-2.11/iceape-bin terminated
======= Backtrace: =========
/lib/i686/libc.so.6(__fortify_fail+0x50)[0xb769b7e0]
/lib/i686/libc.so.6(+0xeb81a)[0xb769981a]
/usr/lib/IcedTeaPlugin.so(NP_Initialize+0x1a3)[0xa439c173]
======= Memory map: ========
08048000-0805f000 r-xp 00000000 08:01 548851     /usr/lib/iceape-2.11/iceape-bin
0805f000-08060000 r--p 00016000 08:01 548851     /usr/lib/iceape-2.11/iceape-bin
08060000-08061000 rw-p 00017000 08:01 548851     /usr/lib/iceape-2.11/iceape-bin
99f00000-9a000000 rw-p 00000000 00:00 0 

$ head iceape-2.12-mga1-32.txt 
*** buffer overflow detected ***: /usr/lib/iceape-2.12.1/iceape-bin terminated
======= Backtrace: =========
/lib/i686/libc.so.6(__fortify_fail+0x50)[0xb77027e0]
/lib/i686/libc.so.6(+0xeb81a)[0xb770081a]
/usr/lib/IcedTeaPlugin.so(NP_Initialize+0x1a3)[0xade23173]
======= Memory map: ========
08048000-0805f000 r-xp 00000000 08:01 549094     /usr/lib/iceape-2.12.1/iceape-bin
0805f000-08060000 r--p 00016000 08:01 549094     /usr/lib/iceape-2.12.1/iceape-bin
08060000-08061000 rw-p 00017000 08:01 549094     /usr/lib/iceape-2.12.1/iceape-bin
96695000-96696000 ---p 00000000 00:00 0
Comment 10 Philippe Didier 2012-09-26 18:35:02 CEST
No crash with Java in Mageia2 586 ... everything is OK!

NB 1:
there are different versions of icedtea-web:
in Mageia 1: 1.1.6-1 (last updated 1st August 2012)
in Mageia 2: 1.3-1 (last updated 7th September 2012)

Perhaps you found an icedtea-web bug instead of an iceape one!


NB 2:
I use Iceape with the address book, bookmarks and mails imported from Mandriva 2010.2 SeaMonkey (I had no problem importing the whole huge lot).
You only need to know that Iceape is SeaMonkey!
You only need to know that the directory is /home/username/.mozilla/seamonkey ...
and not /home/username/.mozilla/iceape as one might think
(even if the package name is different now in Mageia, with little cosmetic changes to the icons, the internal structure is fortunately the same!)

Hope this will help to diagnose the bug you encountered.

Regards
Philippe
Comment 11 claire robinson 2012-09-26 18:46:45 CEST
The java crash doesn't occur in mga2 64 either, but it does on both mga1 arches for me in VirtualBox.

Java works fine in Firefox and Midori mga1 so this is definitely an iceape problem.

Could you let us know how you want to proceed, Christiaan, please? Is this something you want to tackle now or should I create a new bug for it?

Thanks
Comment 12 Christiaan Welvaart 2012-09-27 04:12:48 CEST
The java plugin crashes because icedtea-web is built against the older xulrunner/firefox in mga1 and apparently can't handle the new info it gets from iceape.

[It tries to copy a larger struct it gets from iceape completely into its own smaller struct => buffer overflow. I think it could just copy the part it knows about and ignore the rest but I couldn't find lib64xulrunner-devel 10.0.6 on the mirror I use to build a modified icedtea-web package.]

AFAICT this is a problem in icedtea-web that I can't fix in iceape, so it should not block this security update.
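The struct-copy mismatch described in comment 12, as an added C model that is not icedtea-web or iceape code (table and field names are hypothetical): the browser hands the plugin a function table whose first field is its own byte size, the plugin copies it into a struct laid out for an older release, and the fix is to copy only the prefix the plugin understands and reject tables too short to hold it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef void (*host_fn)(void);

/* Table layout the plugin was compiled against (hypothetical older release). */
typedef struct {
    uint16_t size;      /* total byte size, filled in by the host */
    uint16_t version;
    host_fn  geturl;
} HostTableOld;

/* Layout a newer browser actually hands over: same prefix, extra entries. */
typedef struct {
    uint16_t size;
    uint16_t version;
    host_fn  geturl;
    host_fn  getvalue;        /* appended by the newer release */
    host_fn  schedule_timer;
} HostTableNew;

/* Vulnerable pattern: trust the host's `size` as the copy length. Copying that
 * many bytes into a HostTableOld overruns it; FORTIFY_SOURCE reports this as
 * "buffer overflow detected". Only the length is returned, no copy is made. */
size_t naive_copy_length(const void *host_table) {
    uint16_t size;
    memcpy(&size, host_table, sizeof size);
    return size;
}

/* Hardened pattern: copy only the prefix the plugin understands and reject
 * tables too short to contain it. Returns bytes copied, 0 when rejected. */
size_t safe_copy_host_table(const void *host_table, HostTableOld *dst) {
    uint16_t size;
    memcpy(&size, host_table, sizeof size);
    if (size < sizeof *dst)                 /* truncated: fields missing */
        return 0;
    memcpy(dst, host_table, sizeof *dst);   /* ignore the unknown tail */
    return sizeof *dst;
}

/* Constructed table as a newer host would fill it in (sample data). */
void fill_new_table(HostTableNew *t) {
    memset(t, 0, sizeof *t);
    t->size = (uint16_t)sizeof *t;
    t->version = 21;
}

int main(void) {
    HostTableNew host; HostTableOld mine;
    fill_new_table(&host);
    printf("naive: %zu bytes into a %zu-byte struct; safe: %zu bytes\n",
           naive_copy_length(&host), sizeof mine, safe_copy_host_table(&host, &mine));
    return 0;
}
```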
Comment 13 claire robinson 2012-09-27 10:05:20 CEST
Thanks Christiaan, bug 7596 created for the java crash in mga1.

Validating

SRPMs and advisory in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 14 Thomas Backlund 2012-09-30 23:40:29 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0279
