Bug 7800 - firefox new security issue CVE-2012-4193 fixed in 10.0.9
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
Whiteboard: MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
 
Reported: 2012-10-15 14:24 CEST by David Walser
Modified: 2012-10-16 01:08 CEST (History)
Source RPM: firefox

Description David Walser 2012-10-15 14:24:14 CEST
Mandriva has issued an advisory on October 13:
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:167

Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated firefox packages fix security vulnerability:

Mozilla security researcher moz_bug_r_a4 reported a regression where
security wrappers are unwrapped without doing a security check in
defaultValue(). This can allow for improper access to the
Location object. In versions 15 and earlier of affected products, there
was also the potential for arbitrary code execution (CVE-2012-4193).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4193
http://www.mozilla.org/security/announce/2012/mfsa2012-89.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:167
========================

Updated packages in core/updates_testing:
========================
firefox-10.0.9-1.mga1
firefox-devel-10.0.9-1.mga1
firefox-af-10.0.9-1.mga1
firefox-ar-10.0.9-1.mga1
firefox-ast-10.0.9-1.mga1
firefox-be-10.0.9-1.mga1
firefox-bg-10.0.9-1.mga1
firefox-bn_IN-10.0.9-1.mga1
firefox-bn_BD-10.0.9-1.mga1
firefox-br-10.0.9-1.mga1
firefox-bs-10.0.9-1.mga1
firefox-ca-10.0.9-1.mga1
firefox-cs-10.0.9-1.mga1
firefox-cy-10.0.9-1.mga1
firefox-da-10.0.9-1.mga1
firefox-de-10.0.9-1.mga1
firefox-el-10.0.9-1.mga1
firefox-en_GB-10.0.9-1.mga1
firefox-en_ZA-10.0.9-1.mga1
firefox-eo-10.0.9-1.mga1
firefox-es_AR-10.0.9-1.mga1
firefox-es_CL-10.0.9-1.mga1
firefox-es_ES-10.0.9-1.mga1
firefox-es_MX-10.0.9-1.mga1
firefox-et-10.0.9-1.mga1
firefox-eu-10.0.9-1.mga1
firefox-fa-10.0.9-1.mga1
firefox-fi-10.0.9-1.mga1
firefox-fr-10.0.9-1.mga1
firefox-fy-10.0.9-1.mga1
firefox-ga_IE-10.0.9-1.mga1
firefox-gd-10.0.9-1.mga1
firefox-gl-10.0.9-1.mga1
firefox-gu_IN-10.0.9-1.mga1
firefox-he-10.0.9-1.mga1
firefox-hi-10.0.9-1.mga1
firefox-hr-10.0.9-1.mga1
firefox-hu-10.0.9-1.mga1
firefox-hy-10.0.9-1.mga1
firefox-id-10.0.9-1.mga1
firefox-is-10.0.9-1.mga1
firefox-it-10.0.9-1.mga1
firefox-ja-10.0.9-1.mga1
firefox-kk-10.0.9-1.mga1
firefox-ko-10.0.9-1.mga1
firefox-kn-10.0.9-1.mga1
firefox-ku-10.0.9-1.mga1
firefox-lg-10.0.9-1.mga1
firefox-lt-10.0.9-1.mga1
firefox-lv-10.0.9-1.mga1
firefox-mai-10.0.9-1.mga1
firefox-mk-10.0.9-1.mga1
firefox-ml-10.0.9-1.mga1
firefox-mr-10.0.9-1.mga1
firefox-nb_NO-10.0.9-1.mga1
firefox-nl-10.0.9-1.mga1
firefox-nn_NO-10.0.9-1.mga1
firefox-nso-10.0.9-1.mga1
firefox-or-10.0.9-1.mga1
firefox-pa_IN-10.0.9-1.mga1
firefox-pl-10.0.9-1.mga1
firefox-pt_BR-10.0.9-1.mga1
firefox-pt_PT-10.0.9-1.mga1
firefox-ro-10.0.9-1.mga1
firefox-ru-10.0.9-1.mga1
firefox-si-10.0.9-1.mga1
firefox-sk-10.0.9-1.mga1
firefox-sl-10.0.9-1.mga1
firefox-sq-10.0.9-1.mga1
firefox-sr-10.0.9-1.mga1
firefox-sv_SE-10.0.9-1.mga1
firefox-ta-10.0.9-1.mga1
firefox-ta_LK-10.0.9-1.mga1
firefox-te-10.0.9-1.mga1
firefox-th-10.0.9-1.mga1
firefox-tr-10.0.9-1.mga1
firefox-uk-10.0.9-1.mga1
firefox-vi-10.0.9-1.mga1
firefox-zh_CN-10.0.9-1.mga1
firefox-zh_TW-10.0.9-1.mga1
firefox-zu-10.0.9-1.mga1
firefox-10.0.9-1.mga2
firefox-devel-10.0.9-1.mga2
firefox-af-10.0.9-1.mga2
firefox-ar-10.0.9-1.mga2
firefox-ast-10.0.9-1.mga2
firefox-be-10.0.9-1.mga2
firefox-bg-10.0.9-1.mga2
firefox-bn_IN-10.0.9-1.mga2
firefox-bn_BD-10.0.9-1.mga2
firefox-br-10.0.9-1.mga2
firefox-bs-10.0.9-1.mga2
firefox-ca-10.0.9-1.mga2
firefox-cs-10.0.9-1.mga2
firefox-cy-10.0.9-1.mga2
firefox-da-10.0.9-1.mga2
firefox-de-10.0.9-1.mga2
firefox-el-10.0.9-1.mga2
firefox-en_GB-10.0.9-1.mga2
firefox-en_ZA-10.0.9-1.mga2
firefox-eo-10.0.9-1.mga2
firefox-es_AR-10.0.9-1.mga2
firefox-es_CL-10.0.9-1.mga2
firefox-es_ES-10.0.9-1.mga2
firefox-es_MX-10.0.9-1.mga2
firefox-et-10.0.9-1.mga2
firefox-eu-10.0.9-1.mga2
firefox-fa-10.0.9-1.mga2
firefox-fi-10.0.9-1.mga2
firefox-fr-10.0.9-1.mga2
firefox-fy-10.0.9-1.mga2
firefox-ga_IE-10.0.9-1.mga2
firefox-gd-10.0.9-1.mga2
firefox-gl-10.0.9-1.mga2
firefox-gu_IN-10.0.9-1.mga2
firefox-he-10.0.9-1.mga2
firefox-hi-10.0.9-1.mga2
firefox-hr-10.0.9-1.mga2
firefox-hu-10.0.9-1.mga2
firefox-hy-10.0.9-1.mga2
firefox-id-10.0.9-1.mga2
firefox-is-10.0.9-1.mga2
firefox-it-10.0.9-1.mga2
firefox-ja-10.0.9-1.mga2
firefox-kk-10.0.9-1.mga2
firefox-ko-10.0.9-1.mga2
firefox-kn-10.0.9-1.mga2
firefox-ku-10.0.9-1.mga2
firefox-lg-10.0.9-1.mga2
firefox-lt-10.0.9-1.mga2
firefox-lv-10.0.9-1.mga2
firefox-mai-10.0.9-1.mga2
firefox-mk-10.0.9-1.mga2
firefox-ml-10.0.9-1.mga2
firefox-mr-10.0.9-1.mga2
firefox-nb_NO-10.0.9-1.mga2
firefox-nl-10.0.9-1.mga2
firefox-nn_NO-10.0.9-1.mga2
firefox-nso-10.0.9-1.mga2
firefox-or-10.0.9-1.mga2
firefox-pa_IN-10.0.9-1.mga2
firefox-pl-10.0.9-1.mga2
firefox-pt_BR-10.0.9-1.mga2
firefox-pt_PT-10.0.9-1.mga2
firefox-ro-10.0.9-1.mga2
firefox-ru-10.0.9-1.mga2
firefox-si-10.0.9-1.mga2
firefox-sk-10.0.9-1.mga2
firefox-sl-10.0.9-1.mga2
firefox-sq-10.0.9-1.mga2
firefox-sr-10.0.9-1.mga2
firefox-sv_SE-10.0.9-1.mga2
firefox-ta-10.0.9-1.mga2
firefox-ta_LK-10.0.9-1.mga2
firefox-te-10.0.9-1.mga2
firefox-th-10.0.9-1.mga2
firefox-tr-10.0.9-1.mga2
firefox-uk-10.0.9-1.mga2
firefox-vi-10.0.9-1.mga2
firefox-zh_CN-10.0.9-1.mga2
firefox-zh_TW-10.0.9-1.mga2
firefox-zu-10.0.9-1.mga2

from SRPMS:
firefox-10.0.9-1.mga1.src.rpm
firefox-l10n-10.0.9-1.mga1.src.rpm
firefox-10.0.9-1.mga2.src.rpm
firefox-l10n-10.0.9-1.mga2.src.rpm
Comment 1 claire robinson 2012-10-15 15:01:00 CEST
Tested OK mga2 64

Java, https, flash, flash over https, spelling, bookmarks etc
Comment 2 David GEIGER 2012-10-15 21:48:53 CEST
Testing complete for firefox-10.0.9-1.mga2 and firefox-fr-10.0.9-1.mga2 on Mageia release 2 (Official) for x86_64, for me it's OK, it works fine and nothing to report.
Comment 3 Dave Hodgins 2012-10-16 00:01:09 CEST
Testing complete Mageia 2 i586, Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpms
firefox-10.0.9-1.mga2.src.rpm
firefox-l10n-10.0.9-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
firefox-10.0.9-1.mga1.src.rpm
firefox-l10n-10.0.9-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated firefox packages fix security vulnerability:

Mozilla security researcher moz_bug_r_a4 reported a regression where
security wrappers are unwrapped without doing a security check in
defaultValue(). This can allow for improper access to the
Location object. In versions 15 and earlier of affected products, there
was also the potential for arbitrary code execution (CVE-2012-4193).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4193
http://www.mozilla.org/security/announce/2012/mfsa2012-89.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:167

https://bugs.mageia.org/show_bug.cgi?id=7800
Comment 4 Thomas Backlund 2012-10-16 01:08:56 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0295
