[USN-1355-2] Mozvoikko update
Posted on 03 February 2012
============================================================================
Ubuntu Security Notice USN-1355-2
February 03, 2012
mozvoikko update
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
This update provides compatible Mozvoikko packages for the latest Firefox.
Software Description:
- mozvoikko: Finnish spell-checker extension for Firefox
Details:
USN-1355-1 fixed vulnerabilities in Firefox. This update provides an
updated Mozvoikko package for use with the latest Firefox.
Original advisory details:
It was discovered that if a user chose to export their Firefox Sync key,
the "Firefox Recovery Key.html" file is saved with incorrect permissions,
making the file contents potentially readable by other users.
(CVE-2012-0450)

Nicolas Gregoire and Aki Helin discovered that when processing a malformed
embedded XSLT stylesheet, Firefox can crash due to memory corruption. If
the user were tricked into opening a specially crafted page, an attacker
could exploit this to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-0449)

It was discovered that memory corruption could occur during the decoding of
Ogg Vorbis files. If the user were tricked into opening a specially crafted
file, an attacker could exploit this to cause a denial of service via
application crash, or potentially execute code with the privileges of the
user invoking Firefox. (CVE-2012-0444)

Tim Abraldes discovered that when encoding certain image types the
resulting data was always a fixed size. There is the possibility of
sensitive data from uninitialized memory being appended to these images.
(CVE-2012-0447)

It was discovered that Firefox did not properly perform XPConnect security
checks. An attacker could exploit this to conduct cross-site scripting
(XSS) attacks through web pages and Firefox extensions. With cross-site
scripting vulnerabilities, if a user were tricked into viewing a specially
crafted page, a remote attacker could exploit this to modify the contents,
or steal confidential data, within the same domain. (CVE-2012-0446)

It was discovered that Firefox did not properly handle node removal in the
DOM. If the user were tricked into opening a specially crafted page, an
attacker could exploit this to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Firefox. (CVE-2011-3659)

Alex Dvorov discovered that Firefox did not properly handle sub-frames in
form submissions. An attacker could exploit this to conduct phishing
attacks using HTML5 frames. (CVE-2012-0445)

Ben Hawkes, Christian Holler, Honza Bombas, Jason Orendorff, Jesse
Ruderman, Jan Odvarko, Peter Van Der Beken, Bob Clary, and Bill McCloskey
discovered memory safety issues affecting Firefox. If the user were tricked
into opening a specially crafted page, an attacker could exploit these to
cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Firefox. (CVE-2012-0442,
CVE-2012-0443)
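For the Sync key export issue above (CVE-2012-0450), the following added
example (not part of the Ubuntu advisory or of Firefox) audits a directory
tree for exported "Firefox Recovery Key.html" files whose mode grants any
access to group or other, and can restrict them to the owner. The function
names, the --fix option and the 0600 target mode are assumptions of this
example.

```python
import os
import stat
import sys

# File name as given in the advisory text for CVE-2012-0450.
RECOVERY_KEY_NAME = "Firefox Recovery Key.html"


def find_exposed_recovery_keys(root):
    """Return sorted [(path, mode)] for key exports group/other can access.

    Only the file's own mode bits are checked; a restrictive parent
    directory may already prevent other users from reaching the file.
    """
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        if RECOVERY_KEY_NAME not in filenames:
            continue
        path = os.path.join(dirpath, RECOVERY_KEY_NAME)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore symlinks and special files with this name
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            exposed.append((path, mode))
    return sorted(exposed)


def restrict_to_owner(path):
    """Set the file to 0600 without following symlinks; return the new mode."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = args[0] if args else os.path.expanduser("~")
    for path, mode in find_exposed_recovery_keys(root):
        if "--fix" in sys.argv[1:]:
            print(f"{path}: {mode:04o} -> {restrict_to_owner(path):04o}")
        else:
            print(f"{path}: {mode:04o} (readable beyond owner)")
```

Run without arguments it reports on the current user's home directory; pass
a path and --fix to tighten the files it finds.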
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
xul-ext-mozvoikko 2.0.1-0ubuntu0.11.10.1
Ubuntu 11.04:
xul-ext-mozvoikko 2.0.1-0ubuntu0.11.04.1
Ubuntu 10.10:
xul-ext-mozvoikko 2.0.1-0ubuntu0.10.10.1
Ubuntu 10.04 LTS:
xul-ext-mozvoikko 2.0.1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1355-2
http://www.ubuntu.com/usn/usn-1355-1
https://launchpad.net/bugs/923319
Package Information:
https://launchpad.net/ubuntu/+source/mozvoikko/2.0.1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/mozvoikko/2.0.1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/mozvoikko/2.0.1-0ubuntu0.10.10.1
https://launchpad.net/ubuntu/+source/mozvoikko/2.0.1-0ubuntu0.10.04.1