
mozilla: multiple vulnerabilities

Package(s): firefox, thunderbird
CVE #(s): CVE-2012-0467 CVE-2012-0470 CVE-2012-0471 CVE-2012-0477 CVE-2012-0479
Created: April 25, 2012
Updated: July 23, 2012
Description: From the CVE entries:

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2012-0467)

Heap-based buffer overflow in the nsSVGFEDiffuseLightingElement::LightPixel function in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to cause a denial of service (invalid gfxImageSurface free operation) or possibly execute arbitrary code by leveraging the use of "different number systems." (CVE-2012-0470)

Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to inject arbitrary web script or HTML via a multibyte character set. (CVE-2012-0471)

Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to inject arbitrary web script or HTML via the (1) ISO-2022-KR or (2) ISO-2022-CN character set. (CVE-2012-0477)

Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to spoof the address bar via an https URL for invalid (1) RSS or (2) Atom XML content. (CVE-2012-0479)

Alerts:
Debian DSA-2457-1 2012-04-24
Debian DSA-2458-1 2012-04-24
Red Hat RHSA-2012:0515-01 2012-04-24
Red Hat RHSA-2012:0516-01 2012-04-24
CentOS CESA-2012:0515 2012-04-25
CentOS CESA-2012:0515 2012-04-25
CentOS CESA-2012:0516 2012-04-24
CentOS CESA-2012:0516 2012-04-25
Scientific Linux SL-thun-20120425 2012-04-25
Scientific Linux SL-fire-20120425 2012-04-25
Oracle ELSA-2012-0515 2012-04-25
Oracle ELSA-2012-0515 2012-04-25
Oracle ELSA-2012-0516 2012-04-25
Mandriva MDVSA-2012:066 2012-04-27
openSUSE openSUSE-SU-2012:0567-1 2012-04-27
Ubuntu USN-1430-1 2012-04-27
Ubuntu USN-1430-2 2012-04-27
SUSE SUSE-SU-2012:0580-1 2012-05-02
Debian DSA-2464-1 2012-05-03
Ubuntu USN-1430-3 2012-05-04
Debian DSA-2464-2 2012-05-08
Debian DSA-2457-2 2012-05-13
Mandriva MDVSA-2012:081 2012-05-24
SUSE SUSE-SU-2012:0688-1 2012-06-02
Ubuntu USN-1430-4 2012-06-12
Mageia MGASA-2012-0176 2012-07-21
Gentoo 201301-01 2013-01-07

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds