Mandriva: firefox


 
02-19-2010

LinuxSecurity.com: Security issues were identified and fixed in firefox 3.0.x and 3.5.x:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2010-0159).

Security researcher Orlando Barrera II reported via TippingPoint's Zero Day Initiative that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer (CVE-2010-0160).

Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution of arbitrary code if methods on the freed objects were subsequently called (CVE-2009-1571).

Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site. An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla (CVE-2009-3988).

Mozilla security researcher Georgi Guninski reported that when an SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an tag with type=image/svg+xml, the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload an SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicious page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy (CVE-2010-0162).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

Additionally, some packages which require so have been rebuilt and are being provided as updates.
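
For CVE-2010-0162, a site that stores user uploads can classify files by their content instead of trusting the Content-Type it serves them with. The following Python sketch is an added example, not part of the advisory or of any Mozilla or Mandriva code; `inspect_upload`, the verdict names and the sample bytes are hypothetical.

```python
from xml.parsers import expat

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"

class _EntityDeclared(Exception):
    """Aborts parsing: documents that declare entities are not analysed."""

def inspect_upload(data: bytes) -> dict:
    """Classify stored bytes by content; the declared Content-Type is ignored."""
    root, findings = [], []

    def start(name, attrs):
        ns, _, local = name.rpartition(" ")  # expat reports "namespace local"
        if not root:
            root.append((ns, local))
        if local == "script" and ns in (SVG_NS, XHTML_NS):
            findings.append("script element")
        for attr, value in attrs.items():
            if " " not in attr and attr.lower().startswith("on"):
                findings.append("event handler attribute " + attr)
            url = "".join(value.split()).lower()
            if attr.rpartition(" ")[2] == "href" and url.startswith("javascript:"):
                findings.append("javascript: URL in href")

    def entity_decl(*_args):
        raise _EntityDeclared()

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(data, True)
    except _EntityDeclared:
        # Fail closed: entity-bearing documents go to manual review.
        return {"verdict": "needs_review", "findings": ["entity declaration"]}
    except expat.ExpatError:
        pass  # keep what was seen before the error; XML is parsed incrementally

    if root[:1] != [(SVG_NS, "svg")]:
        return {"verdict": "not_svg", "findings": []}
    return {"verdict": "svg_active" if findings else "svg_static", "findings": findings}

# Constructed samples (not from the advisory).
SAMPLES = {
    "static": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* sample */</script></svg>',
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}
```

A `svg_static` verdict only means none of the listed constructs were found; the checks are not an exhaustive list of script-capable SVG features.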
