1. Ubuntu Security Notices
  2. USN-1251-1

USN-1251-1: Firefox and Xulrunner vulnerabilities

Publication date

10 November 2011

Overview

Multiple vulnerabilities have been fixed in Firefox and Xulrunner.

Releases

Packages

Details

It was discovered that CVE-2011-3004, which addressed possible privilege
escalation in addons, also affected Firefox 3.6. An attacker could
potentially exploit Firefox when an add-on was installed that used
loadSubscript in vulnerable ways. (CVE-2011-3647)

Yosuke Hasegawa discovered that the Mozilla browser engine mishandled
invalid sequences in the Shift-JIS encoding. A malicious website could
possibly use this flaw this to steal data or inject malicious scripts into
web content. (CVE-2011-3648)

Marc Schoenefeld discovered that using Firebug to profile a JavaScript file
with many functions would cause Firefox to crash. An attacker might be able
to exploit this without using the debugging APIs which would potentially
allow an attacker to remotely crash the browser. (CVE-2011-3650)

It was discovered that CVE-2011-3004, which addressed possible privilege
escalation in addons, also affected Firefox 3.6. An attacker could
potentially exploit Firefox when an add-on was installed that used
loadSubscript in vulnerable ways. (CVE-2011-3647)

Yosuke Hasegawa discovered that the Mozilla browser engine mishandled
invalid sequences in the Shift-JIS encoding. A malicious website could
possibly use this flaw this to steal data or inject malicious scripts into
web content. (CVE-2011-3648)

Marc Schoenefeld discovered that using Firebug to profile a JavaScript file
with many functions would cause Firefox to crash. An attacker might be able
to exploit this without using the debugging APIs which would potentially
allow an attacker to remotely crash the browser. (CVE-2011-3650)

Update instructions

After a standard system upgrade you need to restart Firefox and any applications that use Xulrunner to effect the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
10.10 maverick firefox –  3.6.24+build2+nobinonly-0ubuntu0.10.10.1
xulrunner-1.9.2 –  1.9.2.24+build2+nobinonly-0ubuntu0.10.10.1
10.04 lucid firefox –  3.6.24+build2+nobinonly-0ubuntu0.10.04.1
xulrunner-1.9.2 –  1.9.2.24+build2+nobinonly-0ubuntu0.10.04.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›