Silk Road forums
Discussion => Security => Topic started by: sourman on February 17, 2012, 09:45 pm
-
http://blog.mozilla.com/security/2012/02/17/mozilla-releases-to-address-cve-2011-3026/
The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.
Impact to users
This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.
I'm reading up on the details now, but this bug looks like something SR users would want to patch quickly. Unfortunately the tor browser bundle hasn't been updated with the newly released FF 10.0.2 yet. They better get on that. Until then, you can disable image loading if you're paranoid: Go to tools > options > content and uncheck "load images automatically".
-
The Tor Browser Bundles have all been updated to the latest Firefox 10.0.2.
https://www.torproject.org/download
Tor Browser Bundle (2.2.35-7)
Update Firefox to 10.0.2
Linux updates
Update libpng to 1.5.8 (closes: #5144)
UPDATE: The wrong version of Firefox got into the OS X 64-bit and Windows bundles. These have now been updated properly and are online with version number 2.2.35-7.1.