Mozilla Foundation Security Advisory 2006-32

Fixes for crashes with potential memory corruption (rv:1.8.0.4)

Announced

June 1, 2006

Reporter

Mozilla Developers

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

• Firefox 1.5.0.4
• SeaMonkey 1.0.2
• Thunderbird 1.5.0.4

Description

Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption that we presume is exploitable.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Workaround

Disable Javascript until you can upgrade to a fixed version.

References

Removing nested <option>s from a select (Jesse Ruderman)

• https://bugzilla.mozilla.org/show_bug.cgi?id=324918

Crashes during DOMNodeRemoved mutation event

• https://bugzilla.mozilla.org/show_bug.cgi?id=325730
• https://bugzilla.mozilla.org/show_bug.cgi?id=329982

Content-implemented tree views can corrupt memory (Boris Zbarsky)

• https://bugzilla.mozilla.org/show_bug.cgi?id=326501

Memory corruption involving BoxObjects (Boris Zbarsky, Neil Rashbrook, Georgi Guninski)

• https://bugzilla.mozilla.org/show_bug.cgi?id=326931
• https://bugzilla.mozilla.org/show_bug.cgi?id=329219
• https://bugzilla.mozilla.org/show_bug.cgi?id=330818

XBL implementation doesn't root temporaries correctly (L. David Baron)

• https://bugzilla.mozilla.org/show_bug.cgi?id=327712

crash with iframe removing itself (Georgi Guninski)

• https://bugzilla.mozilla.org/show_bug.cgi?id=332971
• CVE-2006-2779

potential integer overflow in jsstr tagify (Georgi Guninski)

• https://bugzilla.mozilla.org/show_bug.cgi?id=335535
• CVE-2006-2780