Mozilla Foundation Security Advisory 2006-55

Crashes with evidence of memory corruption (rv:1.8.0.5)

Announced

July 25, 2006

Reporter

Mozilla Developers

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

• Firefox 1.5.0.5
• SeaMonkey 1.0.3
• Thunderbird 1.5.0.5

Description

As part of the Firefox 1.5.0.5 stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.

Thunderbird shares the browser engine with Firefox and would be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.

Workaround

Disable JavaScript until you can upgrade to a fixed version. Do not enable JavaScript in mail clients such as Thunderbird.

References

nsListControlFrame::FireMenuItemActiveEvent called at unsafe times (Boris Zbarsky)

• https://bugzilla.mozilla.org/show_bug.cgi?id=336162

Potential string class buffer overruns in out-of-memory case (Darin Fisher, Daniel Veditz)

• https://bugzilla.mozilla.org/show_bug.cgi?id=284219

Crashes involving table row and column groups (Jesse Ruderman, Martijn Wargers)

• https://bugzilla.mozilla.org/show_bug.cgi?id=331679
• https://bugzilla.mozilla.org/show_bug.cgi?id=329900

Disable anonymous box selectors outside of UA stylesheets (Jesse Ruderman)

• https://bugzilla.mozilla.org/show_bug.cgi?id=331883

Crashes referencing removed nodes (Jesse Ruderman, Martijn Wargers)

• https://bugzilla.mozilla.org/show_bug.cgi?id=338391
• https://bugzilla.mozilla.org/show_bug.cgi?id=340733
• https://bugzilla.mozilla.org/show_bug.cgi?id=338129

crypto.generateCRMFRequest callback can run on deleted context (shutdown)

• https://bugzilla.mozilla.org/show_bug.cgi?id=337462
  CVE-2006-3811