Mozilla Foundation Security Advisory 2008-37

UTF-8 URL stack buffer overflow

Announced
September 23, 2008
Reporter
Justin Schuh, Tom Cross, Peter William
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 2.0.0.17
  • SeaMonkey 1.1.12
  • Thunderbird 2.0.0.17

Description

Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs reported errors in Mozilla URL parsing routines. These errors could be exploited using a specially crafted UTF-8 URL in a hyperlink which could overflow a stack buffer and allow an attacker to execute arbitrary code.

Firefox 3 is not affected by this issue

References