Mozilla Foundation Security Advisory 2011-55

nsSVGValue out-of-bounds access

Announced: December 20, 2011
Reporter: regenrecht via TippingPoint's ZDI
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 3.6.28
  • Firefox 9
  • SeaMonkey 2.6
  • Thunderbird 9

Description

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler.

This vulnerability does not affect products prior to Firefox 8 and SeaMonkey 2.5. Thunderbird 8 users would be vulnerable only if using a browser-like feature that allowed scripts to run; users are not at risk while reading mail.
