Mozilla Foundation Security Advisory 2006-32

Fixes for crashes with potential memory corruption (rv:1.8.0.4)

Announced
June 1, 2006
Reporter
Mozilla Developers
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2
  • Thunderbird 1.5.0.4

Description

Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption that we presume is exploitable.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Workaround

Disable JavaScript until you can upgrade to a fixed version.

References

Removing nested <option>s from a select (Jesse Ruderman)

Crashes during DOMNodeRemoved mutation event

Content-implemented tree views can corrupt memory (Boris Zbarsky)

Memory corruption involving BoxObjects (Boris Zbarsky, Neil Rashbrook, Georgi Guninski)

XBL implementation doesn't root temporaries correctly (L. David Baron)

crash with iframe removing itself (Georgi Guninski)

potential integer overflow in jsstr tagify (Georgi Guninski)