Mozilla Foundation Security Advisory 2011-55
Title: nsSVGValue out-of-bounds access
Announced: December 20, 2011
Reporter: regenrecht via TippingPoint's ZDI
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 9.0
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler.
This vulnerability does not affect products prior to Firefox 8 and SeaMonkey 2.5. Thunderbird 8 users would be vulnerable only if using a browser-like feature that allowed scripts to run; users are not at risk while reading mail.