Mozilla Foundation Security Advisory 2012-10

Title: use after free in nsXBLDocumentInfo::ReadPrototypeBindings
Impact: Critical
Announced: February 10, 2012
Reporter: Andrew McCreight, Olli Pettay
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 10.0.1
  Firefox ESR 10.0.1
  Thunderbird 10.0.1
  Thunderbird ESR 10.0.1
  SeaMonkey 2.7.1

Description

Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings leaves an XBL binding in a hash table even when the function fails. If this occurs, a crash results when the cycle collector reads this hash table and attempts to call a virtual method on the binding. This crash is potentially exploitable.

Firefox 9 and earlier are not affected by this vulnerability.
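
The failure mode described above, as a simplified C++ model added here; it is not Mozilla's code. `Binding`, `Table`, `load_buggy`, `load_fixed`, `traverse_all` and `release_all` are hypothetical names, and the model assumes the binding is freed on the failure path while its table entry stays behind.

```cpp
// Simplified model of the bug class in this advisory; NOT Mozilla's code.
// All names here are hypothetical and chosen for illustration.
#include <map>
#include <memory>
#include <string>

struct Binding {
    virtual ~Binding() = default;
    virtual int Traverse() const { return 1; }  // stand-in for the collector's virtual call
};

using Table = std::map<std::string, Binding*>;  // non-owning raw pointers

// Buggy shape: the binding is registered first, a later step fails, the
// object is destroyed, and the table entry is left pointing at freed memory.
bool load_buggy(Table& table, const std::string& id, bool later_step_ok) {
    auto binding = std::make_unique<Binding>();
    table[id] = binding.get();
    if (!later_step_ok)
        return false;              // unique_ptr frees the binding; entry stays behind
    binding.release();             // success: the object now lives as long as the table
    return true;
}

// Fixed shape: every failure path removes the entry before the object dies.
bool load_fixed(Table& table, const std::string& id, bool later_step_ok) {
    auto binding = std::make_unique<Binding>();
    table[id] = binding.get();
    if (!later_step_ok) {
        table.erase(id);           // roll back the registration
        return false;
    }
    binding.release();
    return true;
}

// Stand-in for the cycle collector walking the table; safe only if every entry is live.
int traverse_all(const Table& table) {
    int visited = 0;
    for (const auto& entry : table)
        visited += entry.second->Traverse();
    return visited;
}

// Frees the live objects that successful loads handed over to the table.
void release_all(Table& table) {
    for (auto& entry : table) delete entry.second;
    table.clear();
}
```

After a failed `load_buggy` the table still holds one entry, so `traverse_all` must not be run on it; after a failed `load_fixed` the table is unchanged and traversal stays safe.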