• Security Center
  • Security Advisories
  • Known Vulnerabilities
  • Bug Bounty
  • Security Blog

You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-07

Mozilla Foundation Security Advisory 2013-07

Title: Crash due to handling of SSL on threads
Impact: High
Announced: January 8, 2013
Reporter: Jerry Baker
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 18.0
  Firefox ESR 17.0.2
  Thunderbird 17.0.2
  Thunderbird ESR 17.0.2
  SeaMonkey 2.15

Description

Mozilla community member Jerry Baker reported a crashing issue found through Thunderbird when downloading messages over a Secure Sockets Layer (SSL) connection. This was caused by a bug in the networking code assuming that secure connections were entirely handled on the socket transport thread when they can occur on a variety of threads. The resulting crash was potentially exploitable.

While the initial issue was found through Thunderbird, the affected networking library is common to Mozilla code.

References

• Crash [@ nsSOCKSSocketInfo::ConnectToProxy(PRFileDesc*) ] clicking "Download the rest of the message" (CVE-2013-0764)