Mozilla Foundation Security Advisory 2006-01

JavaScript garbage-collection hazards

Announced
February 1, 2006
Reporter
Igor Bukanov
Impact
Moderate
Products
Firefox, Mozilla Suite, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.0.8
  • Firefox 1.5.0.1
  • Mozilla Suite 1.7.13
  • SeaMonkey 1
  • Thunderbird 1.0.8
  • Thunderbird 1.5.0.2

Description

Garbage collection hazards have been found in the JavaScript engine where some routines used temporary variables that were not properly protected (rooted). Specially crafted objects could contain a user-defined method that would be called during the lifetime of these temporaries. If this method triggered garbage collection the engine would operate on the unexpectedly freed temporary object when it returned from the user-defined routine.

The risk appears remote, but this type of memory corruption could potentially be used by an attacker to run arbitrary code.

CVE-2006-0293 was introduced during Firefox 1.5 development and does not affect Firefox 1.0. CVE-2006-0292 affects all versions of Firefox.

Thunderbird shares the JavaScript engine with Firefox and could be vulnerable if JavaScript is enabled in mail. This is not the default setting; we strongly discourage users from running JavaScript in mail.

Update (13 April 2006)
This flaw has been fixed in Thunderbird 1.5.0.2

Updated versions of Firefox 1.0, Thunderbird 1.0, and the Mozilla Suite 1.7 have been released containing this fix.

Workaround

Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or Mozilla Suite mail.

References