Mozilla Foundation Security Advisory 2006-55
Crashes with evidence of memory corruption (rv:1.8.0.5)
- Announced
- July 25, 2006
- Reporter
- Mozilla Developers
- Impact
- Critical
- Products
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- 
        - Firefox 1.5.0.5
- SeaMonkey 1.0.3
- Thunderbird 1.5.0.5
 
Description
As part of the Firefox 1.5.0.5 stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.
Thunderbird shares the browser engine with Firefox and would be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.
Workaround
Disable JavaScript until you can upgrade to a fixed version. Do not enable JavaScript in mail clients such as Thunderbird.
References
nsListControlFrame::FireMenuItemActiveEvent called at unsafe times (Boris Zbarsky)
Potential string class buffer overruns in out-of-memory case (Darin Fisher, Daniel Veditz)
Crashes involving table row and column groups (Jesse Ruderman, Martijn Wargers)
- https://bugzilla.mozilla.org/show_bug.cgi?id=331679
- https://bugzilla.mozilla.org/show_bug.cgi?id=329900
Disable anonymous box selectors outside of UA stylesheets (Jesse Ruderman)
Crashes referencing removed nodes (Jesse Ruderman, Martijn Wargers)
- https://bugzilla.mozilla.org/show_bug.cgi?id=338391
- https://bugzilla.mozilla.org/show_bug.cgi?id=340733
- https://bugzilla.mozilla.org/show_bug.cgi?id=338129
crypto.generateCRMFRequest callback can run on deleted context (shutdown)
- 
https://bugzilla.mozilla.org/show_bug.cgi?id=337462
 CVE-2006-3811