Mozilla Foundation Security Advisory 2006-55

Crashes with evidence of memory corruption (rv:1.8.0.5)

Announced
July 25, 2006
Reporter
Mozilla Developers
Impact
Critical
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.5
  • SeaMonkey 1.0.3
  • Thunderbird 1.5.0.5

Description

As part of the Firefox 1.5.0.5 stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.

Thunderbird shares the browser engine with Firefox and would be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.

Workaround

Disable JavaScript until you can upgrade to a fixed version. Do not enable JavaScript in mail clients such as Thunderbird.

References

nsListControlFrame::FireMenuItemActiveEvent called at unsafe times (Boris Zbarsky)

Potential string class buffer overruns in out-of-memory case (Darin Fisher, Daniel Veditz)

Crashes involving table row and column groups (Jesse Ruderman, Martijn Wargers)

Disable anonymous box selectors outside of UA stylesheets (Jesse Ruderman)

Crashes referencing removed nodes (Jesse Ruderman, Martijn Wargers)

crypto.generateCRMFRequest callback can run on deleted context (shutdown)