Mozilla Foundation Security Advisory 2006-55

Crashes with evidence of memory corruption (rv:

July 25, 2006
Mozilla Developers
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox
  • SeaMonkey 1.0.3
  • Thunderbird


As part of the Firefox stability and security release, developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.

Thunderbird shares the browser engine with Firefox and would be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.


Disable JavaScript until you can upgrade to a fixed version. Do not enable JavaScript in mail clients such as Thunderbird.


nsListControlFrame::FireMenuItemActiveEvent called at unsafe times (Boris Zbarsky)

Potential string class buffer overruns in out-of-memory case (Darin Fisher, Daniel Veditz)

Crashes involving table row and column groups (Jesse Ruderman, Martijn Wargers)

Disable anonymous box selectors outside of UA stylesheets (Jesse Ruderman)

Crashes referencing removed nodes (Jesse Ruderman, Martijn Wargers)

crypto.generateCRMFRequest callback can run on deleted context (shutdown)