nsSVGValue out-of-bounds access
- December 20, 2011
- regenrecht via TippingPoint's ZDI
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 3.6.28
- Firefox 9
- SeaMonkey 2.6
- Thunderbird 9
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler.
This vulnerability does not affect products prior to Firefox 8 and SeaMonkey 2.5. Thunderbird 8 users would be vulnerable only if using a browser-like feature that allowed scripts to run; users are not at risk while reading mail.