Miscellaneous use-after-free issues found through ASAN fuzzing
- October 29, 2013
- Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
- Fixed in
- Firefox 25
- Firefox ESR 17.0.10
- Firefox ESR 24.1
- SeaMonkey 2.22
- Thunderbird 24.1
- Thunderbird ESR 17.0.10
Security researcher Nils used the Address Sanitizer tool while fuzzing to discover missing strong references in browsing engine leading to use-after-frees. This can lead to a potentially exploitable crash.
In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts.
- ASAN heap-use-after-free in nsIPresShell::GetPresContext() with canvas, onresize and mozTextStyle (CVE-2013-5599)
- ASAN use-after-free in nsIOService::NewChannelFromURIWithProxyFlags with Blob URL (CVE-2013-5600)
- ASAN use-after free in GC allocation in nsEventListenerManager::SetEventHandler (CVE-2013-5601)