Mozilla Foundation Security Advisory 2013-77

Improper state in HTML5 Tree Builder with templates

Announced
September 17, 2013
Reporter
Atte Kettunen
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 24
  • SeaMonkey 2.21
  • Thunderbird 24

Description

Using the Address Sanitizer tool, security researcher Atte Kettunen of OUSPG found that the HTML5 Tree Builder does not correctly maintain its state when handling template elements. Because some stack information is stored incorrectly, the stack of template insertion modes can be accessed while it is empty. This could lead to code execution under some circumstances.
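
The following model is an added illustration, not Gecko's tree builder or the reproducer from the report: the advisory does not say which markup triggers the fault, so the model only shows the bug class it describes (the stack of template insertion modes being popped and read while empty) beside the handling the HTML specification prescribes, which treats a `</template>` end tag with no template element in scope as a parse error and ignores it. Mode codes, the fixed-size typed-array stack and the token stream are constructed for this example.

```javascript
"use strict";

// Insertion modes as small integers so the mode stack can be a fixed-size
// typed array, the closest JavaScript analogue of the array in a native parser.
const IN_BODY = 1;
const IN_TEMPLATE = 2;
const MODE_NAMES = { [IN_BODY]: "in body", [IN_TEMPLATE]: "in template" };

class TreeBuilder {
  constructor({ guarded }) {
    this.guarded = guarded;                 // false = unguarded model, true = fixed model
    this.openElements = ["html", "body"];   // stack of open elements
    this.templateModes = new Uint8Array(8); // stack of template insertion modes
    this.top = 0;                           // number of modes on that stack
    this.mode = IN_BODY;                    // current insertion mode
    this.parseErrors = 0;
  }

  pushTemplateMode(m) { this.templateModes[this.top++] = m; }

  popTemplateMode() {
    if (this.guarded && this.top === 0) {
      throw new Error("template insertion mode stack underflow");
    }
    this.top--;
  }

  // "Current template insertion mode": the topmost entry. Reading an empty
  // stack yields undefined here; in a native parser it is an out-of-bounds read.
  currentTemplateMode() {
    if (this.guarded && this.top === 0) {
      throw new Error("template insertion mode stack is empty");
    }
    return this.templateModes[this.top - 1];
  }

  // "Reset the insertion mode appropriately", reduced to the two cases this
  // model needs: a template as current node selects the current template
  // insertion mode, anything else falls back to "in body".
  resetInsertionMode() {
    const current = this.openElements[this.openElements.length - 1];
    this.mode = current === "template" ? this.currentTemplateMode() : IN_BODY;
  }

  startTemplate() {
    this.openElements.push("template");
    this.pushTemplateMode(IN_TEMPLATE);
    this.mode = IN_TEMPLATE;
  }

  endTemplate() {
    const inScope = this.openElements.includes("template");
    if (!inScope) {
      this.parseErrors++;
      if (this.guarded) return;  // spec: parse error, ignore the token
      // The unguarded model keeps going and pops a mode that was never
      // pushed, so the two stacks fall out of sync.
    }
    const idx = this.openElements.lastIndexOf("template");
    if (idx >= 0) this.openElements.length = idx;
    this.popTemplateMode();
    this.resetInsertionMode();
  }

  feed(tokens) {
    for (const t of tokens) {
      if (t === "<template>") this.startTemplate();
      else if (t === "</template>") this.endTemplate();
      else throw new Error("token not modelled: " + t);
    }
    return this;
  }
}

// Constructed token stream: a stray </template> with no template in scope,
// then two nested templates and a single end tag.
const SAMPLE = ["</template>", "<template>", "<template>", "</template>"];

function runModel(guarded, tokens = SAMPLE) {
  const tb = new TreeBuilder({ guarded }).feed(tokens);
  return {
    mode: MODE_NAMES[tb.mode] ?? "invalid",
    stackDepth: tb.top,
    parseErrors: tb.parseErrors,
  };
}

console.log("unguarded:", runModel(false));
// unguarded: { mode: 'invalid', stackDepth: 0, parseErrors: 1 }
console.log("guarded:  ", runModel(true));
// guarded:   { mode: 'in template', stackDepth: 1, parseErrors: 1 }
```

In the unguarded run the stray end tag drives the mode counter to -1, the next push is lost (a typed array drops writes to index -1), and the final reset reads a mode that was never stored, leaving the builder in no valid insertion mode; a native parser would instead read memory before the array. The guarded run discards the stray end tag as a parse error and stays consistent. The scope check is the fix; the underflow checks in `popTemplateMode` and `currentTemplateMode` are defence in depth that turns a silent bad read into a loud failure.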

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.

References