Mozilla Foundation Security Advisory 2009-63
Title: Upgrade media libraries to fix memory safety bugs
Announced: October 27, 2009
Reporter: Mozilla community and developers
Fixed in: Firefox 3.5.4
Mozilla upgraded several third party libraries used in media
rendering to address multiple memory safety and stability bugs
identified by members of the Mozilla community. Some of the bugs
discovered could potentially be used by an attacker to crash a
victim's browser and execute arbitrary code on their
liboggplay were all upgraded to address these
Audio and video capabilities were added in Firefox 3.5 so prior releases of Firefox were not affected.
Georgi Guninski reported a crash in liboggz.
Lucas Adamski, Matthew Gregan, David Keeler, and Dan Kaminsky reported crashes in libvorbis.
Juan Becerra reported a crash in liboggplay.
The original version of this advisory incorrectly included bug 500254 as part of CVE-2009-3370. That bug was actually fixed in Firefox 3.5.2 as CVE-2009-2663