The http-index-format MIME type parser (nsDirIndexParser) in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 does not check for an allocation failure, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP index response with a crafted 200 header, which triggers memory corruption and a buffer overflow.
lists.opensuse.org/opensuse-security-announce/2008-11/msg00004.html
secunia.com/advisories/32684
secunia.com/advisories/32693
secunia.com/advisories/32694
secunia.com/advisories/32695
secunia.com/advisories/32713
secunia.com/advisories/32714
secunia.com/advisories/32721
secunia.com/advisories/32778
secunia.com/advisories/32845
secunia.com/advisories/32853
secunia.com/advisories/33433
secunia.com/advisories/34501
sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1
ubuntu.com/usn/usn-667-1
www.debian.org/security/2008/dsa-1669
www.debian.org/security/2008/dsa-1671
www.debian.org/security/2009/dsa-1697
www.iss.net/threats/311.html
www.mandriva.com/security/advisories?name=MDVSA-2008:228
www.mandriva.com/security/advisories?name=MDVSA-2008:230
www.mozilla.org/security/announce/2008/mfsa2008-54.html
www.redhat.com/support/errata/RHSA-2008-0977.html
www.redhat.com/support/errata/RHSA-2008-0978.html
www.securityfocus.com/bid/32281
www.securitytracker.com/id?1021185
www.us-cert.gov/cas/techalerts/TA08-319A.html
www.vupen.com/english/advisories/2008/3146
www.vupen.com/english/advisories/2009/0977
bugzilla.mozilla.org/show_bug.cgi?id=443299
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11005
www.redhat.com/archives/fedora-package-announce/2008-November/msg00366.html
www.redhat.com/archives/fedora-package-announce/2008-November/msg00385.html