Mozilla Foundation Security Advisory 2010-40

2010-07-24T00:00:00
ID SECURITYVULNS:DOC:24313
Type securityvulns
Reporter Securityvulns
Modified 2010-07-24T00:00:00

Description

Title: nsTreeSelection dangling pointer remote code execution vulnerability
Impact: Critical
Announced: July 20, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey

Fixed in:

* Firefox 3.6.7
* Firefox 3.5.11
* Thunderbird 3.1.1
* Thunderbird 3.0.6
* SeaMonkey 2.0.6

Description

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, an integer overflow vulnerability in the implementation of the XUL <tree> element's selection attribute. When the size of a new selection is sufficiently large, the integer used in calculating the length of the selection can overflow, resulting in a bogus range being marked selected. When adjustSelection is then called on the bogus range, the range is deleted, leaving dangling references to the ranges which could be used by an attacker to call into deleted memory and run arbitrary code on a victim's computer.

References

* https://bugzilla.mozilla.org/show_bug.cgi?id=571106
* CVE-2010-2753
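
The overflow class described in the advisory, shown as an added example that is not Mozilla's code or its fix: a 32-bit length computed from a range's endpoints wraps for a large enough span, while a 64-bit checked computation rejects the range before any selection state changes. The names `row_range`, `selection`, `range_len_wrapping`, `range_len_checked` and `selection_add` are hypothetical, and the sample range is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one selected range of tree rows (inclusive). */
typedef struct { int32_t min, max; } row_range;

/* Hypothetical selection state: running total of selected rows. */
typedef struct { int32_t count; } selection;

/* Length as 32-bit arithmetic computes it: wraps silently when the span
 * exceeds INT32_MAX. Unsigned math is used so the wrap is well defined. */
int32_t range_len_wrapping(row_range r) {
    return (int32_t)((uint32_t)r.max - (uint32_t)r.min + 1u);
}

/* Length computed in 64 bits; fails on inverted ranges or spans that do
 * not fit in int32_t. */
bool range_len_checked(row_range r, int32_t *out) {
    if (r.min > r.max) return false;
    int64_t len = (int64_t)r.max - (int64_t)r.min + 1;
    if (len > INT32_MAX) return false;
    *out = (int32_t)len;
    return true;
}

/* Add a range to the selection only if its length and the new total are
 * both representable; state is left untouched on rejection. */
bool selection_add(selection *s, row_range r) {
    int32_t len;
    if (!range_len_checked(r, &len)) return false;
    if (len > INT32_MAX - s->count) return false;
    s->count += len;
    return true;
}

int main(void) {
    row_range huge = { -1, INT32_MAX };   /* constructed sample input */
    selection s = { 0 };
    printf("wrapping length: %d\n", range_len_wrapping(huge));
    printf("checked add accepted: %d\n", selection_add(&s, huge));
    return 0;
}
```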