Bug 194440

Summary: CVE-2006-2779 Multiple Mozilla, Firefox issues (CVE-2006-2781, CVE-2006-2788)
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: mozilla
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CANTFIX
QA Contact: Ben Levenson <benl>
Severity: urgent
Priority: urgent
Version: unspecified
CC: jpdalbec, mcepl
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=critical, LEGACY, rh73, rh90, 1, 2, 3
Doc Type: Bug Fix
Last Closed: 2007-06-01 04:40:19 UTC
Type: ---
Bug Depends On: 193906

Description David Eisenstein 2006-06-08 06:57:34 UTC
+++ This bug was initially created as a clone of Bug #193906 +++

Text stolen from MITRE:

CVE-2006-2781
Double-free vulnerability in Mozilla Thunderbird before 1.5.0.4 and
SeaMonkey before 1.0.2 allows remote attackers to cause a denial of
service (hang) and possibly execute arbitrary code via a VCard that
contains invalid base64 characters.

CVE-2006-2779
Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via (1) nested <option> tags in a select tag, (2) a
DOMNodeRemoved mutation event, (3) "Content-implemented tree views,"
(4) BoxObjects, (5) the XBL implementation, (6) an iframe that
attempts to remove itself, which leads to memory corruption.

-- Additional comment from bressers on 2006-06-02 16:22 EST --
These issues also affect RHEL2.1 and RHEL3

-- Additional comment from bressers on 2006-06-02 16:34 EST --
Also this issue:

CVE-2006-2788
Double-free vulnerability in the getRawDER function for nsIX509Cert in
Firefox allows remote attackers to cause a denial of service (hang)
and possibly execute arbitrary code via certain Javascript code.

Comment 1 David Eisenstein 2006-06-14 16:12:11 UTC
------- Additional Comments From deisenst  2006-06-09 11:13 EST -------
These also affect Firefox and Thunderbird, though in Thunderbird these bugs
are likely not critical.  Normally javascript is turned off in Thunderbird, and
these vulnerabilities seem to be tied to having javascript turned on.



Comment 2 John Dalbec 2006-08-09 17:56:53 UTC
06.30.29 CVE:
CVE-2006-3812,CVE-2006-3811,CVE-2006-3810,CVE-2006-3809,CVE-2006-3808,
CVE-2006-3807,CVE-2006-3806,CVE-2006-3805,CVE-2006-3804,CVE-2006-3803,
CVE-2006-3802,CVE-2006-3801,CVE-2006-3113,CVE-2006-3677
Platform: Cross Platform
Title: Mozilla Firefox Javascript Navigator Object Remote Code
Execution
Description: Mozilla Firefox is prone to a remote code execution
vulnerability. The application fails to properly sanitize
user-supplied input before using it to create a new Javascript
object. The vulnerability exists when assigning unspecified parameters
to the "window.navigator" object. An attacker may replace the
navigator object before Java starts to trigger this vulnerability.
Mozilla Firefox versions 1.5.0 to 1.5.0.4 are vulnerable to this
issue.
Ref: http://www.mozilla.org/security/announce/2006
______________________________________________________________________

06.30.30 CVE: CVE-2006-3113
Platform: Cross Platform
Title: Mozilla Foundation Products XPCOM Memory Corruption
Description: Mozilla Foundation products Firefox, Thunderbird and
SeaMonkey are vulnerable to a memory corruption issue due to
insufficient handling of simultaneous XPCOM events. See the referenced
advisory for further details.
Ref: http://www.mozilla.org/security/announce/2006/mfsa2006-46.html

Comment 3 David Eisenstein 2006-10-07 13:01:44 UTC
Please see Bug #209167 for further discussion related to this bug.

Comment 4 Matěj Cepl 2007-05-30 23:19:05 UTC
Reporter, could you please close this bug now that Fedora Legacy has been shut down?
Or do you have any other idea what to do with it?

Comment 5 David Eisenstein 2007-06-01 04:40:19 UTC
Matej, you are right.  This bug should be closed.

Closing CANTFIX.  -David