Bug 219682

Summary: CVE-2006-6497 Multiple Firefox issues (CVE-2006-6498, CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504)
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: firefoxAssignee: Christopher Aillon <caillon>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: medium    
Version: 4.0CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=critical,source=mozilla,reported=20061212,public=20061219
Fixed In Version: RHSA-2006-0758 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-12-19 17:40:43 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Josh Bressers 2006-12-14 14:11:18 EST
The Mozilla project is releasing Firefox to fix several flaws:


    As part of the Firefox and update releases we fixed several 
    bugs to improve the stability of the product. Some of these were crashes 
    that showed evidence of memory corruption and we presume that at least some 
    of these could be exploited to run arbitrary code with enough effort.

    Andrew Miller, David Baron, Georgi Guninski, Jesse Ruderman, Olli Pettay and 
    Vladimir Vukicevic reported crashes in the layout engine

    Igor Bukanov, Jesse Ruderman and moz_bug_r_a4 reported potential memory 
    corruption in the JavaScript engine


    Shutdown demonstrated that it was possible to use a JavaScript watch() to 
    gain elevated privilege. This could be used to compromise the user's 
    computer and install malware.


    Steven Michaud reported a crash in LiveConnect, the bridge code that allows 
    Java applets and web JavaScript to communicate. The crash is due to re-use 
    of an already-freed object and we presume this could be exploited with 
    enough effort.


    moz_bug_r_a4 reported that the src attribute of an IMG element loaded in a 
    frame could be changed to a javascript: URI that was able to bypass the 
    protections against cross-site script (XSS) injection. The injected script 
    could steal credentials and financial data, or perform destructive actions 
    on behalf of a logged-in user.


    An anonymous researcher for TippingPoint and the Zero Day Initiative reports 
    that attempting to append an SVG comment DOM node from one document into 
    another type of document results in memory corruption that can be exploited 
    to run arbitrary code.
Comment 3 Josh Bressers 2006-12-19 13:52:06 EST
Lifting embargo
Comment 4 Red Hat Bugzilla 2006-12-19 17:40:43 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.