Bug 530164 (CVE-2009-3384)

Summary: CVE-2009-3384 Firefox integer underflow in FTP directory list parser
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: mjc, security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=critical,source=mozilla,reported=20091021,public=20091027,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190[auto]
Doc Type: Bug Fix
Last Closed: 2011-10-03 11:18:18 EDT
Bug Blocks: 733423

Description Josh Bressers 2009-10-21 14:37:38 EDT
Security researcher Michal Zalewski reported that the parser for FTP
directory listings was improperly checking for the end of a string buffer,
resulting in an integer underflow of a counter variable. This counter would
later be used as an array index and could result in the execution of an
arbitrary memory location. An attacker could potentially use this
vulnerability to crash a victim's browser and run arbitrary code on their
computer.
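
The bug class described above, as an added illustration that is not part of the original report and is not the Mozilla parser's code: a listing-line tokenizer whose token counter is used to index an array, with the unchecked subtraction shown beside a bounds-checked form. All names (`tokenize`, `index_from_end`, `last_field`, `MAX_TOKENS`) and the sample listing line are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TOKENS 16

/* Split a listing line on spaces, recording each token's offset and length.
   Returns the token count, which is the "counter" in this illustration. */
static size_t tokenize(const char *line, size_t len,
                       size_t start[MAX_TOKENS], size_t tlen[MAX_TOKENS])
{
    size_t n = 0, i = 0;
    while (i < len && n < MAX_TOKENS) {
        while (i < len && line[i] == ' ') i++;   /* skip separators      */
        if (i == len) break;                     /* hit end of buffer    */
        start[n] = i;
        while (i < len && line[i] != ' ') i++;   /* consume one token    */
        tlen[n] = i - start[n];
        n++;
    }
    return n;
}

/* Flawed pattern: assumes at least `back` tokens exist. With an unsigned
   counter, n - back wraps to a huge value when n < back. Only the index is
   computed here; it is never used to read memory. */
size_t index_from_end_unchecked(size_t n, size_t back)
{
    return n - back;
}

/* Hardened form: validate the counter before subtracting and indexing. */
int index_from_end(size_t n, size_t back, size_t *out)
{
    if (back == 0 || back > n || n > MAX_TOKENS) return -1;
    *out = n - back;
    return 0;
}

/* Copy the last token (treated as the file name) into dst, or fail cleanly. */
int last_field(const char *line, char *dst, size_t dstsz)
{
    size_t start[MAX_TOKENS], tlen[MAX_TOKENS], idx;
    size_t n = tokenize(line, strlen(line), start, tlen);
    if (index_from_end(n, 1, &idx) != 0) return -1;  /* empty or blank line */
    if (tlen[idx] >= dstsz) return -1;               /* would not fit       */
    memcpy(dst, line + start[idx], tlen[idx]);
    dst[tlen[idx]] = '\0';
    return 0;
}
```

An empty or all-space line yields a count of zero, which is the input that makes the unchecked index wrap; the hardened path returns an error for it instead of indexing.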

Comment 2 Josh Bressers 2010-12-16 10:41:17 EST
The Mozilla bug is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=515583

Comment 3 Huzaifa S. Sidhpurwala 2011-08-17 02:38:28 EDT
Here is the relevant mozilla patch:

http://hg.mozilla.org/mozilla-central/rev/cade5b705114

This was fixed in:

Seamonkey:
Patch: mozilla-515583-x.patch
* Mon Oct 12 2009 Martin Stransky <stransky@redhat.com> - 1.0.9-50.el4
- Added fixes from 1.9.0.15
Errata: RHSA-2009:1531

Firefox:
RHSA-2009:1530

Comment 4 Josh Bressers 2011-10-03 09:26:27 EDT
The upstream bug is now public. I'm opening this up.

Comment 5 Josh Bressers 2011-10-03 11:18:18 EDT
We fixed this bug in RHSA-2009:1530, RHSA-2009:1531, RHSA-2010:0153, RHSA-2010:0154