Bug 714581 (CVE-2011-0083, CVE-2011-0085, CVE-2011-2363)

Summary: CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer vulnerabilities (MFSA 2011-23)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: casmls, ddumas, gecko-bugs-nobody, jlieskov, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20110621,reported=20110618,source=mozilla,impact=critical,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4.9/firefox=affected,rhel-5.7/firefox=affected,rhel-6.2/firefox=affected,rhel-4.9/thunderbird=affected,rhel-5.7/thunderbird=affected,rhel-6.2/thunderbird=affected,rhel-4.9/seamonkey=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-12 12:10:10 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Huzaifa S. Sidhpurwala 2011-06-20 03:05:12 EDT
Multiple dangling pointer vulnerabilities were reported by regenrecht via
TippingPoint's Zero Day Initiative.
 
Firefox 4 and newer products were not affected by these issues.
Comment 1 Jan Lieskovsky 2011-06-21 08:37:50 EDT
Public now via:
[1] http://www.mozilla.org/security/announce/2011/mfsa2011-23.html
Comment 2 Jan Lieskovsky 2011-06-21 08:39:35 EDT
Further flaws description (from [1]):
=====================================

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative
two instances of code which modifies SVG element lists failed to account for
changes made to the list by user-supplied callbacks before accessing list
elements. If a user-supplied callback deleted such an object, the element-
modifying code could wind up accessing deleted memory and potentially executing
attacker-controlled memory.

regenrecht also reported via TippingPoint's Zero Day Initiative that a XUL
document could force the nsXULCommandDispatcher to remove all command updaters
from the queue, including the one currently in use. This could result in the
execution of deleted memory which an attacker could use to run arbitrary code
on a victim's computer.

Firefox 4 and newer products were not affected by these issues.
Comment 3 errata-xmlrpc 2011-06-21 18:28:51 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0887 https://rhn.redhat.com/errata/RHSA-2011-0887.html
Comment 4 errata-xmlrpc 2011-06-21 18:39:18 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0886 https://rhn.redhat.com/errata/RHSA-2011-0886.html
Comment 5 errata-xmlrpc 2011-06-21 18:50:19 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0888 https://rhn.redhat.com/errata/RHSA-2011-0888.html
Comment 6 errata-xmlrpc 2011-06-21 18:50:50 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4

Via RHSA-2011:0885 https://rhn.redhat.com/errata/RHSA-2011-0885.html