Bug 840215 (CVE-2012-1962)

Summary: CVE-2012-1962 Mozilla: JSDependentString::undepend string conversion results in memory corruption (MFSA 2012-52)
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=critical,public=20120717,reported=20120714,source=mozilla,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/firefox=affected,rhel-5/thunderbird=affected,rhel-6/firefox=affected,rhel-6/thunderbird=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-18 03:30:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 835033

Description Huzaifa S. Sidhpurwala 2012-07-14 08:27:31 EDT
Security researcher Bill Keese reported a memory corruption. This is caused by JSDependentString::undepend changing a dependent string into a fixed string when there are additional dependent strings relying on the same base. When the undepend occurs during conversion, the base data is freed, leaving other dependent strings with dangling pointers. This can lead to a potentially exploitable crash. 

Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-52.html 

Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security researcher Bill Keese as the original reporter of this issue.
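The failure mode in the description (a dependent string is converted to a fixed string, the shared base buffer is released, and the remaining dependents are left dangling) can be shown with a small constructed model. The code below is an added example, not SpiderMonkey's JSDependentString implementation; the BaseString/Str types, the dependents counter and the `freed` flag are assumptions of the model. The flag stands in for what a real allocator would not catch: it lets the dangling read be detected and reported instead of becoming an undefined-behaviour read of freed memory. The counted variant releases the base only when its last dependent goes away, which is the property a fix for this class of bug must guarantee.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not SpiderMonkey code): one base buffer and
 * dependent views that borrow a slice of it. */
typedef struct {
    char *chars;
    size_t len;
    size_t dependents;   /* live dependent views sharing this buffer */
    int freed;           /* model flag: set once the buffer has been released */
} BaseString;

typedef struct {
    BaseString *base;    /* borrowed buffer while dependent, NULL afterwards */
    char *fixed;         /* privately owned copy after undepend */
    size_t off, len;     /* slice of the base this view covers */
} Str;

static BaseString *base_new(const char *s) {
    BaseString *b = calloc(1, sizeof *b);
    b->len = strlen(s);
    b->chars = malloc(b->len + 1);
    memcpy(b->chars, s, b->len + 1);
    return b;
}

/* The model's "free": release the character buffer and mark it gone.
 * The BaseString header stays allocated so the flag can still be read. */
static void base_free(BaseString *b) {
    free(b->chars);
    b->chars = NULL;
    b->freed = 1;
}

static Str depend(BaseString *b, size_t off, size_t len) {
    Str s = { b, NULL, off, len };
    b->dependents++;
    return s;
}

/* Copy the view's characters into out. Returns 0 on success, -1 if the
 * view still depends on a base that has already been released. */
static int chars_of(const Str *s, char *out, size_t outsz) {
    if (s->fixed) { snprintf(out, outsz, "%s", s->fixed); return 0; }
    if (!s->base || s->base->freed) return -1;   /* dangling dependent */
    size_t n = s->len < outsz - 1 ? s->len : outsz - 1;
    memcpy(out, s->base->chars + s->off, n);
    out[n] = '\0';
    return 0;
}

static void copy_into_fixed(Str *s) {
    s->fixed = malloc(s->len + 1);
    memcpy(s->fixed, s->base->chars + s->off, s->len);
    s->fixed[s->len] = '\0';
}

/* Flawed pattern: convert to fixed and release the base unconditionally,
 * ignoring other views that still borrow it. */
static void undepend_flawed(Str *s) {
    copy_into_fixed(s);
    base_free(s->base);
    s->base = NULL;
}

/* Corrected pattern: release the base only when this was its last dependent. */
static void undepend_counted(Str *s) {
    copy_into_fixed(s);
    if (--s->base->dependents == 0)
        base_free(s->base);
    s->base = NULL;
}

/* Two views on one base, one of them undepended. Returns 1 if the other
 * view is still readable afterwards, 0 if it was left dangling. */
static int scenario(void (*undepend)(Str *)) {
    BaseString *b = base_new("hello, dependent world");   /* constructed input */
    Str a = depend(b, 0, 5);    /* "hello" */
    Str c = depend(b, 7, 9);    /* "dependent" */
    undepend(&a);
    char buf[32];
    int ok = chars_of(&c, buf, sizeof buf) == 0 && strcmp(buf, "dependent") == 0;
    free(a.fixed);
    if (!b->freed) base_free(b);
    free(b);
    return ok;
}

int main(void) {
    printf("flawed undepend, other view readable:  %d\n", scenario(undepend_flawed));
    printf("counted undepend, other view readable: %d\n", scenario(undepend_counted));
    return 0;
}
```

In the flawed path the second view still carries a pointer into the released buffer; in a real engine that read would go to freed heap memory, which is the "potentially exploitable crash" the advisory refers to. Tracking live dependents (or, equivalently, never freeing shared base data from a single view's conversion) closes the gap.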
Comment 1 errata-xmlrpc 2012-07-17 14:57:57 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1089 https://rhn.redhat.com/errata/RHSA-2012-1089.html
Comment 2 errata-xmlrpc 2012-07-17 15:28:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1088 https://rhn.redhat.com/errata/RHSA-2012-1088.html