Bug 152831 - Mozilla Multiple Memory Corruption Vulnerabilities
Summary: Mozilla Multiple Memory Corruption Vulnerabilities
Keywords:
Status: CLOSED DUPLICATE of bug 2040112
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard: LEGACY
Depends On:
Blocks:
Reported: 2004-10-29 06:55 UTC by John Dalbec
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 19:08:18 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:28:59 UTC
04.42.18 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Multiple Memory Corruption Vulnerabilities
Description: Multiple memory corruption vulnerabilities have been
reported in Mozilla. These issues are related to malformed HTML
involving the TEXTAREA, INPUT, FRAMESET, and IMG tags. Mozilla
versions 1.0 through 1.8 are affected.
Ref: http://www.securityfocus.com/archive/1/378632



------- Additional Comments From jpdalbec 2004-12-08 10:14:11 ----

RHL 7.3:
gallery/mozilla_die1.html produces:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 31881)]
0x40c813f1 in RuleProcessorData::RuleProcessorData ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
gallery/mozilla_die2.html does not crash mozilla.



------- Additional Comments From jpdalbec 2004-12-08 10:27:24 ----

backtrace:
#0  0x40c813f1 in RuleProcessorData::RuleProcessorData ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#1  0x40b56409 in StyleSetImpl::ResolveStyleFor ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#2  0x40add204 in nsPresContext::ResolveStyleContextFor ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#3  0x40a4a91e in nsCSSFrameConstructor::ResolveStyleContext ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#4  0x40a4b315 in nsCSSFrameConstructor::ConstructFrame ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#5  0x40a4e3ee in nsCSSFrameConstructor::ContentAppended ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#6  0x40b572ad in StyleSetImpl::ContentAppended ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#7  0x409fcc7a in PresShell::ContentAppended ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#8  0x40affca5 in nsDocument::ContentAppended ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#9  0x40c2e166 in nsHTMLDocument::ContentAppended ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#10 0x40c26d2d in HTMLContentSink::NotifyAppend ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#11 0x40c1f3f3 in SinkContext::FlushTags ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#12 0x40c21858 in HTMLContentSink::CloseBody ()
   from /usr/lib/mozilla-1.4.3/components/libgklayout.so
#13 0x4131f855 in CNavDTD::CloseBody ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#14 0x4131fee1 in CNavDTD::CloseContainer ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#15 0x4131ffc8 in CNavDTD::CloseContainersTo ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#16 0x413203b9 in CNavDTD::CloseContainersTo ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#17 0x4131b542 in CNavDTD::DidBuildModel ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#18 0x4132ecea in nsParser::DidBuildModel ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#19 0x4132f9c0 in nsParser::ResumeParse ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#20 0x41331813 in nsParser::OnStopRequest ()
   from /usr/lib/mozilla-1.4.3/components/libhtmlpars.so
#21 0x41461e79 in nsDocumentOpenInfo::OnStopRequest ()
   from /usr/lib/mozilla-1.4.3/components/libdocshell.so
#22 0x408872f5 in nsStreamListenerTee::OnStopRequest ()
   from /usr/lib/mozilla-1.4.3/components/libnecko.so
#23 0x408ebf8f in nsHttpChannel::OnStopRequest ()
   from /usr/lib/mozilla-1.4.3/components/libnecko.so
#24 0x4086f8a9 in nsInputStreamPump::OnStateStop ()
   from /usr/lib/mozilla-1.4.3/components/libnecko.so
#25 0x4086f5c1 in nsInputStreamPump::OnInputStreamReady ()
   from /usr/lib/mozilla-1.4.3/components/libnecko.so
#26 0x4073164a in nsInputStreamReadyEvent::EventHandler ()
   from /usr/lib/mozilla-1.4.3/libxpcom.so
#27 0x40749873 in PL_HandleEvent () from /usr/lib/mozilla-1.4.3/libxpcom.so
#28 0x40749c75 in PL_ProcessEventsBeforeID ()
   from /usr/lib/mozilla-1.4.3/libxpcom.so
#29 0x4149318b in processQueue ()
   from /usr/lib/mozilla-1.4.3/components/libwidget_gtk.so
#30 0x4071b09b in nsVoidArray::EnumerateForwards ()
   from /usr/lib/mozilla-1.4.3/libxpcom.so
#31 0x414931c8 in nsAppShell::ProcessBeforeID ()
   from /usr/lib/mozilla-1.4.3/components/libwidget_gtk.so
#32 0x4149bd2f in handle_gdk_event ()
   from /usr/lib/mozilla-1.4.3/components/libwidget_gtk.so
#33 0x40225d6f in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#34 0x40257773 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#35 0x40257d39 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#36 0x40257eec in g_main_run () from /usr/lib/libglib-1.2.so.0
#37 0x401732e3 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#38 0x41492f0d in nsAppShell::Run ()
   from /usr/lib/mozilla-1.4.3/components/libwidget_gtk.so
#39 0x412d6aaa in nsAppShellService::Run ()
   from /usr/lib/mozilla-1.4.3/components/libnsappshell.so
#40 0x08059415 in main1 ()
#41 0x08059c2b in main ()
#42 0x42017589 in __libc_start_main () from /lib/i686/libc.so.6



------- Additional Comments From jpdalbec 2004-12-13 12:31:52 ----

04.49.17 CVE: Not Available
Platform: Cross Platform
Title: Multiple Browsers JavaScript IFRAME Rendering Denial of
Service
Description: Mozilla/Netscape and Firefox browsers are reported to be
vulnerable to a denial of service issue. The issue presents itself
when a javascript function attempts to print an IFRAME that is
embedded in the page.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=272381 



------- Additional Comments From jpdalbec 2004-12-13 12:33:09 ----

04.49.22 CVE: CAN-2004-1156
Platform: Cross Platform
Title: Remote Window Hijacking Vulnerability Affecting Multiple
Browsers
Description: Multiple browsers are affected by a remote window
hijacking issue. A website can inject content into another site's
window if the target name of the window is known. This can be
exploited by a malicious website to spoof the content of a pop-up
window opened on a trusted website. All current versions of Opera,
Netscape, Internet Explorer, Apple Safari, Mozilla and Firefox are
affected.
Ref: http://secunia.com/secunia_research/2004-13/advisory/ 



------- Additional Comments From pekkas 2004-12-20 11:23:56 ----

Two other CANs I found, which are probably relevant for the next update..

CAN-2004-0909  Mozilla Firefox before the Preview Release, Mozilla before 1.7.3,
and Thunderbird before 0.8 may allow remote attackers to trick users into
performing unexpected actions, including installing software, via signed scripts
that request enhanced abilities using the enablePrivilege parameter, then modify
the meaning of certain security-relevant dialog messages.  

 -- this is http://bugzilla.mozilla.org/show_bug.cgi?id=253942 

CAN-2004-1200  Firefox and Mozilla allow remote attackers to cause a denial of
service (application crash from memory consumption), as demonstrated using
Javascript code that continuously creates nested arrays and then sorts the newly
created arrays.  





------- Additional Comments From pekkas 2005-03-01 06:01:56 ----

I'll close this as a duplicate of #2380, so we can track the mozilla issues in
just one bug number.

*** This bug has been marked as a duplicate of 2380 ***



------- Bug moved to this database by dkl 2005-03-30 18:28 -------

This bug previously known as bug 2214 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2214
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Red Hat Bugzilla 2006-02-21 19:08:18 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

