Bug 195241 - CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2781, CVE-2006-2788)
Summary: CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2781, CVE-2006-2788)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 5
Hardware: All
OS: Linux
urgent
medium
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL:
Whiteboard: impact=critical,source=mozilla,report...
: 195315 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-06-14 15:56 UTC by David Eisenstein
Modified: 2007-11-30 22:11 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-16 18:02:40 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description David Eisenstein 2006-06-14 15:56:27 UTC 
This was originally bug 194617, until Bugzilla barfed yesterday.  Entering
it again...

           Summary: CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2781,
                    CVE-2006-2788)
           Product: Fedora Core
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: urgent
          Priority: normal
         Component: firefox
        AssignedTo: caillon
        ReportedBy: mattdm
                CC: deisenst,wtogami

This issue also affects Fedora Core 5. A lot of the problems fixed in 1.5.0.4
don't seem that severe, but a few of these are serious enough to at least turn
some heads. And it's been public for a quite a while now.

+++ This bug was initially created as a clone of Bug #193906 +++

Text stolen from MITRE:

CVE-2006-2781
Double-free vulnerability in Mozilla Thunderbird before 1.5.0.4 and
SeaMonkey before 1.0.2 allows remote attackers to cause a denial of
service (hang) and possibly execute arbitrary code via a VCard that
contains invalid base64 characters.

CVE-2006-2779
Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via (1) nested <option> tags in a select tag, (2) a
DOMNodeRemoved mutation event, (3) "Content-implemented tree views,"
(4) BoxObjects, (5) the XBL implementation, (6) an iframe that
attempts to remove itself, which leads to memory corruption.

-- Additional comment from bressers on 2006-06-02 16:22 EST --
These issues also affect RHEL2.1 and RHEL3

-- Additional comment from bressers on 2006-06-02 16:34 EST --
Also this issue:

CVE-2006-2788
Double-free vulnerability in the getRawDER function for nsIX509Cert in
Firefox allows remote attackers to cause a denial of service (hang)
and possibly execute arbitrary code via certain Javascript code.
Comment 1 David Eisenstein 2006-06-14 15:59:54 UTC 
------- Additional Comments From mattdm  2006-06-12 10:39 EST -------
Removing dependency on bug #193906, since that's really a separate issue since
it requires backports.

I still don't see an update for this even in the testing tree.
Comment 2 David Eisenstein 2006-06-14 16:07:25 UTC 
Kai, Dennis -- I understand you were working on rolling firefox &/or thunderbird
packages yesterday for 1.5.0.4.   How is that coming along?
Comment 3 Kai Engert (:kaie) (inactive account) 2006-06-14 22:03:48 UTC 
some trouble with build system, hope to have it done by tomorrow.
tb is already out on rawhide
Comment 4 David Juran 2006-06-15 18:29:38 UTC 
*** Bug 195315 has been marked as a duplicate of this bug. ***
Comment 5 Kai Engert (:kaie) (inactive account) 2006-06-16 18:02:40 UTC 
ff and tb 1.5.0.4 have been released on fc5 and rawhide
Comment 6 Matthew Miller 2006-06-16 18:07:27 UTC 
thanks!
Note You need to log in before you can comment on or make changes to this bug.