Bug 503579 (CVE-2009-1837) - CVE-2009-1837 Firefox Race condition while accessing the private data of a NPObject JS wrapper class object
Summary: CVE-2009-1837 Firefox Race condition while accessing the private data of a NP...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1837
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-01 19:01 UTC by Josh Bressers
Modified: 2019-09-29 12:30 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-21 09:34:56 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1095 0 normal SHIPPED_LIVE Critical: firefox security update 2009-06-11 22:45:59 UTC

Description Josh Bressers 2009-06-01 19:01:53 UTC
Jakob Balle and Carsten Eiram of Secunia Research reported a race condition
in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a
wrapped JSObject. Balle and Eiram demonstrated that this condition could be
reached by navigating away from a web page during the loading of a Java
applet. Under such conditions the Java object would be destroyed but later
called into resulting in a free memory read. An attacker could potentially
write to the freed memory before it is reused and run arbitrary code on the
victim's computer.

Comment 2 errata-xmlrpc 2009-06-11 22:46:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1095 https://rhn.redhat.com/errata/RHSA-2009-1095.html

Comment 3 Fedora Update System 2009-06-16 02:18:05 UTC
firefox-3.0.11-1.fc10, xulrunner-1.9.0.11-1.fc10, epiphany-2.24.3-7.fc10, epiphany-extensions-2.24.3-2.fc10, blam-1.8.5-11.fc10, devhelp-0.22-9.fc10, galeon-2.0.7-11.fc10, gecko-sharp2-0.13-9.fc10, gnome-python2-extras-2.19.1-31.fc10, gnome-web-photo-0.3-19.fc10, google-gadgets-0.10.5-7.fc10, kazehakase-0.5.6-4.fc10.3, Miro-2.0.3-5.fc10, mozvoikko-0.9.5-11.fc10, mugshot-1.2.2-10.fc10, pcmanx-gtk2-0.3.8-10.fc10, perl-Gtk2-MozEmbed-0.08-6.fc10.2, ruby-gnome2-0.18.1-5.fc10.3, yelp-2.24.0-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2009-06-16 02:31:21 UTC
firefox-3.0.11-1.fc9, xulrunner-1.9.0.11-1.fc9, epiphany-2.22.2-12.fc9, epiphany-extensions-2.22.1-12.fc9, blam-1.8.5-10.fc9.1, chmsee-1.0.1-13.fc9, devhelp-0.19.1-13.fc9, evolution-rss-0.1.0-12.fc9, galeon-2.0.7-11.fc9, gnome-python2-extras-2.19.1-28.fc9, gnome-web-photo-0.3-22.fc9, google-gadgets-0.10.5-7.fc9, gtkmozembedmm-1.4.2.cvs20060817-30.fc9, kazehakase-0.5.6-4.fc9.3, Miro-2.0.3-5.fc9, mozvoikko-0.9.5-11.fc9, mugshot-1.2.2-10.fc9, ruby-gnome2-0.17.0-10.fc9, totem-2.23.2-17.fc9, yelp-2.22.1-13.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.