Bug 530164 - (CVE-2009-3384) CVE-2009-3384 Firefox integer underflow in FTP directory list parser
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: urgent, Severity: urgent
Assigned To: Red Hat Product Security
impact=critical,source=mozilla,report...
Keywords: Security
Blocks: 733423
Reported: 2009-10-21 14:37 EDT by Josh Bressers
Modified: 2016-03-04 06:09 EST
Doc Type: Bug Fix
Last Closed: 2011-10-03 11:18:18 EDT


Description Josh Bressers 2009-10-21 14:37:38 EDT
Security researcher Michal Zalewski reported that the parser for FTP
directory listings was improperly checking for the end of a string buffer,
resulting in an integer underflow of a counter variable. This counter would
later be used as an array index and could result in the execution of an
arbitrary memory location. An attacker could potentially use this
vulnerability to crash a victim's browser and run arbitrary code on their
computer.
Comment 2 Josh Bressers 2010-12-16 10:41:17 EST
The Mozilla bug is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=515583
Comment 3 Huzaifa S. Sidhpurwala 2011-08-17 02:38:28 EDT
Here is the relevant mozilla patch:

http://hg.mozilla.org/mozilla-central/rev/cade5b705114

This was fixed in:

Seamonkey:
Patch: mozilla-515583-x.patch
* Mon Oct 12 2009 Martin Stransky <stransky@redhat.com> - 1.0.9-50.el4
- Added fixes from 1.9.0.15
Errata: RHSA-2009:1531

Firefox:
RHSA-2009:1530
Comment 4 Josh Bressers 2011-10-03 09:26:27 EDT
The upstream bug is now public. I'm opening this up.
Comment 5 Josh Bressers 2011-10-03 11:18:18 EDT
We fixed this bug in RHSA-2009:1530, RHSA-2009:1531, RHSA-2010:0153, RHSA-2010:0154
