Security researcher Michal Zalewski reported that the parser for FTP directory listings was improperly checking for the end of a string buffer, resulting in an integer underflow of a counter variable. This counter would later be used as an array index and could result in the execution of an arbitrary memory location. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on their computer.
The Mozilla bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=515583
Here is the relevant Mozilla patch: http://hg.mozilla.org/mozilla-central/rev/cade5b705114
This was fixed in:
Seamonkey:
Patch: mozilla-515583-x.patch
* Mon Oct 12 2009 Martin Stransky <stransky> - 1.0.9-50.el4
- Added fixes from 1.9.0.15
Errata: RHSA-2009:1531
Firefox: RHSA-2009:1530
The upstream bug is now public. I'm opening this up.
We fixed this bug in RHSA-2009:1530, RHSA-2009:1531, RHSA-2010:0153, RHSA-2010:0154
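The bug class described in the report above (a counter that underflows at the edge of a string buffer and is later used as an array index), as an added C example. It is not Mozilla's parser code or the referenced patch; the function names and the sample listing lines are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index an unchecked parser computes for "last character of the line".
 * size_t is unsigned, so len == 0 wraps to SIZE_MAX instead of going
 * negative. Only computed here, never dereferenced. */
size_t last_index_unchecked(size_t len) {
    return len - 1;
}

/* Drop trailing CR, LF and spaces; the bound is tested before line[len - 1]. */
static size_t trimmed_len(const char *line, size_t len) {
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n' ||
                       line[len - 1] == ' '))
        len--;
    return len;
}

/* Hardened: locate the last space-delimited token (the file name field).
 * Returns 0 and fills start/tok_len, or -1 when nothing is left to index. */
int last_token(const char *line, size_t len, size_t *start, size_t *tok_len) {
    size_t end = trimmed_len(line, len);
    if (end == 0)
        return -1;
    size_t pos = end;
    while (pos > 0 && line[pos - 1] != ' ')
        pos--;
    *start = pos;
    *tok_len = end - pos;
    return 0;
}

int main(void) {
    /* Constructed sample lines, not taken from the bug report. */
    const char *ok = "-rw-r--r-- 1 ftp ftp 42 Jan 01 00:00 file.txt\r\n";
    const char *blank = "   \r\n";
    size_t start, n;
    if (last_token(ok, strlen(ok), &start, &n) == 0)
        printf("name: %.*s\n", (int)n, ok + start);
    printf("blank line rejected: %d\n",
           last_token(blank, strlen(blank), &start, &n) == -1);
    printf("unchecked index for empty line: %zu\n", last_index_unchecked(0));
    return 0;
}
```

The hardened path tests the counter against zero before every `len - 1` or `pos - 1`, so a line that trims down to nothing is rejected instead of producing a wrapped index.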