This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 714581 - (CVE-2011-0083, CVE-2011-0085, CVE-2011-2363) CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer vulnerabilities (MFSA 2011-23)
CVE-2011-0083 CVE-2011-0085 CVE-2011-2363 Mozilla Multiple dangling pointer v...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
public=20110621,reported=20110618,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-20 03:05 EDT by Huzaifa S. Sidhpurwala
Modified: 2013-04-12 12:10 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-12 12:10:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Huzaifa S. Sidhpurwala 2011-06-20 03:05:12 EDT
Multiple dangling pointer vulnerabilities were reported by regenrecht via
TippingPoint's Zero Day Initiative.
 
Firefox 4 and newer products were not affected by these issues.
Comment 1 Jan Lieskovsky 2011-06-21 08:37:50 EDT
Public now via:
[1] http://www.mozilla.org/security/announce/2011/mfsa2011-23.html
Comment 2 Jan Lieskovsky 2011-06-21 08:39:35 EDT
Further flaws description (from [1]):
=====================================

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative
two instances of code which modifies SVG element lists failed to account for
changes made to the list by user-supplied callbacks before accessing list
elements. If a user-supplied callback deleted such an object, the element-
modifying code could wind up accessing deleted memory and potentially executing
attacker-controlled memory.

regenrecht also reported via TippingPoint's Zero Day Initiative that a XUL
document could force the nsXULCommandDispatcher to remove all command updaters
from the queue, including the one currently in use. This could result in the
execution of deleted memory which an attacker could use to run arbitrary code
on a victim's computer.

Firefox 4 and newer products were not affected by these issues.
Comment 3 errata-xmlrpc 2011-06-21 18:28:51 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0887 https://rhn.redhat.com/errata/RHSA-2011-0887.html
Comment 4 errata-xmlrpc 2011-06-21 18:39:18 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0886 https://rhn.redhat.com/errata/RHSA-2011-0886.html
Comment 5 errata-xmlrpc 2011-06-21 18:50:19 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0888 https://rhn.redhat.com/errata/RHSA-2011-0888.html
Comment 6 errata-xmlrpc 2011-06-21 18:50:50 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4

Via RHSA-2011:0885 https://rhn.redhat.com/errata/RHSA-2011-0885.html

Note You need to log in before you can comment on or make changes to this bug.