Multiple dangling pointer vulnerabilities were reported by regenrecht via TippingPoint's Zero Day Initiative. Firefox 4 and newer products were not affected by these issues.
Public now via: [1] http://www.mozilla.org/security/announce/2011/mfsa2011-23.html
Further flaws description (from [1]):
=====================================

Security researcher regenrecht reported via TippingPoint's Zero Day Initiative two instances of code which modifies SVG element lists failed to account for changes made to the list by user-supplied callbacks before accessing list elements. If a user-supplied callback deleted such an object, the element-modifying code could wind up accessing deleted memory and potentially executing attacker-controlled memory.

regenrecht also reported via TippingPoint's Zero Day Initiative that a XUL document could force the nsXULCommandDispatcher to remove all command updaters from the queue, including the one currently in use. This could result in the execution of deleted memory which an attacker could use to run arbitrary code on a victim's computer.

Firefox 4 and newer products were not affected by these issues.
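The bug class described in the advisory text above (a list mutated by a user-supplied callback while the caller still holds a reference into it), shown as an added example that is not part of this bug report or of Mozilla's code. `Item`, `ItemList`, `Callback` and both functions are hypothetical stand-ins; the flawed pattern is modelled with a `weak_ptr` so that no freed memory is ever touched.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-ins for a DOM element list and a script callback.
struct Item { int value; };
using ItemList = std::vector<std::shared_ptr<Item>>;
using Callback = std::function<void(ItemList&)>;

// Models the flawed pattern safely: the element is observed through a
// weak_ptr (standing in for a raw, non-owning pointer). Returns true if a
// raw pointer taken before the callback would be dangling after it.
bool raw_pointer_would_dangle(ItemList& list, std::size_t i, const Callback& cb) {
    if (i >= list.size()) return false;
    std::weak_ptr<Item> observed = list[i];  // no ownership, like Item*
    cb(list);                                // user code may mutate the list
    return observed.expired();
}

// Hardened pattern: hold a strong reference across the callback, then
// re-validate the list before writing. Returns the number of items updated.
std::size_t update_all(ItemList& list, const Callback& cb, int new_value) {
    std::size_t updated = 0;
    for (std::size_t i = 0; i < list.size(); ++i) {      // size re-read each pass
        std::shared_ptr<Item> keep = list[i];            // keeps the object alive
        cb(list);
        if (i >= list.size() || list[i] != keep) break;  // list changed under us
        keep->value = new_value;
        ++updated;
    }
    return updated;
}

int main() {
    // Constructed sample: the callback empties the list mid-iteration.
    ItemList list{std::make_shared<Item>(Item{1}), std::make_shared<Item>(Item{2})};
    Callback clear = [](ItemList& l) { l.clear(); };
    return update_all(list, clear, 9) == 0 ? 0 : 1;
}
```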
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:0887 https://rhn.redhat.com/errata/RHSA-2011-0887.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0886 https://rhn.redhat.com/errata/RHSA-2011-0886.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0888 https://rhn.redhat.com/errata/RHSA-2011-0888.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4

Via RHSA-2011:0885 https://rhn.redhat.com/errata/RHSA-2011-0885.html