Bug 129824 - www-client/mozilla-firefox[-bin]: 1.5.0.1 DoS vulnerability
Summary: www-client/mozilla-firefox[-bin]: 1.5.0.1 DoS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Mozilla Gentoo Team
URL: http://morph3us.org/advisories/200604...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-13 09:31 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-04-14 16:38 UTC

See Also:
Package list:
Runtime testing required: ---


Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-13 09:31:29 UTC
I tried the provided URL [1] with our mozilla-firefox-bin 1.5.0.1 and it crashes. I haven't tried with mozilla-firefox (without -bin).

[1] Online-demo:
http://morph3us.org/security/pen-testing/firefox/firefox1501-nsBlockFrame.html

Extract from http://morph3us.org/advisories/20060412-firefox-1501.txt :
-------------------------------------------------------------------------

Following HTML source forces Firefox <= 1.5.0.1 to crash:
> <legend>
>  <kbd>
>    <object>
>      <h4>
>    </object>
>  </kbd>

Online-demo:
http://morph3us.org/security/pen-testing/firefox/firefox1501-nsBlockFrame.html

The access violation results in a non-exploitable Null Pointer Dereference.

o Disclosure Timeline:
=====================

01 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
15 Dec 05 - Vendor confirmed vulnerability.
02 Feb 06 - Fixed on 1.x branches.
12 Apr 06 - Public release.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-13 09:50:52 UTC
Thanks DerCorny.

I just want to add that I had QA notices while emerging mozilla-firefox-bin-1.5.0.1 and -bin-1.0.7:
(I don't know whether Moz'team wants a new bug or not)

1.5.0.1:

 /var/tmp/portage/mozilla-firefox-bin-1.5.0.1/temp/scanelf-textrel.log
TEXTREL opt/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so

 /var/tmp/portage/mozilla-firefox-bin-1.5.0.1/temp/scanelf-execstack.log
RWX --- --- opt/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so

and with mozilla-firefox-bin-1.0.7 (stable):

 /var/tmp/portage/mozilla-firefox-bin-1.0.7/temp/scanelf-textrel.log
TEXTREL opt/firefox/components/libqfaservices.so

 /var/tmp/portage/mozilla-firefox-bin-1.0.7/temp/scanelf-execstack.log
RWX --- --- opt/firefox/xpicleanup
RWX --- --- opt/firefox/libssl3.so
RWX --- --- opt/firefox/libmozjs.so
RWX --- --- opt/firefox/libnspr4.so
RWX --- --- opt/firefox/libsoftokn3.so
RWX --- --- opt/firefox/components/libjsd.so
RWX --- --- opt/firefox/components/libjar50.so
RWX --- --- opt/firefox/components/libqfaservices.so
RWX --- --- opt/firefox/components/libmozgnome.so
RWX --- --- opt/firefox/components/libinspector.so
RWX --- --- opt/firefox/components/libnkgnomevfs.so
RWX --- --- opt/firefox/components/libnegotiateauth.so
RWX --- --- opt/firefox/components/libxpinstall.so
RWX --- --- opt/firefox/libnss3.so
RWX --- --- opt/firefox/libplds4.so
RWX --- --- opt/firefox/libnssckbi.so
RWX --- --- opt/firefox/libplc4.so
RWX --- --- opt/firefox/libxpcom_compat.so
RWX --- --- opt/firefox/libxpistub.so
RWX --- --- opt/firefox/libxpcom.so
RWX --- --- opt/firefox/firefox-bin
RWX --- --- opt/firefox/mozilla-xremote-client
RWX --- --- opt/firefox/plugins/libnullplugin.so
RWX --- --- opt/firefox/libsmime3.so

emerge --info follows:

Portage 2.1_pre7-r5 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.17-rc1-lufs i686)
=================================================================
System uname: 2.6.17-rc1-lufs i686 Intel(R) Pentium(R) M processor 1400MHz
Gentoo Base System version 1.12.0_pre17
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [disabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=pentium3 -pipe -fomit-frame-pointer -frename-registers"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -march=pentium3 -pipe -fomit-frame-pointer -frename-registers"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict stricter userpriv"
GENTOO_MIRRORS="http://gentoo.mirror.sdv.fr/ http://trumpetti.atm.tut.fi/gentoo/ http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X alsa apm avi bitmap-fonts crypt cups dri eds emboss encode foomaticdb fortran gdbm gpm gstreamer gtk gtk2 imap imlib isdnlog jpeg kde libg++ libwww mad maildir mbox mikmod mmx motif mp3 mpeg nas ncurses nls ogg oggvorbis opengl oss pam pcmcia pdflib perl png pppd python qt quicktime readline sdl socks5 spell sse ssl tcpd truetype truetype-fonts type1-fonts vorbis xinerama xml2 xmms xv zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
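
The scanelf execstack notices above come from each binary's PT_GNU_STACK program header: an RWX marking means the object asks the loader for an executable stack. The Python below is an added example, not part of this bug or of Gentoo's scanelf; it reads that header from a little-endian ELF64 image and renders the marking, checking two minimal ELF images it constructs inline, and the "!WX" rendering for a missing header is an assumption that mirrors scanelf's convention rather than confirmed output.

```python
import struct

# Constants from the ELF specification.
PT_GNU_STACK = 0x6474E551          # program header type carrying the stack marking
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags permission bits
ELF_MAGIC = b"\x7fELF"


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]          # e_phoff at byte 32
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)  # e_phentsize, e_phnum
    for i in range(e_phnum):                                 # each phdr starts p_type, p_flags
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_marking(elf: bytes) -> str:
    """Render the stack permission as an RWX triple like the execstack log."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "!WX"   # assumed rendering: no header, historically loaded as exec stack
    return "".join(ch if flags & bit else "-"
                   for ch, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def make_elf64(stack_flags):
    """Constructed minimal ELF64 image: 64-byte header plus at most one 56-byte phdr."""
    phnum = 0 if stack_flags is None else 1
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, little-endian
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, phnum, 64, 0, 0)   # phdr table at offset 64
    if stack_flags is None:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    for label, flags in (("non-exec stack", PF_R | PF_W),
                         ("exec stack", PF_R | PF_W | PF_X),
                         ("no PT_GNU_STACK", None)):
        print(f"{stack_marking(make_elf64(flags))}  {label}")
```

Run against a real file with `stack_marking(open(path, "rb").read())`; a hardened build should report "RW-" for every object listed in the notice above.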

Comment 2 Jory A. Pratt 2006-04-14 16:38:11 UTC
Has already been fixed upstream in 1.5.0.2 which I have committed to the tree already.