+++ This bug was initially created as a clone of Bug #271865 +++

CVE-2009-1233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1233): Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to cause a denial of service (application crash) via an XML document containing many nested A elements.

^^^ Above is from bug 271865 ^^^

While testing this exploit (http://www.milw0rm.com/exploits/8325) in webkit-gtk, I also tried it on Firefox for the heck of it, and that caused the crash of Firefox instead (denial of service).

Backtrace seems to be corrupted, and the interesting thread has only this (there are 8 worker threads that are uninteresting and sitting in conditional wait):

    (gdb) bt full
    #0  nsCSSRuleProcessor::GetRuleCascade (this=0x318f370, aPresContext=0x27010e0) at nsCSSRuleProcessor.cpp:2176
            cascadep = (RuleCascadeData **) Cannot access memory at address 0x7fff14385ee8

I don't know if this bug is known by anyone, or if this should be considered a security bug or not, etc. I don't have the time right now to go search and do all the proper dance, so I hope you guys can check into it meanwhile.

Restricting to be safe until research or time has found it to be public knowledge.
reported upstream, Mart is cc'ed on the bug.
Upstream is tracking this publicly now and states that it is only a crasher. Client crash bugs are not treated as vulnerabilities by Gentoo Security. If it crashes your browser, do not visit the page again. Reassigning to mozilla.
mozilla@gentoo.org has been CCed on the upstream bug, let's track it there...