Bug 246001 (CVE-2008-2786)

Summary:	www-client/mozilla-firefox<=3.? Buffer Overflow (CVE-2008-2786)
Product:	Gentoo Security	Reporter:	Stefan Behte (RETIRED) <craig>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	glua
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://xforce.iss.net/xforce/xfdb/43317
Whiteboard:	~1 [upstream]
Package list:		Runtime testing required:	---

Description Stefan Behte (RETIRED) gentoo-dev

2008-11-07 21:03:20 UTC

CVE-2008-2786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2786):
  Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and
  attack vectors.  NOTE: due to lack of details as of 20080619, it is
  not clear whether this is the same issue as CVE-2008-2785.  A CVE
  identifier has been assigned for tracking purposes.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2008-11-07 21:06:33 UTC

It seems there is no public information available, I just opened this issue for tracking purposes.

Comment 2 Anton Bolshakov 2008-12-24 02:10:01 UTC

That exploit published today could be related
http://www.milw0rm.com/exploits/7554

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2009-01-25 15:06:20 UTC

It might still be 0day as the source for this was a "uh look I have an exploit for firefox 3 and this is the hash"-post on http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062832.html

Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev

2009-04-08 18:07:28 UTC

we should probably contact upstream to sort this out.

Comment 5 Jory A. Pratt gentoo-dev

2010-09-16 13:07:24 UTC

Mozilla has nothing to do here.

Comment 6 Sean Amoss (RETIRED) gentoo-dev

2012-02-09 15:14:23 UTC

Upstream's bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=402735

The crash was caused due to a 3rd party extension (Download accelerator plus) and so it is invalid.