A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object.
firefox/xulrunner/firefox-bin are all in tree; it will be a few days on icecat.
All packages are in tree; we just have to wait on a few other packages before we push forward with finishing this up.
@security: I would suggest not waiting for hppa before releasing the GLSAs. We already have a newer security bug to be tackled as well: bug 324735
Removing gnome-doc-utils/yelp from dependencies since only hppa is left for those, and they're listed in the deps of bug 314025 anyway.
Please note that a www-client/mozilla-firefox -> www-client/firefox pkgmove was just done.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Added to existing mozilla GLSA request.
Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010.
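The advisory and CVE text above describe the bug class but not the concrete trigger ("unspecified vectors"). The following is an added illustration written for this page, not Mozilla's code and not a reproduction of the Firefox vector: a toy C model in which a node keeps a back-pointer to the document ("scope") that owns it. The buggy move relinks the node under the new document but leaves the owner pointer on the old one; when the old document is torn down (standing in for garbage collection of the old scope), the node's owner pointer dangles. The fixed variant rebinds the owner before the node becomes reachable from the new document. The Document/Node types, the freed-pointer bookkeeping and every function name are invented for this example; the freed-set check only exists so the demo can report the dangling pointer without dereferencing freed memory, which is what a sanitizer would flag in a real build.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of "moved node retains its old scope" (added example, not Mozilla code). */

typedef struct Document Document;
typedef struct Node Node;

struct Node {
    const char *name;
    Document   *owner;  /* the scope this node believes it belongs to */
    Node       *next;   /* sibling list inside the owning document */
};

struct Document {
    const char *title;
    Node       *children;
};

/* Tiny "freed set" so the demo can detect a dangling scope pointer safely.
 * Real code has no such check: the dereference simply happens (ASan would catch it). */
#define MAX_FREED 16
static const void *freed[MAX_FREED];
static int nfreed;

static void note_freed(const void *p) { if (nfreed < MAX_FREED) freed[nfreed++] = p; }
static int is_freed(const void *p) {
    for (int i = 0; i < nfreed; i++) if (freed[i] == p) return 1;
    return 0;
}

static Document *doc_new(const char *title) {
    Document *d = calloc(1, sizeof *d);
    d->title = title;
    return d;
}

/* Allocate a node inside document d; owner and sibling link are set together. */
static Node *doc_append(Document *d, const char *name) {
    Node *n = calloc(1, sizeof *n);
    n->name = name;
    n->owner = d;
    n->next = d->children;
    d->children = n;
    return n;
}

static void doc_unlink(Document *d, Node *n) {
    Node **pp = &d->children;
    while (*pp && *pp != n) pp = &(*pp)->next;
    if (*pp) *pp = n->next;
    n->next = NULL;
}

/* Stands in for GC collecting a scope: frees the document and every node still in it. */
static void doc_destroy(Document *d) {
    for (Node *n = d->children; n;) {
        Node *next = n->next;
        note_freed(n);
        free(n);
        n = next;
    }
    note_freed(d);
    free(d);
}

/* BUG: the node is relinked under `to` but n->owner still points at `from`. */
static void move_node_buggy(Document *from, Document *to, Node *n) {
    doc_unlink(from, n);
    n->next = to->children;
    to->children = n;
}

/* FIX: rebind the scope before the node is reachable from the new document. */
static void adopt_node(Document *from, Document *to, Node *n) {
    doc_unlink(from, n);
    n->owner = to;
    n->next = to->children;
    to->children = n;
}

/* "Use" of the node's scope: returns NULL instead of touching a freed owner. */
static const char *node_scope_title(const Node *n) {
    return is_freed(n->owner) ? NULL : n->owner->title;
}

/* Returns 1 if the moved node's scope pointer dangles after the old document is gone. */
int run_scenario(int use_fixed_adopt) {
    nfreed = 0;
    Document *old = doc_new("old document");
    Document *dst = doc_new("new document");
    Node *n = doc_append(old, "div");

    if (use_fixed_adopt) adopt_node(old, dst, n);
    else                 move_node_buggy(old, dst, n);

    doc_destroy(old);                             /* old scope collected */
    int dangling = node_scope_title(n) == NULL;   /* node itself is still alive */
    doc_destroy(dst);                             /* also frees n */
    return dangling;
}

int main(void) {
    printf("buggy move leaves the node's scope dangling: %s\n", run_scenario(0) ? "yes" : "no");
    printf("adopt_node leaves the node's scope dangling: %s\n", run_scenario(1) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one from the advisory: the node outlives the old document because it was unlinked from it, but its scope pointer was never updated, so the first later access to that scope is a use-after-free. The ownership update must happen as part of the move, not be left for the caller.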
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).