Package Instance

Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products.

Security researcher Abhishek Arya of Google used the Address
Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in conversion
from unicode to native character sets when the function fails. The
use-after-free occurs in nsFrameList when working with column layout with
absolute positioning in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is resized on a page with
nested columns and a combination of absolute and relative positioning. All three
of these issues are potentially exploitable.

Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products.

Security researcher Abhishek Arya of Google used the Address
Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in conversion
from unicode to native character sets when the function fails. The
use-after-free occurs in nsFrameList when working with column layout with
absolute positioning in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is resized on a page with
nested columns and a combination of absolute and relative positioning. All three
of these issues are potentially exploitable.

Security researcher Adam Barth found that inline event handlers, such as onclick, were no longer blocked by Content Security
Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected.

Security researcher Arthur Gerkis used the Address Sanitizer
tool to find a use-after-free while replacing/inserting a node in a document.
This use-after-free could possibly allow for remote code execution.

Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products.

Security researcher Paul Stone reported an attack where an
HTML page hosted on a Windows share and then loaded could then load Windows
shortcut files (.lnk) in the same share. These shortcut files could then link to
arbitrary locations on the local file system of the individual loading the HTML
page. That page could show the contents of these linked files or directories
from the local file system in an iframe, causing information disclosure.
This issue could potentially affect Linux machines with samba
shares enabled.

Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird
and SeaMonkey products because scripting is disabled, but are potentially a risk
in browser or browser-like contexts in those products.

Security researcher Abhishek Arya of Google used the Address
Sanitizer tool to uncover several issues: two heap buffer overflow bugs and a
use-after-free problem. The first heap buffer overflow was found in conversion
from unicode to native character sets when the function fails. The
use-after-free occurs in nsFrameList when working with column layout with
absolute positioning in a container that changes size. The second buffer
overflow occurs in nsHTMLReflowState when a window is resized on a page with
nested columns and a combination of absolute and relative positioning. All three
of these issues are potentially exploitable.