Lookup for vulnerable packages by Package URL.

Purl pkg:mozilla/SeaMonkey@2.0.12
Type mozilla
Namespace
Name SeaMonkey
Version 2.0.12
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 2.0.14
Latest_non_vulnerable_version 2.38.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-5268-56yp-tfb7
vulnerability_id VCID-5268-56yp-tfb7
summary
Security researcher Christian Holler reported that
the JavaScript engine's internal memory mapping of non-local JS
variables contained a buffer overflow which could potentially be used
by an attacker to run arbitrary code on a victim's computer.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0054
reference_id CVE-2011-0054
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0054
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-04
reference_id mfsa2011-04
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-04
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0054
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5268-56yp-tfb7
1
url VCID-5qnz-z32b-67hs
vulnerability_id VCID-5qnz-z32b-67hs
summary
Mozilla developers identified and fixed several memory safety bugs
in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption
under certain circumstances, and we presume that with enough effort at
least some of these could be exploited to run arbitrary code.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0053
reference_id CVE-2011-0053
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0053
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-01
reference_id mfsa2011-01
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-01
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0053
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5qnz-z32b-67hs
2
url VCID-7rwb-wtw8-wqhz
vulnerability_id VCID-7rwb-wtw8-wqhz
summary
Independent security researcher Kuza55 and
Microsoft security researcher Tom Gallagher reported
that when plugin-initiated requests receive a 307 redirect response,
the plugin is not notified and the request is forwarded to the new
location.  This is true even for cross-site redirects, so any custom
headers that were added as part of the initial request would be
forwarded intact across origins.  This poses a CSRF risk for web
applications that rely on custom headers only being present in
requests from their own origin.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0059
reference_id CVE-2011-0059
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0059
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-10
reference_id mfsa2011-10
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-10
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0059
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7rwb-wtw8-wqhz
3
url VCID-acdp-mkw5-nkcc
vulnerability_id VCID-acdp-mkw5-nkcc
summary
Alex Miller reported that when very long strings
were constructed and inserted into an HTML document, the browser would
incorrectly construct the layout objects used to display the text.
Under such conditions an incorrect length would be calculated for a
text run resulting in too small of a memory buffer being allocated to
store the text.  This issue could be used by an attacker to write data
past the end of the buffer and execute malicious code on a victim's
computer.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0058
reference_id CVE-2011-0058
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0058
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-07
reference_id mfsa2011-07
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-07
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0058
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acdp-mkw5-nkcc
4
url VCID-akcd-7vmy-2ubj
vulnerability_id VCID-akcd-7vmy-2ubj
summary
Security researcher Zach Hoffman reported that a
recursive call to eval() wrapped in
a try/catch statement places the browser into an
inconsistent state.  Any dialog box opened in this state is displayed
without text and with non-functioning buttons.  Closing the window
causes the dialog to evaluate to true.  An attacker could use this
issue to force a user into accepting any dialog, such as one granting
elevated privileges to the page presenting the dialog.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0051
reference_id CVE-2011-0051
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0051
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-02
reference_id mfsa2011-02
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-02
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0051
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-akcd-7vmy-2ubj
5
url VCID-aptj-btqv-2ygb
vulnerability_id VCID-aptj-btqv-2ygb
summary
Security researcher Roberto Suggi Liverani
reported that ParanoidFragmentSink, a class used to
sanitize potentially unsafe HTML for display,
allows javascript: URLs and other inline JavaScript when
the embedding document is a chrome document.  While there are no
unsafe uses of this class in any released products, extension code
could have potentially used it in an unsafe manner.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1585
reference_id CVE-2010-1585
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1585
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-08
reference_id mfsa2011-08
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-08
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2010-1585
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aptj-btqv-2ygb
6
url VCID-aqsc-b3nk-9kb4
vulnerability_id VCID-aqsc-b3nk-9kb4
summary
Security researcher Christian Holler reported that
the JavaScript engine's internal mapping of string values contained an
error in cases where the number of values being stored was above 64K.
In such cases an offset pointer was manually moved forwards and
backwards to access the larger address space.  If an exception was
thrown between the time that the offset pointer was moved forward and
the time it was reset, then the exception object would be read from an
invalid memory address, potentially executing attacker-controlled
memory.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0056
reference_id CVE-2011-0056
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0056
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-05
reference_id mfsa2011-05
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-05
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0056
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aqsc-b3nk-9kb4
7
url VCID-cqbd-xw64-jqak
vulnerability_id VCID-cqbd-xw64-jqak
summary
Daniel Kozlowski reported that a
JavaScript Worker could be used to keep a reference to an
object that could be freed during garbage collection.  Subsequent
calls through this deleted reference could cause attacker-controlled
memory to be executed on a victim's computer.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0057
reference_id CVE-2011-0057
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0057
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-06
reference_id mfsa2011-06
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-06
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0057
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cqbd-xw64-jqak
8
url VCID-wax4-bwfb-v3ff
vulnerability_id VCID-wax4-bwfb-v3ff
summary
Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a method used
by JSON.stringify contained a use-after-free error in
which a currently in-use pointer was freed and subsequently
dereferenced.  This could lead to arbitrary code execution if an
attacker was able to store malicious code in the freed section of
memory. Mozilla developer Igor Bukanov also independently
discovered and reported this issue two weeks after the initial
report was received.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0055
reference_id CVE-2011-0055
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0055
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2011-03
reference_id mfsa2011-03
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2011-03
fixed_packages
0
url pkg:mozilla/SeaMonkey@2.0.12
purl pkg:mozilla/SeaMonkey@2.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12
aliases CVE-2011-0055
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wax4-bwfb-v3ff
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@2.0.12