Your message dated Fri, 1 May 2009 18:51:46 +0200
with message-id <[email protected]>
and subject line Re: CVE-2008-2419: possible heap corruption and browser crash
has caused the Debian Bug report #484484,
regarding CVE-2008-2419: possible heap corruption and browser crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
484484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484484
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iceweasel
Version: 2.0.0.14-2
Severity: important
Tags: security

Hi

The following CVE[0] has been issued against Firefox.

CVE-2008-2419:

Mozilla Firefox 2.0.0.14 allows remote attackers to cause a denial of
service (heap corruption and application crash) or possibly execute
arbitrary code by triggering an error condition during certain Iframe
operations between a JSframe write and a JSframe close, as demonstrated
by an error in loading an empty Java applet defined by a
'src="javascript:"' sequence. 


A more detailed explanation can be found here[1]. Not quite sure to what
extent arbitrary code execution is possible or if it is just mainly a
browser crash (thus the severity important).

It would be great if you could investigate this a bit.

If you fix this issue by an upload, please mention the CVE id in your
changelog.

Thanks a lot for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2419

[1]: http://www.0x000000.com/?i=576



--- End Message ---
--- Begin Message ---
On Wed, Jun 04, 2008 at 08:33:36PM +1000, Steffen Joeris wrote:
> Package: iceweasel
> Version: 2.0.0.14-2
> Severity: important
> Tags: security
> 
> Hi
> 
> The following CVE[0] has been issued against Firefox.
> 
> CVE-2008-2419:
> 
> Mozilla Firefox 2.0.0.14 allows remote attackers to cause a denial of
> service (heap corruption and application crash) or possibly execute
> arbitrary code by triggering an error condition during certain Iframe
> operations between a JSframe write and a JSframe close, as demonstrated
> by an error in loading an empty Java applet defined by a
> 'src="javascript:"' sequence. 
> 
> A more detailed explanation can be found here[1]. Not quite sure to what
> extent arbitrary code execution is possible or if it is just mainly a
> browser crash (thus the severity important).

This is Mozilla bug 435130, which is not reproducible for upstream.

Cheers,
        Moritz


--- End Message ---
