CVE-2006-4253

Publication date 21 August 2006

Last updated 24 July 2024

Ubuntu priority

Concurrency vulnerability in Mozilla Firefox 1.5.0.6 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via multiple Javascript timed events that load a deeply nested XML file, followed by redirecting the browser to another page, which leads to a concurrency failure that causes structures to be freed incorrectly, as demonstrated by (1) ffoxdie and (2) ffoxdie3. NOTE: it has been reported that Netscape 8.1 and K-Meleon 1.0.1 are also affected by ffoxdie. Mozilla confirmed to CVE that ffoxdie and ffoxdie3 trigger the same underlying vulnerability. NOTE: it was later reported that Firefox 2.0 RC2 and 1.5.0.7 are also affected.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	7.10 gutsy	Not affected
	7.04 feisty	Not affected
	6.10 edgy	Not affected
	6.06 LTS dapper	Fixed 1.5.dfsg+1.5.0.13~prepatch070731-0ubuntu1
firefox-3.0	7.10 gutsy	Fixed 3.0~alpha7-0ubuntu6
	7.04 feisty	Not in release
	6.10 edgy	Not in release
	6.06 LTS dapper	Not in release
lightning-sunbird	7.10 gutsy	Fixed 0.5-0ubuntu4
	7.04 feisty	Not in release
	6.10 edgy	Not in release
	6.06 LTS dapper	Not in release
midbrowser	7.10 gutsy	Fixed 0.1.6b-0ubuntu2
	7.04 feisty	Not in release
	6.10 edgy	Not in release
	6.06 LTS dapper	Not in release
mozilla-thunderbird	7.10 gutsy	Not in release
	7.04 feisty	Fixed 1.5.0.13-0ubuntu0.7.04
	6.10 edgy	Fixed 1.5.0.13-0ubuntu0.6.10
	6.06 LTS dapper	Fixed 1.5.0.13-0ubuntu0.6.06
xulrunner	7.10 gutsy	Fixed 1.8.0.10-3ubuntu1
	7.04 feisty	Fixed 1.8.0.10-3ubuntu1
	6.10 edgy	Ignored end of life, was needed
	6.06 LTS dapper	Not in release

References

Related Ubuntu Security Notices (USN)

USN-351-1
firefox vulnerabilities
23 September 2006

USN-350-1
Thunderbird vulnerabilities
22 September 2006

USN-352-1
Thunderbird vulnerabilities
25 September 2006

Other references

https://www.cve.org/CVERecord?id=CVE-2006-4253