Vulnerabilities > CVE-2008-1380 - Resource Management Errors vulnerability in Mozilla Firefox, Seamonkey and Thunderbird
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows NASL id SEAMONKEY_1110.NASL description The installed version of SeaMonkey is affected by various security issues : - A stability problem that could result in a crash during JavaScript garbage collection (MFSA 2008-20). - Several stability bugs leading to crashes which, in some cases, show traces of memory corruption (MFSA 2008-21). - A vulnerability involving violation of the same-origin policy could allow for cross-site scripting attacks (MFSA 2008-22). - JavaScript can be injected into the context of signed JARs and executed under the context of the JAR last seen 2020-06-01 modified 2020-06-02 plugin id 33394 published 2008-07-02 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33394 title SeaMonkey < 1.1.10 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(33394); script_version("1.17"); script_cve_id("CVE-2008-1380", "CVE-2008-2798", "CVE-2008-2799", "CVE-2008-2800", "CVE-2008-2801", "CVE-2008-2802", "CVE-2008-2803", "CVE-2008-2805", "CVE-2008-2806", "CVE-2008-2807", "CVE-2008-2808", "CVE-2008-2809", "CVE-2008-2810", "CVE-2008-2811"); script_bugtraq_id(30038); script_name(english:"SeaMonkey < 1.1.10 Multiple Vulnerabilities"); script_summary(english:"Checks version of SeaMonkey"); script_set_attribute(attribute:"synopsis", value: "A web browser on the remote host is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The installed version of SeaMonkey is affected by various security issues : - A stability problem that could result in a crash during JavaScript garbage collection (MFSA 2008-20). - Several stability bugs leading to crashes which, in some cases, show traces of memory corruption (MFSA 2008-21). - A vulnerability involving violation of the same-origin policy could allow for cross-site scripting attacks (MFSA 2008-22). - JavaScript can be injected into the context of signed JARs and executed under the context of the JAR's signer (MFSA 2008-23). - By taking advantage of the privilege level stored in the pre-compiled 'fastload' file. an attacker may be able to run arbitrary JavaScript code with chrome privileges (MFSA 2008-24). - Arbitrary code execution is possible in 'mozIJSSubScriptLoader.loadSubScript()' (MFSA 2008-25). - Several function calls in the MIME handling code use unsafe versions of string routines (MFSA 2008-26). - An attacker can steal files from known locations on a victim's computer via originalTarget and DOM Range (MFSA 2008-27). - It is possible for a malicious Java applet to bypass the same-origin policy and create arbitrary socket connections to other domains (MFSA 2008-28). - An improperly encoded '.properties' file in an add-on can result in uninitialized memory being used, which could lead to data formerly used by other programs being exposed to the add-on code (MFSA 2008-29). - File URLs in directory listings are not properly HTML- escaped when the filenames contained particular characters (MFSA 2008-30). - A weakness in the trust model regarding alt names on peer-trusted certs could lead to spoofing secure connections to any other site (MFSA 2008-31). - URL shortcut files on Windows (for example, saved IE favorites) could be interpreted as if they were in the local file context when opened by SeaMonkey, although the referenced remote content would be downloaded and displayed (MFSA 2008-32). - A crash in Mozilla's block reflow code could be used by an attacker to crash the browser and run arbitrary code on the victim's computer (MFSA 2008-33)." ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-20/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-21/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-22/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-23/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-24/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-25/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-26/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-27/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-28/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-29/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-30/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-31/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-32/" ); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2008-33/" ); script_set_attribute(attribute:"solution", value: "Upgrade to SeaMonkey 1.1.10 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(20, 79, 200, 264, 287, 399); script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/02"); script_cvs_date("Date: 2018/07/27 18:38:15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:seamonkey"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("SeaMonkey/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/SeaMonkey/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "SeaMonkey"); mozilla_check_version(installs:installs, product:'seamonkey', fix:'1.1.10', severity:SECURITY_HOLE);
NASL family Fedora Local Security Checks NASL id FEDORA_2008-3557.NASL description Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of some malformed HTML mail content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. An HTML mail message containing specially crafted content could, potentially, trick a user into surrendering sensitive information. (CVE-2008-1234) A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32206 published 2008-05-11 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32206 title Fedora 8 : thunderbird-2.0.0.14-1.fc8 (2008-3557) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-3557. # include("compat.inc"); if (description) { script_id(32206); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:27"); script_cve_id("CVE-2008-1233", "CVE-2008-1234", "CVE-2008-1235", "CVE-2008-1236", "CVE-2008-1237", "CVE-2008-1380"); script_bugtraq_id(28448, 28818); script_xref(name:"FEDORA", value:"2008-3557"); script_name(english:"Fedora 8 : thunderbird-2.0.0.14-1.fc8 (2008-3557)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of some malformed HTML mail content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. An HTML mail message containing specially crafted content could, potentially, trick a user into surrendering sensitive information. (CVE-2008-1234) A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438713" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438715" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438717" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438718" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=438721" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=440518" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-May/009726.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?27a0ff25" ); script_set_attribute( attribute:"solution", value:"Update the affected thunderbird package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(79, 94, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:thunderbird"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8"); script_set_attribute(attribute:"patch_publication_date", value:"2008/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC8", reference:"thunderbird-2.0.0.14-1.fc8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0222.NASL description Updated firefox packages that fix a security bug are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31998 published 2008-04-22 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31998 title CentOS 4 / 5 : firefox (CESA-2008:0222) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200805-18.NASL description The remote host is affected by the vulnerability described in GLSA-200805-18 (Mozilla products: Multiple vulnerabilities) The following vulnerabilities were reported in all mentioned Mozilla products: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and Paul Nickerson reported browser crashes related to JavaScript methods, possibly triggering memory corruption (CVE-2008-0412). Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor, and tgirmann reported crashes in the JavaScript engine, possibly triggering memory corruption (CVE-2008-0413). David Bloom discovered a vulnerability in the way images are treated by the browser when a user leaves a page, possibly triggering memory corruption (CVE-2008-0419). moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series of privilege escalation vulnerabilities related to JavaScript (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235). Mozilla developers identified browser crashes caused by the layout and JavaScript engines, possibly triggering memory corruption (CVE-2008-1236, CVE-2008-1237). moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape from its sandboxed context and run with chrome privileges, and inject script content into another site, violating the browser last seen 2020-06-01 modified 2020-06-02 plugin id 32416 published 2008-05-22 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32416 title GLSA-200805-18 : Mozilla products: Multiple vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200808-03.NASL description The remote host is affected by the vulnerability described in GLSA-200808-03 (Mozilla products: Multiple vulnerabilities) The following vulnerabilities were reported in all mentioned Mozilla products: TippingPoint last seen 2020-06-01 modified 2020-06-02 plugin id 33833 published 2008-08-07 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33833 title GLSA-200808-03 : Mozilla products: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_MOZILLAFIREFOX-5219.NASL description This update brings Mozilla Firefox to security update version 2.0.0.14 Following security problems were fixed : - MFSA 2008-20/CVE-2008-1380: Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced frequent crashes during JavaScript garbage collection. These crashes may be exploitable if someone finds a reliable way to trigger the crash. last seen 2020-06-01 modified 2020-06-02 plugin id 32114 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32114 title openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-5219) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3283.NASL description Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32044 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32044 title Fedora 8 : Miro-1.2-2.fc8 / chmsee-1.0.0-2.30.fc8 / devhelp-0.16.1-7.fc8 / epiphany-2.20.3-3.fc8 / etc (2008-3283) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0224.NASL description Updated thunderbird packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32112 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32112 title RHEL 4 / 5 : thunderbird (RHSA-2008:0224) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0224.NASL description Updated thunderbird packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43680 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43680 title CentOS 4 / 5 : thunderbird (CESA-2008:0224) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0224.NASL description From Red Hat Security Advisory 2008:0224 : Updated thunderbird packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67682 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67682 title Oracle Linux 4 : thunderbird (ELSA-2008-0224) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1696.NASL description Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0016 Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code. (MFSA 2008-37) - CVE-2008-1380 It was discovered that crashes in the JavaScript engine could potentially lead to the execution of arbitrary code. (MFSA 2008-20) - CVE-2008-3835 last seen 2020-06-01 modified 2020-06-02 plugin id 35313 published 2009-01-08 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35313 title Debian DSA-1696-1 : icedove - several vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0222.NASL description From Red Hat Security Advisory 2008:0222 : Updated firefox packages that fix a security bug are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67680 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67680 title Oracle Linux 4 / 5 : firefox (ELSA-2008-0222) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0223.NASL description Updated SeaMonkey packages that fix a security issues are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, and Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1380) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31987 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31987 title RHEL 2.1 / 3 / 4 : seamonkey (RHSA-2008:0223) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1558.NASL description It was discovered that crashes in the JavaScript engine of xulrunner, the Gecko engine library, could potentially lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 32059 published 2008-04-28 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32059 title Debian DSA-1558-1 : xulrunner - programming error NASL family Fedora Local Security Checks NASL id FEDORA_2008-3519.NASL description Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of some malformed HTML mail content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237) Several flaws were found in the display of malformed web content. An HTML mail message containing specially crafted content could, potentially, trick a user into surrendering sensitive information. (CVE-2008-1234) A flaw was found in the processing of malformed JavaScript content. An HTML mail message containing such malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-1380) Note: JavaScript support is disabled by default in Thunderbird; the above issue is not exploitable unless JavaScript is enabled. All Thunderbird users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32204 published 2008-05-11 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32204 title Fedora 7 : thunderbird-2.0.0.14-1.fc7 (2008-3519) NASL family Scientific Linux Local Security Checks NASL id SL_20080416_FIREFOX_ON_SL4_X.NASL description A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) last seen 2020-06-01 modified 2020-06-02 plugin id 60383 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60383 title Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_MOZILLATHUNDERBIRD-5280.NASL description MozillaThunderbird was updated to version 2.0.0.14, fixing various bugs including 1 security bug : + MFSA 2008-20/CVE-2008-1380: Crash in JavaScript garbage collector JavaScript is not default enabled in our Thunderbird builds though. last seen 2020-06-01 modified 2020-06-02 plugin id 33119 published 2008-06-09 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33119 title openSUSE 10 Security Update : MozillaThunderbird (MozillaThunderbird-5280) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0223.NASL description From Red Hat Security Advisory 2008:0223 : Updated SeaMonkey packages that fix a security issues are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, and Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1380) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67681 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67681 title Oracle Linux 3 / 4 : seamonkey (ELSA-2008-0223) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-110.NASL description Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.14. This update provides the latest Firefox to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36687 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36687 title Mandriva Linux Security Advisory : mozilla-firefox (MDVSA-2008:110) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3264.NASL description Security update: fix memory corrupting crash and possibly code execution in JavaScript garbage collection (CVE-2008-1380, #440518). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32043 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32043 title Fedora 8 : seamonkey-1.1.9-2.fc8 (2008-3264) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-108-01.NASL description New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, and -current to fix a possible security bug. last seen 2020-06-01 modified 2020-06-02 plugin id 31994 published 2008-04-22 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31994 title Slackware 10.2 / 11.0 / 12.0 / current : mozilla-firefox (SSA:2008-108-01) NASL family Scientific Linux Local Security Checks NASL id SL_20080416_SEAMONKEY_ON_SL3_X.NASL description A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1380) last seen 2020-06-01 modified 2020-06-02 plugin id 60385 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60385 title Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-602-1.NASL description Flaws were discovered in Firefox which could lead to crashes during JavaScript garbage collection. If a user were tricked into opening a malicious web page, an attacker may be able to crash the browser or possibly execute arbitrary code with the user last seen 2020-06-01 modified 2020-06-02 plugin id 32053 published 2008-04-25 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32053 title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : firefox vulnerabilities (USN-602-1) NASL family SuSE Local Security Checks NASL id SUSE_MOZILLAFIREFOX-5218.NASL description This update brings Mozilla Firefox to security update version 2.0.0.14 - Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced frequent crashes during JavaScript garbage collection. These crashes may be exploitable if someone finds a reliable way to trigger the crash. (MFSA 2008-20 / CVE-2008-1380) last seen 2020-06-01 modified 2020-06-02 plugin id 32113 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32113 title SuSE 10 Security Update : MozillaFirefox (ZYPP Patch Number 5218) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0223.NASL description Updated SeaMonkey packages that fix a security issues are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, and Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-1380) All SeaMonkey users should upgrade to these updated packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31999 published 2008-04-22 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31999 title CentOS 3 / 4 : firefox / seamonkey (CESA-2008:0223) NASL family Windows NASL id MOZILLA_FIREFOX_20014.NASL description The installed version of Firefox contains a stability problem that could result in a crash during JavaScript garbage collection. Although there are no examples of this extending beyond a crash, similar issues in the past have been shown to allow arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 31864 published 2008-04-17 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31864 title Firefox < 2.0.0.14 Javascript Garbage Collector DoS NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0222.NASL description Updated firefox packages that fix a security bug are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 31986 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31986 title RHEL 4 / 5 : firefox (RHSA-2008:0222) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3231.NASL description Security update: fix memory corrupting crash and possibly code execution in JavaScript garbage collection (CVE-2008-1380, #440518). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32039 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32039 title Fedora 7 : seamonkey-1.1.9-2.fc7 (2008-3231) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_67BD39BA12B511DDBAB70016179B2DD5.NASL description Mozilla Foundation reports : Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past. last seen 2020-06-01 modified 2020-06-02 plugin id 32064 published 2008-04-28 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32064 title FreeBSD : firefox -- javascript garbage collector vulnerability (67bd39ba-12b5-11dd-bab7-0016179b2dd5) NASL family SuSE Local Security Checks NASL id SUSE_EPIPHANY-5293.NASL description mozilla-xulrunner181 was updated to version 1.8.1.14, fixing various bugs including 1 security bug : + MFSA 2008-20/CVE-2008-1380: Crash in JavaScript garbage collector last seen 2020-06-01 modified 2020-06-02 plugin id 33121 published 2008-06-09 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33121 title openSUSE 10 Security Update : epiphany (epiphany-5293) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1555.NASL description It was discovered that crashes in the JavaScript engine of Iceweasel, an unbranded version of the Firefox browser, could potentially lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 32035 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32035 title Debian DSA-1555-1 : iceweasel - programming error NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1562.NASL description It was discovered that crashes in the JavaScript engine of Iceape, an unbranded version of the SeaMonkey internet suite could potentially lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 32086 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32086 title Debian DSA-1562-1 : iceape - programming error NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2008-191-03.NASL description New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33466 published 2008-07-10 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33466 title Slackware 11.0 / 12.0 / 12.1 / current : seamonkey (SSA:2008-191-03) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3249.NASL description Mozilla Firefox is an open source Web browser. A flaw was found in the processing of malformed JavaScript content. A web page containing such malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-1380) All Firefox users should upgrade to these updated packages, which contain backported patches that correct these issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32040 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32040 title Fedora 7 : Miro-1.2-2.fc7 / chmsee-1.0.0-2.30.fc7 / devhelp-0.13-16.fc7 / epiphany-2.18.3-9.fc7 / etc (2008-3249)
Oval
accepted | 2013-04-29T04:08:22.944-04:00 | ||||||||||||||||||||||||||||||||
class | vulnerability | ||||||||||||||||||||||||||||||||
contributors |
| ||||||||||||||||||||||||||||||||
definition_extensions |
| ||||||||||||||||||||||||||||||||
description | The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237. | ||||||||||||||||||||||||||||||||
family | unix | ||||||||||||||||||||||||||||||||
id | oval:org.mitre.oval:def:10752 | ||||||||||||||||||||||||||||||||
status | accepted | ||||||||||||||||||||||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||||||||||
title | The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237. | ||||||||||||||||||||||||||||||||
version | 27 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 28818 CVE(CAN) ID: CVE-2008-1380 Firefox是一款开放源码的WEB浏览器。 Firefox所使用的JavaScript引擎在执行JavaScript垃圾收集期间可能会触发内存破坏,如果用户受骗访问了带有恶意JavaScript的网页的话就可以触发这个漏洞,但该漏洞无法被可靠的利用,只能导致拒绝服务类的稳定性问题。由于代码共享的关系这个漏洞也影响SeaMonkey。 Mozilla Firefox <= 2.0.0.13 Mozilla Thunderbird <= 2.0.0.13 Mozilla SeaMonkey <= 1.1.9 Mozilla ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.mozilla.org/ target=_blank>http://www.mozilla.org/</a> RedHat ------ RedHat已经为此发布了安全公告(RHSA-2008:0222-02/RHSA-2008:0223-02)以及相应补丁: RHSA-2008:0222-02:Critical: firefox security update 链接:<a href=https://www.redhat.com/support/errata/RHSA-2008-0222.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0222.html</a> RHSA-2008:0223-02:Critical: seamonkey security update 链接:<a href=https://www.redhat.com/support/errata/RHSA-2008-0223.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0223.html</a> |
id | SSV:3190 |
last seen | 2017-11-19 |
modified | 2008-04-19 |
published | 2008-04-19 |
reporter | Root |
title | Mozilla Firefox JavaScript垃圾收集器内存破坏漏洞 |
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=425576
- http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
- http://www.securityfocus.com/bid/28818
- http://www.securitytracker.com/id?1019873
- http://secunia.com/advisories/29787
- http://secunia.com/advisories/29860
- http://www.redhat.com/support/errata/RHSA-2008-0222.html
- http://www.redhat.com/support/errata/RHSA-2008-0223.html
- http://www.kb.cert.org/vuls/id/441529
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00407.html
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00463.html
- http://secunia.com/advisories/29912
- http://secunia.com/advisories/29908
- http://www.debian.org/security/2008/dsa-1555
- http://www.debian.org/security/2008/dsa-1558
- http://www.debian.org/security/2008/dsa-1562
- http://www.redhat.com/support/errata/RHSA-2008-0224.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.391769
- http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
- http://www.ubuntu.com/usn/usn-602-1
- http://secunia.com/advisories/29883
- http://secunia.com/advisories/29911
- http://secunia.com/advisories/29947
- http://secunia.com/advisories/29793
- http://secunia.com/advisories/29828
- http://secunia.com/advisories/30012
- http://secunia.com/advisories/30029
- http://secunia.com/advisories/30327
- http://secunia.com/advisories/31377
- http://security.gentoo.org/glsa/glsa-200808-03.xml
- http://secunia.com/advisories/31023
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152
- http://secunia.com/advisories/30717
- http://www.novell.com/linux/security/advisories/2008_13_sr.html
- http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
- http://secunia.com/advisories/30192
- https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00058.html
- https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00074.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
- http://secunia.com/advisories/30620
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:110
- http://secunia.com/advisories/33434
- http://www.debian.org/security/2009/dsa-1696
- http://www.vupen.com/english/advisories/2008/1251/references
- http://www.vupen.com/english/advisories/2008/1793/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41857
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10752
- http://www.securityfocus.com/archive/1/491838/100/0/threaded