CVE-2008-2785

Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349.

🔗 References (120)

• cve@mitrehttp://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/
• cve@mitrehttp://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
• cve@mitrehttp://rhn.redhat.com/errata/RHSA-2008-0616.html
• cve@mitrehttp://secunia.com/advisories/30761
• cve@mitrehttp://secunia.com/advisories/31121
• cve@mitrehttp://secunia.com/advisories/31122
• cve@mitrehttp://secunia.com/advisories/31129
• cve@mitrehttp://secunia.com/advisories/31144
• cve@mitrehttp://secunia.com/advisories/31145
• cve@mitrehttp://secunia.com/advisories/31154
• cve@mitrehttp://secunia.com/advisories/31157
• cve@mitrehttp://secunia.com/advisories/31176
• cve@mitrehttp://secunia.com/advisories/31183
• cve@mitrehttp://secunia.com/advisories/31195
• cve@mitrehttp://secunia.com/advisories/31220