Comment 2 for bug 11652

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 31 Dec 2004 15:31:32 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2004-1316: DOS due to Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp

Package: mozilla-browser
Version: 2:1.7.3-5
Severity: grave

Our mozilla is vulnerable to CAN-2004-1316:

  Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for
  Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service
  (application crash) via an NNTP URL (news:) with a trailing '\' (backslash)
  character, which prevents a string from being NULL terminated.

Apparently the hole can only be used to crash mozilla, not execute arbitrary
code. Details here.
http://marc.theaimsgroup.com/?l=bugtraq&m=110436284718949&w=2

-- 
see shy jo

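An added illustration of the bug class described in the report above, not code from Mozilla's nsNNTPProtocol.cpp or from the reporter: it models how an unescape loop that skips bytes after a backslash can step over the string terminator, next to a variant that rejects a truncated escape. The escape syntax (backslash followed by two hex digits) and all function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed escape syntax (not taken from the report): '\' + two hex digits. */
static int hex_val(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Models an unchecked scan: returns how many source bytes it consumes before
 * it sees a terminator. Capped at `cap` so the model stays inside buf. */
size_t naive_bytes_consumed(const char *buf, size_t cap) {
    size_t i = 0;
    while (i < cap) {
        char ch = buf[i++];
        if (ch == '\0') break;
        if (ch == '\\') i += 2;   /* skips two bytes without checking for '\0' */
    }
    return i < cap ? i : cap;
}

/* Checked variant: returns a malloc'd NUL-terminated string, or NULL on a
 * truncated or non-hex escape (including a trailing backslash). */
char *unescape_checked(const char *src) {
    size_t n = strlen(src);
    char *out = malloc(n + 1), *w = out;  /* output never exceeds input length */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (src[i] != '\\') { *w++ = src[i]; continue; }
        /* Both escape digits must lie before the terminator at src[n]. */
        int hi = (i + 2 < n) ? hex_val((unsigned char)src[i + 1]) : -1;
        int lo = (hi >= 0) ? hex_val((unsigned char)src[i + 2]) : -1;
        if (lo < 0) { free(out); return NULL; }
        *w++ = (char)(hi * 16 + lo);
        i += 2;
    }
    *w = '\0';
    return out;
}

int main(void) {
    char bad[8] = "ab\\";   /* constructed input: trailing backslash, zero padded */
    printf("naive consumed %zu of %zu bytes\n", naive_bytes_consumed(bad, sizeof bad), strlen(bad) + 1);
    printf("checked: %s\n", unescape_checked(bad) ? "decoded" : "rejected");
    return 0;
}
```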