[VIM] Red Hat dispute of Firefox IE-style script handler issue

Steven M. Christey coley at mitre.org
Thu Mar 23 21:17:56 EST 2006


Looks like CVE was the only RVI that decided to create something out
of a followup to the MSIE script handler problem that mentioned
Firefox, but word just came down from Red Hat that it looks like an
IE-specific component in Mozilla.  I don't have enough information to
concur with either party, although currently available information
suggests concurrence with the vendor.  If so, then I would merge with
IE's CVE-2006-1245.

- Steve


======================================================
Name: CVE-2006-1273
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1273
Reference: BUGTRAQ:20060317 Re: Re: Remote overflow in MSIE script action handlers (mshtml.dll)
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/427977/100/0/threaded
Reference: BUGTRAQ:20060318 Re: Re: Remote overflow in MSIE script action handlers (mshtml.dll)
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/428159/100/0/threaded

** DISPUTED **

Mozilla Firefox 1.0.7 and 1.5.0.1 allows remote attackers to cause a
denial of service (crash) via an HTML tag with a large number of
script action handlers such as onload and onmouseover, which triggers
the crash when the user views the page source.  NOTE: Red Hat has
disputed this issue, suggesting that "It is likely the reporter was
running the IE Tab extension," and Mozilla also confirmed that this is
not an issue in Firefox itself.



