CVE-2008-0017

Name of the Vulnerable Software and Affected Versions Firefox versions 3.x before 3.0.4 Firefox versions 2.x before 2.0.0.18 SeaMonkey versions 1.x before 1.1.13

Description The issue is related to the http-index-format MIME type parser (nsDirIndexParser) in Firefox and SeaMonkey, which does not check for an allocation failure. This allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP index response with a crafted 200 header, triggering memory corruption and a buffer overflow. Multiple vulnerabilities in various Debian GNU/Linux packages, including libxul0d-dbg, libxul-dev, libsmjs1, libmozjs0d-dbg, libmozjs0d, libxul0d, libnss3-0d-dbg, libsmjs-dev, libnss3-0d, and libxul-common, can lead to disruption of confidentiality, integrity, and availability of protected information, and can be exploited remotely.

Recommendations For Firefox versions 3.x before 3.0.4, update to version 3.0.4 or later. For Firefox versions 2.x before 2.0.0.18, update to version 2.0.0.18 or later. For SeaMonkey versions 1.x before 1.1.13, update to version 1.1.13 or later. As a temporary workaround, consider disabling the nsDirIndexParser function until a patch is available. Restrict access to the vulnerable HTTP index response to minimize the risk of exploitation. Avoid using the crafted 200 header in the affected HTTP index response until the issue is resolved.