I had a proof of concept exploit for this vulnerability a month ago, but it was lost due to HDD crash. bug 355478 have reminded me of it. TB22649748Q
Created attachment 241357 [details] testcase Salvaged proof of concept exploit. works on: Mozilla/5.0 (Windows; U; Win98; en-US; rv:220.127.116.11pre) Gecko/20061005 Firefox/18.104.22.168pre TB24181017Q Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20061005 BonEcho/2.0 TB24181079Q FIREFOX caused an exception 03H in module unknown at 0000:12030108 Registers: EAX=deadfeed CS=015f EIP=12030108 EFLGS=00000206 EBX=deadfeed SS=0167 ESP=00d8ec00 EBP=00d8ec20 ECX=deadfeed DS=0167 ESI=1203008c FS=1987 EDX=deadfeed ES=0167 EDI=12030084 GS=0000 Bytes at CS:EIP: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 Stack dump: 6013c26d 02adfc00 12030084 00000003 12030084 00000000 02adfc00 1203008c 00d8ec5c 60113000 02adfc00 12030084 00000003 00d8eca8 12030010 00d8ecc0
Marking this bug blocking; patch is in bug 355478. /be
Blocking for Fx2 RC3
Cover bug is fixed on the 1.8 branch. /be
Created attachment 241706 [details] e4x/Regress/regress-355569.js couldn't reproduce the crash, so verification will not have much meaning. shutdown, can you please test in trunk and 1.8 and marked verified? thanks.
no crash with 20061009 1.8 windows/linux/mac* 1.9 windows/linux on e4x/Regress/regress-355569.js, but since I couldn't initially reproduce am not verifying.
bug 355478 has been checked into the 1.8.0 branch
Not applicable to the aviary/moz1.7 branch
This has been assigned CVE-2006-5747
/cvsroot/mozilla/js/tests/e4x/Regress/regress-355569.js,v <-- regress-355569.js initial revision: 1.1