Description: Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 allows remote attackers to cause a denial of service (application crash or memory consumption) via a large binary file with a .html extension.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| firefox (PTS) | sid | 127.0-1 | vulnerable |

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs


This is not a real security issue; it just describes the fact that the Gecko
engine of the Mozillae may be led into a crash if you feed it with large chunks
of arbitrary binary data and label it as HTML. As the parsing garbage is displayed
during transfer, any user will cancel the transfer, and if you load it from the
hard disc, well, then you have "DoSed" yourself, congratulations.
It's reproducible with 1.0.2, but I doubt it will ever be "fixed", as HTML parsers
generally try to make sense of anything even remotely resembling HTML.
