CVE-2013-5596

NameCVE-2013-5596
DescriptionThe cycle collection (CC) implementation in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 does not properly determine the thread for release of an image object, which allows remote attackers to execute arbitrary code or cause a denial of service (race condition and application crash) via a large HTML document containing IMG elements, as demonstrated by the Never-Ending Reddit on reddit.com.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icedove (PTS)jessie1:52.3.0-4~deb8u2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
iceapesource(unstable)(not affected)
icedovesource(unstable)(not affected)
iceweaselsource(unstable)24.1.0esr-1medium
iceweaselsourcesqueeze(unfixed)end-of-life
iceweaselsourcewheezy(not affected)

Notes

[wheezy] - iceweasel <not-affected> (Only affects Firefox > 17)
- icedove <not-affected> (Only affects Firefox > 17)
- iceape <not-affected> (Only affects Firefox > 17)

Search for package or bug name: Reporting problems