Bug#557752: webkit: CVE-2009-2953 high cpu consuption

Michael Gilbert michael.s.gilbert at gmail.com
Tue Nov 24 04:58:07 UTC 2009


Package: xulrunner
Version: 1.1.16-3
Severity: normal
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xulrunner.

CVE-2009-2953[0]:
| Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
| attackers to cause a denial of service (CPU consumption) via
| JavaScript code with a long string value for the hash property (aka
| location.hash), a related issue to CVE-2008-5715.

I've tested this on webkit, and it does cause quite a bit of cpu
consumption for about a minute or so, but doesn't cause a crash or
anything bad.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2953
    http://security-tracker.debian.org/tracker/CVE-2009-2953





More information about the pkg-mozilla-maintainers mailing list