Update: [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

Update:
-------
Patch was ineffective,  Length2 was fixed and both
SVGNumber and SVGNumber2, but no SVGLength.

Affected products :
- All firefox versions below 3.5





Replies to this exploit:

From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115


From: Neil Dickey neil@geol.niu.edu
Sent: Mon 13. Jul 2009 09:55
>Update:
>-------
>Patch was ineffective,  Length2 was fixed and both
>SVGNumber and SVGNumber2, but no SVGLength.
>
>Affected products :
>- All firefox versions below 3.5

If this bug includes version 3.5, there is a workaround:
Set your cache size to zero until an effective patch is
published.

When this bug kicked in on my copy of Ff3.5 I thought
the hard drive had blown a bearing from the noise it
made.  It hadnt ( whew ), and the workaround has
worked fine.

Best regards,

Neil Dickey, Ph.D.
email: neil@geol.niu.edu
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115