Several security issues Fixed in Firefox 3.5.2
MFSA 2009-46 Chrome privilege escalation due to incorrectly cached wrapper
MFSA 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
Images with ICC profiles now render properly on all monitors.
71 bugs found.
| ID | Sev | Pri | OS | Assignee | Status | Resolution | Summary |
|---|---|---|---|---|---|---|---|
| 479667 | enh | -- | Wind | benjamin@smedbergs.us | RESO | FIXE | Firefox should use SetProcessDEPPolicy to enable NX on XP SP3 |
| 501657 | nor | -- | Linu | benjamin@smedbergs.us | RESO | FIXE | xulrunner-1.9.1 will fail to build if system ply <2.5 is found |
| 503886 | nor | -- | All | bugzilla@standard8.plus.com | RESO | FIXE | Allow non-mozilla central applications to use automation-build.mk |
| 495798 | nor | -- | Wind | bzbarsky@mit.edu | RESO | FIXE | background-color:transparent on button not honored in high contrast mode |
| 504032 | nor | -- | Mac | bzbarsky@mit.edu | RESO | FIXE | [FIX]Cloning media lists needs to copy mIsEmpty |
| 500254 | blo | -- | Mac | chris.double@double.co.nz | RESO | FIXE | Crash in vorbis_book_decodevv_add at vorbis_codebook.c:483 |
| 500978 | nor | -- | All | dao@mozilla.com | RESO | FIXE | Download Manager treats search terms as regular expressions |
| 495224 | min | -- | All | dtownsend@mozilla.com | RESO | FIXE | Builds involving symlinks in the source dir fail to find config/config.mk |
| 504706 | nor | -- | Mac | dvander@alliedmods.net | RESO | FIXE | bug 502604 fix had bumpy landing on 1.9.1 |
| 493440 | tri | -- | All | ehsan.akhgari@gmail.com | RESO | FIXE | URI elements in the Properties dialog should always be LTR |
| 495495 | cri | -- | All | ehsan.akhgari@gmail.com | RESO | FIXE | Entering Private Browsing mode prohibits keyboard focus on URL location bar |
| 501596 | maj | -- | Wind | filmil@gmail.com | RESO | FIXE | Problem with Serbian localization when click on "check for updates" |
| 492200 | nor | -- | All | glennrp+bmo@gmail.com | RESO | FIXE | Upgrade libpng to 1.2.37 |
| 497355 | blo | -- | All | igor@mir2.org | RESO | FIXE | Assertion failure: STOBJ_GET_CLASS(obj) != &js_BlockClass, at /Users/moztest/comm/main/src/mozilla/js/src/jsscope.cpp:79 |
| 497363 | maj | -- | Wind | jmuizelaar@mozilla.com | RESO | FIXE | qcms renders wrong colors on some "good" monitors |
| 502574 | min | -- | All | john.p.baker@bristol.ac.uk | RESO | FIXE | Defunct loop in onTitleChanged |
| 502832 | nor | -- | All | jorendorff@mozilla.com | RESO | FIXE | TM: Crash [@ memcpy] |
| 502890 | nor | -- | All | jorendorff@mozilla.com | RESO | FIXE | Assigning to a called method on trace does not change the object's shape |
| 497172 | enh | -- | All | kaie@kuix.de | RESO | FIXE | Add default OCSP responder for globalsign |
| 497184 | nor | -- | All | kaie@kuix.de | RESO | FIXE | Add default OCSP responder for trustwave |
| 498500 | nor | -- | Mac | kairo@kairo.at | RESO | FIXE | Mac DMG unpackaging is unreliable |
| 493837 | nor | -- | All | l10n@mozilla.com | RESO | FIXE | JarMaker fails when using ../configure directly |
| 504043 | cri | -- | Sola | leon.sha@sun.com | RESO | FIXE | Firefox will crash on sparc platform when some website. |
| 505416 | nor | -- | Sola | leon.sha@sun.com | RESO | FIXE | http://www.usatoday.com/ crash on sparc. |
| 507963 | nor | -- | Linu | mak77@bonardo.net | RESO | FIXE | Intermittent failure of browser_privatebrowsing_findbar.js |
| 502273 | nor | -- | Wind | masayuki@d-toybox.com | RESO | FIXE | contentEditable is disabled if an attribute is removed from the node |
| 500931 | nor | -- | Wind | mrbkap@gmail.com | RESO | FIXE | xpcIJSWeakReference.get() unwraps XPCNativeWrapper |
| 501270 | nor | -- | Mac | mrbkap@gmail.com | RESO | FIXE | Assertion failure: !fp->fun || !(fp->fun->flags & JSFUN_HEAVYWEIGHT) || fp->callobj |
| 501577 | nor | -- | Linu | mrbkap@gmail.com | RESO | FIXE | Possible leak in nsXPCWrappedJS::GetNewOrUsed |
| 502449 | cri | -- | Mac | mrbkap@gmail.com | RESO | FIXE | Crash [@ __memcpy] |
| 503817 | cri | -- | All | mrbkap@gmail.com | RESO | FIXE | Assertion failure: original == thisv || original == OBJECT_TO_JSVAL(obj) |
| 502723 | nor | -- | Wind | nick.kreeger@park.edu | RESO | FIXE | updater checks the wrong MAX_PATH define |
| 496534 | nor | -- | All | nobody@mozilla.org | RESO | FIXE | [Packaged build+tests] mochitest-browser-chrome: browser_pluginnotification.js fails (and times out) |
| 499429 | nor | -- | All | nobody@mozilla.org | RESO | FIXE | [Packaged build+tests] mochitest-browser-chrome: "browser_tabs_owner.js | 4 tabs are open - Got 5, expected 4" |
| 495098 | cri | -- | All | Olli.Pettay@gmail.com | RESO | FIXE | Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ] |
| 496308 | cri | -- | Mac | Olli.Pettay@gmail.com | RESO | FIXE | Crash [@ nsDOMPopupBlockedEvent::GetRequestingWindow] |
| 500822 | nor | -- | All | paul@oshannessy.com | RESO | FIXE | Importing passwords to mozstorage can fail when signons3.txt is corrupted. |
| 498897 | maj | -- | Wind | peterv@propagandism.org | RESO | FIXE | Web code gets "permission denied" error if a content policy is present |
| 499770 | nor | -- | All | robert.bugzilla@gmail.com | RESO | FIXE | um.activeUpdate is null in onStopRequest for some edgecases |
| 503468 | nor | -- | All | roc@ocallahan.org | RESO | FIXE | canPlayType should return "", not "no" |
| 453689 | nor | -- | Linu | stransky@redhat.com | RESO | FIXE | Firefox needs to register the proper name with session management for restart |
| 491910 | nor | -- | All | ted.mielczarek@gmail.com | RESO | FIXE | [Packaged build+tests] mochitest-plain: "test_bug391728.html | Test plugin was not found" |
| 472097 | nor | -- | Wind | timeless@bemail.org | RESO | FIXE | xul!nsMemoryImpl::IsLowMemory is broken on systems w/ lots of vm |
| 488210 | cri | -- | Mac | tnikkel@gmail.com | RESO | FIXE | "ASSERTION: Going to destroy a frame we didn't remove. Prepare to crash" with XUL listbox |
| 504275 | nor | -- | Linu | ventnor.bugzilla@gmail.com | RESO | FIXE | Bookmark favicon images with menus_have_icons=false |
| 504647 | nor | -- | All | wes@page.ca | RESO | FIXE | JITted regular expressions crash SPARC Nanojit |
| 496917 | blo | P1 | All | dtownsend@mozilla.com | RESO | FIXE | Can't include an arbitrary version name in the version field of the update xml |
| 501275 | maj | P1 | All | gal@uci.edu | RESO | FIXE | TM: Crash [@ nanojit::Assembler::nPatchBranch] |
| 501605 | cri | P1 | Wind | nelson@bolyard.me | RESO | FIXE | very slow startup for Firefox 3.5 due to accessing IE Internet Temporary Files and Windows Temp folder |
| 504456 | cri | P1 | All | nelson@bolyard.me | RESO | FIXE | Exploitable heap overflow in NSS shell expression (filename globbing) parsing |
| 492720 | nor | P2 | All | ginn.chen@sun.com | RESO | FIXE | libgjs failed to compile with jsopcode.h of Firefox 3.5 beta 4 |
| 451898 | nor | -- | All | bzbarsky@mit.edu | VERI | FIXE | URL spoofing bug involving Firefox's error pages and document.write |
| 495297 | nor | -- | All | catlee@mozilla.com | VERI | FIXE | Unnecessary relinking of libxul |
| 495058 | nor | -- | All | dao@mozilla.com | VERI | FIXE | Location bar emptyText not shown when deteaching blank tab or about:privatebrowsing into a new window |
| 496832 | nor | -- | All | dolske@mozilla.com | VERI | FIXE | Disable media entries in context menu when media source is invalid |
| 503750 | cri | -- | All | doug.turner@gmail.com | VERI | FIXE | Crash when parameters of navigator.geolocation.getCurrentPosition are null [@ nsGeolocationRequest::SendLocation(nsIDOMGeoPosition*) ] |
| 496287 | nor | -- | All | dtownsend@mozilla.com | VERI | FIXE | App update incompatible list should not warn about disabled/blocklisted items |
| 454047 | nor | -- | All | ehsan.akhgari@gmail.com | VERI | FIXE | Pop-up locationbar is editable after session restore |
| 501124 | cri | -- | Wind | gal@uci.edu | VERI | FIXE | Missing strtointeger path in js_StringToInt32 |
| 496097 | nor | -- | All | gijskruitbosch+bugs@gmail.com | VERI | FIXE | Handlers dialog list items have no accessible names. |
| 393832 | nor | -- | All | longsonr@gmail.com | VERI | FIXE | svg circle with infinite radius causes hang |
| 495184 | nor | -- | Linu | mozbugz@karlt.net | VERI | FIXE | current drag operation (dropEffect) is not updated while dragging outside the application |
| 497723 | nor | -- | Mac | mstange@themasta.com | VERI | FIXE | [Mac] Alltabs dropdown lacks scroll arrows |
| 478528 | nor | -- | All | Olli.Pettay@gmail.com | VERI | FIXE | mochitest-plain: test_bug419527.xhtml (and test_bug375314.html) intermittently leaks 300 kB, after using |document.addBinding()| |
| 490253 | nor | -- | All | robert.bugzilla@gmail.com | VERI | FIXE | TestAUSReadStrings.cpp: fix nits in result reports |
| 490258 | nor | -- | Wind | robert.bugzilla@gmail.com | VERI | FIXE | TestXREMakeCommandLineWin: fix nits in result reports |
| 503308 | nor | -- | Linu | robert.bugzilla@gmail.com | VERI | FIXE | Debug build failure in toolkit/mozapps/update/TestAUSReadStrings.cpp: undefined reference to `NS_DebugBreak' |
| 397185 | nor | -- | Wind | sgautherie.bz@free.fr | VERI | FIXE | test_textbox_number.xul fails when decimal separator set in Regional Settings is comma |
| 475383 | nor | -- | All | ted.mielczarek@gmail.com | VERI | FIXE | load plugins from $profile/plugins |
| 479995 | nor | P1 | Linu | mozbugz@karlt.net | VERI | FIXE | [linux] mozUserCancelled isn't implemented on gtk / pressing ESC while dragging a tab doesn't cancel the drag (bug 465608 isn't fixed) |
| 487567 | cri | P2 | OS/2 | mozilla@Weilbacher.org | VERI | FIXE | OS/2 cannot sign softokn3.dll after upgrade to nss-3.12.3 |