CVE-2011-2986
Published: 18 August 2011
Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas.
Notes
Author | Note |
---|---|
jdstrand | Only Firefox/TBird 5 and Windows only |
Priority
Status
Package | Release | Status |
---|---|---|
firefox Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
lucid |
Ignored
|
|
maverick |
Ignored
|
|
natty |
Released
(6.0+build1+nobinonly-0ubuntu0.11.04.1)
|
|
upstream |
Released
(3.6.20, 6.0)
|
|
seamonkey Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
lucid |
Ignored
|
|
maverick |
Ignored
|
|
natty |
Ignored
|
|
upstream |
Needs triage
|
|
thunderbird Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
lucid |
Ignored
|
|
maverick |
Ignored
|
|
natty |
Ignored
|
|
upstream |
Released
(3.1.12)
|
|
xulrunner-1.9.2 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
lucid |
Ignored
|
|
maverick |
Ignored
|
|
natty |
Ignored
|
|
upstream |
Released
(1.9.2.20)
|
|
xulrunner-2.0 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Ignored
|
|
upstream |
Needs triage
|