The line-breaking implementation in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 on Windows does not properly handle long strings, which allows remote attackers to execute arbitrary code via a crafted document.write call that triggers a buffer over-read.
lists.fedoraproject.org/pipermail/package-announce/2010-December/052502.html
lists.fedoraproject.org/pipermail/package-announce/2010-December/052504.html
lists.opensuse.org/opensuse-security-announce/2011-01/msg00002.html
osvdb.org/69771
secunia.com/advisories/42716
secunia.com/advisories/42818
www.debian.org/security/2010/dsa-2132
www.mandriva.com/security/advisories?name=MDVSA-2010:251
www.mandriva.com/security/advisories?name=MDVSA-2010:258
www.mozilla.org/security/announce/2010/mfsa2010-75.html
www.securityfocus.com/bid/45345
www.securitytracker.com/id?1024846
www.securitytracker.com/id?1024848
www.vupen.com/english/advisories/2011/0030
bugzilla.mozilla.org/show_bug.cgi?id=608336
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12342