Closed Bug 1434580 Opened 6 years ago Closed 6 years ago

Testcase for bug 1423159 fails in different place on esr52

Categories

(Core :: DOM: Events, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 59+ fixed
firefox58 --- wontfix
firefox59 + fixed
firefox60 + fixed

People

(Reporter: smaug, Assigned: smaug)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main59+][adv-esr52.7+])

Attachments

(1 file)

nsCOMPtr<nsIContent> is enough to fix the issue, but ESM should be kept alive too.

The patch seems to apply to trunk and esr52
Assignee: nobody → bugs
Comment on attachment 8947067
esm_crash.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Crash isn't too hard, I guess

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
commit message could be
-m "Bug 1434580, ensure proper mouseover handling, r=masayuki"

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
the patch is actually written for esr52, but applies to trunk too

How likely is this patch to cause regressions; how much testing does it need?
Should be very safe. Just keeping objects alive a bit longer.
Attachment #8947067 - Flags: sec-approval?
Attachment #8947067 - Flags: review?(masayuki)
Attachment #8947067 - Flags: approval-mozilla-esr52?
Attachment #8947067 - Flags: approval-mozilla-beta?
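
The approval request above describes the fix as keeping objects alive a bit longer across event handling. The following is an added illustration of that general pattern, not code from the patch or from Mozilla: `std::shared_ptr` stands in for `nsCOMPtr`, and `Node`, `Manager` and the listener are hypothetical names.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Hypothetical stand-ins: Node for the content node, Manager for the ESM,
// std::shared_ptr for the nsCOMPtr/RefPtr strong reference.
struct Node { int hoverCount = 0; };
struct Manager { std::shared_ptr<Node> hovered; };  // sole owner of the node

struct Outcome { bool nodeAlive; bool managerAlive; };
using Listener = std::function<void()>;

// Before: only borrowed pointers are in scope while the listener runs.
Outcome dispatchBorrowed(std::shared_ptr<Manager>& owner, const Listener& listener) {
    std::weak_ptr<Manager> mgrWatch = owner;
    std::weak_ptr<Node> nodeWatch = owner->hovered;
    listener();  // re-entrant code may drop the last references
    // Touching the manager or node here would be the use-after-free, so the
    // example reports liveness instead of dereferencing anything.
    return { !nodeWatch.expired(), !mgrWatch.expired() };
}

// After: strong local references pin both objects until the function returns.
Outcome dispatchHeld(std::shared_ptr<Manager>& owner, const Listener& listener) {
    std::shared_ptr<Manager> keepMgr = owner;
    std::shared_ptr<Node> keepNode = keepMgr->hovered;
    std::weak_ptr<Manager> mgrWatch = keepMgr;
    std::weak_ptr<Node> nodeWatch = keepNode;
    listener();
    keepNode->hoverCount++;  // safe: keepNode still owns the node
    return { !nodeWatch.expired(), !mgrWatch.expired() };
}

// Constructed scenario: the listener releases the manager, which in turn
// releases the node it owns.
Outcome runScenario(bool holdStrongRefs) {
    auto owner = std::make_shared<Manager>();
    owner->hovered = std::make_shared<Node>();
    Listener dropEverything = [&owner] { owner.reset(); };
    return holdStrongRefs ? dispatchHeld(owner, dropEverything)
                          : dispatchBorrowed(owner, dropEverything);
}

int main() {
    Outcome before = runScenario(false), after = runScenario(true);
    std::printf("borrowed: node=%d manager=%d\n", before.nodeAlive, before.managerAlive);
    std::printf("held:     node=%d manager=%d\n", after.nodeAlive, after.managerAlive);
}
```
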
Attachment #8947067 - Flags: review?(masayuki) → review+
Comment on attachment 8947067
esm_crash.diff

sec-approval+ and beta+.
Attachment #8947067 - Flags: sec-approval?
Attachment #8947067 - Flags: sec-approval+
Attachment #8947067 - Flags: approval-mozilla-beta?
Attachment #8947067 - Flags: approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/bfd4bdfd40b4
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment on attachment 8947067
esm_crash.diff

sec-high fix being shipped in 59, ESR 52.7 needs it too
Attachment #8947067 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Ryan, given smaug's vacation this week, is it easy for you to try landing this on esr52? Previous comments seem to indicate it should apply cleanly.
Flags: needinfo?(ryanvm)
Yeah, I'll take care of landing it. ESR52's a bit busted at the moment, but it's on the radar :)
Flags: needinfo?(ryanvm)
Group: dom-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+][adv-esr52.7+]
Group: core-security-release