Closed
Bug 762920
Opened 12 years ago
Closed 12 years ago
Bug 754202 regressed IsCapabilityEnabled
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox15 | --- | unaffected |
| firefox16 | + | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: moz_bug_r_a4, Assigned: bholley)
References
Details
(Keywords: regression, sec-critical, testcase, Whiteboard: [advisory-tracking-] new in Fx 16)
When there is no frame, the result of IsCapabilityEnabled is always true. This is not good since event listeners can be called with no frame.
|
Reporter | |
Comment 1•12 years ago
|
||
This uses bug 344495's trick. This works on trunk.
|
||
Comment 3•12 years ago
|
||
mmmm... did we have no tests for this?
|
||
Comment 4•12 years ago
|
||
Hmm, the testcase doesn't work for me on trunk...
|
Assignee | |
Comment 5•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #3) > mmmm... did we have no tests for this? That used moz_bug_r_a4's stack frame trick? I wasn't sure those were ever checked in.
|
||
Comment 6•12 years ago
|
||
We don't want to check in tests demonstrating the exploit, but often the specific problem can be demonstrated without using that trick (sometimes requires a chrome testcase to show the wrong thing is getting used/returned in places).
Blocks: 754202
|
|
||
Updated•12 years ago
|
Severity: normal → blocker
status-firefox-esr10:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → affected
tracking-firefox16:
--- → +
|
|
||
Updated•12 years ago
|
Blocks: CVE-2012-1967
|
|
||
Comment 7•12 years ago
|
||
This should be fixed by the backout in bug 754202 comment 41 right? I don't think it makes sense to leave open in case we reland it, but of course we should test it again.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: new in Fx 16
|
||
Comment 8•12 years ago
|
||
I can't get this testcase to do anything on pre-fix trunk builds. The only thing I see that is different pre and post fix on my mozilla central builds is that pre-fix has the following in the webconsole: [12:02:01.330] Error: Permission denied for <https://bug762920.bugzilla.mozilla.org> to get property XPCComponents.utils I see the same whether I load it locally or from bugzilla, as in above. Do we have something that repros that issue?
|
|
Assignee | |
Comment 9•12 years ago
|
||
There should be a specific window, between when bug 754202 landed and when it was backed out, where you should get an alert popup (indicating that the exploit was successful).
|
|
||
Comment 10•12 years ago
|
||
Yeah, I thought I had it. I'll keep digging.
|
|
||
Comment 11•12 years ago
|
||
All right. I was a day off last time. Bug repro's in 6/9 Mozilla Central build and was fixed after back out off bug 754202.
Status: RESOLVED → VERIFIED
|
|
||
Comment 12•12 years ago
|
||
bug 754202 has relanded so it'd be safest to reverify this bug.
Status: VERIFIED → RESOLVED
Closed: 12 years ago → 12 years ago
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Whiteboard: new in Fx 16 → [advisory-tracking+] new in Fx 16
|
|
||
Updated•12 years ago
|
Whiteboard: [advisory-tracking+] new in Fx 16 → [advisory-tracking-] new in Fx 16
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•