Closed
Bug 1035007
Opened 10 years ago
Closed 10 years ago
nsStandardURL::SetHost called net_ToLowerCase with a bogus pointer, #4
Categories
(Core :: Networking, defect)
Tracking
()
VERIFIED
FIXED
mozilla34
People
(Reporter: jruderman, Assigned: valentin)
References
(Blocks 1 open bug)
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [adv-main32+][adv-esr31.1+])
Attachments
(4 files)
178 bytes,
text/html
|
Details | |
9.14 KB,
text/plain
|
Details | |
1.60 KB,
patch
|
mcmanus
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
Sylvestre
:
approval-mozilla-esr31+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
997 bytes,
patch
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Updated•10 years ago
|
Group: core-security
Assignee | ||
Comment 2•10 years ago
|
||
I'll take this.
It seems the problem comes up when setting a path containing a colon on a URL with no hostname.
Assignee: nobody → valentin.gosu
Updated•10 years ago
|
status-firefox30:
--- → ?
status-firefox31:
--- → ?
status-firefox32:
--- → ?
status-firefox33:
--- → affected
status-firefox-esr24:
--- → ?
tracking-firefox33:
--- → +
Assignee | ||
Comment 3•10 years ago
|
||
It seems this crash is somewhat my fault (Bug 991471, changeset 178001:8e20983ae82d).
Note that while this patch does fix the crash, the behaviour we get in the end isn't exactly correct. For example:
var url = new URL("e:");
url.pathname = "";
url.protocol = "https:"; // We now have a url with no host
url.pathname = "1:\\2";
// this calls SetSpec with the pathname appended at the end
// SetSpec fails, because there is no hostname
// When it fails, all of the fields are cleared, so we now have an empty url
url.host = "mozilla.org";
// This doesn't crash anymore, but the url is "mozilla.org" instead of "https://mozilla.org"
Bug 1009648 would somewhat fix this issue by reverting the url in case SetSpec fails. I was reluctant to push the patch until we fixed all of the ways the url could get to an "unparsable" state, because those would easily lead to a recursive loop & stack overflow.
Attachment #8454175 -
Flags: review?(mcmanus)
Updated•10 years ago
|
Group: network-core-security
Comment 4•10 years ago
|
||
Comment on attachment 8454175 [details] [diff] [review]
url_sethost.patch
Review of attachment 8454175 [details] [diff] [review]:
-----------------------------------------------------------------
this seems like a reasonable workaround while we wait for 1009648
Attachment #8454175 -
Flags: review?(mcmanus) → review+
Assignee | ||
Comment 5•10 years ago
|
||
Comment on attachment 8454175 [details] [diff] [review]
url_sethost.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
While the fix is pretty obvious, figuring out how to exploit it using content code would be quite difficult.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No. The crash depends on creating a URL with no host, and then doing something that clears the URL. There is nothing to suggest this in the patch.
Which older supported branches are affected by this flaw?
All branches which integrated Bug 991471 are affected by this. So firefox29 and later.
If not all supported branches, which bug introduced the flaw?
It was introduced by Bug 991471
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
How likely is this patch to cause regressions; how much testing does it need?
Unlikely. It deals with very specific edge cases which it fixes. Passes existing unit tests.
Attachment #8454175 -
Flags: sec-approval?
Comment 6•10 years ago
|
||
This is going to be delayed for checkin for a few weeks because we just made the Firefox 31 builds for release on this coming tuesday.
sec-approval+ for checkin on trunk after 8/5
Whiteboard: [checkin on 8/5]
Updated•10 years ago
|
Attachment #8454175 -
Flags: sec-approval? → sec-approval+
Updated•10 years ago
|
status-b2g-v1.3:
--- → affected
status-b2g-v1.3T:
--- → affected
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → affected
status-b2g-v2.1:
--- → affected
Updated•10 years ago
|
status-firefox34:
--- → affected
tracking-firefox34:
--- → +
Comment 7•10 years ago
|
||
Do we need this on ESR31 as well? It is a critical rated security bug.
status-firefox-esr31:
--- → affected
Assignee | ||
Updated•10 years ago
|
Flags: needinfo?(valentin.gosu)
Keywords: checkin-needed
Comment 9•10 years ago
|
||
You are going to need a try run linked in the bug to get checked in.
Whiteboard: [checkin on 8/5]
Assignee | ||
Comment 10•10 years ago
|
||
Sure thing. I think I did at some point, but I can't find it anymore :)
Thanks for the heads up.
Assignee | ||
Comment 11•10 years ago
|
||
Comment 12•10 years ago
|
||
Keywords: checkin-needed
Updated•10 years ago
|
tracking-firefox32:
--- → +
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Assignee | ||
Comment 14•10 years ago
|
||
Assignee | ||
Comment 15•10 years ago
|
||
Comment on attachment 8451391 [details]
testcase
Approval Request Comment
[Feature/regressing bug #]: Bug 991471
[User impact if declined]: Potential crash and security concerns
[Describe test coverage new/current, TBPL]: On m-c, all green on try, fixes attached test and testcase
[Risks and why]: Fixing this crash allows nsStandardURL to have slightly incorrect values at times. Also fixing Bug 1009648 would eliminate this concern.
[String/UUID change made/needed]: none
Attachment #8451391 -
Flags: approval-mozilla-beta?
Attachment #8451391 -
Flags: approval-mozilla-aurora?
Comment 16•10 years ago
|
||
Comment on attachment 8451391 [details]
testcase
Let's move the request over to the actual patch :-)
Attachment #8451391 -
Flags: approval-mozilla-beta?
Attachment #8451391 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
Attachment #8454175 -
Flags: approval-mozilla-esr31?
Attachment #8454175 -
Flags: approval-mozilla-beta?
Attachment #8454175 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 17•10 years ago
|
||
Oops. Thanks Ryan!
Updated•10 years ago
|
Attachment #8454175 -
Flags: approval-mozilla-esr31?
Attachment #8454175 -
Flags: approval-mozilla-esr31+
Attachment #8454175 -
Flags: approval-mozilla-beta?
Attachment #8454175 -
Flags: approval-mozilla-beta+
Attachment #8454175 -
Flags: approval-mozilla-aurora?
Attachment #8454175 -
Flags: approval-mozilla-aurora+
Comment 18•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/9306dcf4eb39
https://hg.mozilla.org/releases/mozilla-beta/rev/e6cee3b7907e
https://hg.mozilla.org/releases/mozilla-esr31/rev/ebefe851e8a1
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/bef95cbe17be
https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/17060408fc3f
Comment 19•10 years ago
|
||
Updated•10 years ago
|
tracking-firefox-esr31:
--- → 32+
Updated•10 years ago
|
Whiteboard: [adv-main32+][adv-esr31.1+]
Comment 20•10 years ago
|
||
Confirmed crash on Fx33, 2014-07-02.
Verified fixed in Fx32, Fx33 and Fx34, 2014-08-22.
Verified fixed in Fx31.1.0esr, release.
Status: RESOLVED → VERIFIED
Updated•10 years ago
|
Group: network-core-security
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•