copy SVGSVGElement.currentTranslate if we insert it into an SVGPointList

RESOLVED FIXED in Firefox 32, Firefox OS v2.0

Status

Core
SVG
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: heycam, Assigned: heycam)

Tracking

({sec-other})

Trunk
mozilla34
sec-other
Points:
---
Bug Flags:
in-testsuite +
qe-verify -

Firefox Tracking Flags

(firefox31 wontfix, firefox32 fixed, firefox33 fixed, firefox34 fixed, firefox-esr24 unaffected, firefox-esr31 fixed, b2g-v1.3 unaffected, b2g-v1.3T unaffected, b2g-v1.4 unaffected, b2g-v2.0 fixed, b2g-v2.1 fixed)

Details

(Whiteboard: [adv-main32-][adv-esr32-] hidden while bug 1018524 is)

Attachments

(2 attachments)

(Assignee)

Description

4 years ago
Created attachment 8458436 [details] [diff] [review]
patch

While looking at bug 1018524 I noticed that we also don't make a copy of SVGSVGElement.currentTranslate, an SVGPoint, if we try to insert it into a list. I don't think this results in anything harmful (we don't have a tearoff table for SVGPoints) other than an odd coupling of currentTranslate and, say, a <polyline points=""> attribute, but I'm hiding this bug while bug 1018524 is still hidden.

I've changed Clone to Copy, to match the naming on SVGLengthList, and changed it to always return an SVGDOMPoint as it looks like the return-the-same-concrete-class behaviour isn't being relied upon.
Attachment #8458436 - Flags: review?(longsonr)
Attachment #8458436 - Flags: review?(longsonr) → review+
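An added example (not the patch or the test attachment from this bug) of the regression check the description implies: after appending SVGSVGElement.currentTranslate to a polyline's SVGPointList, mutating the list item must not move the document's pan offset. `checkCurrentTranslateIsolation` works on real `svg`/`polyline` elements in a browser; `Point`, `PointList` and `makeFixture` are constructed stand-ins (not the real SVG DOM) that model insertion with and without the copy so the check also runs offline.

```javascript
// Returns { sameObject, aliased }: sameObject is true when the list handed
// back the very object passed in, aliased is true when changing the list
// item also changed svg.currentTranslate (the coupling this bug describes).
// Restores currentTranslate afterwards so a real document is left unchanged.
function checkCurrentTranslateIsolation(svg, polyline) {
  const pan = svg.currentTranslate;
  const before = { x: pan.x, y: pan.y };
  const item = polyline.points.appendItem(pan);
  const sameObject = (item === pan);
  item.x += 100;                         // mutate only the list item
  const aliased = (pan.x !== before.x);  // did the pan offset move too?
  pan.x = before.x;                      // undo any side effect on the pan
  pan.y = before.y;
  return { sameObject, aliased };
}

// Constructed stand-ins modelling an SVGPoint and an SVGPointList whose
// appendItem either stores a copy (fixed behaviour) or the reference (bug).
class Point {
  constructor(x, y) { this.x = x; this.y = y; }
}
class PointList {
  constructor(copyOnInsert) { this.items = []; this.copyOnInsert = copyOnInsert; }
  appendItem(p) {
    const stored = this.copyOnInsert ? new Point(p.x, p.y) : p;
    this.items.push(stored);
    return stored;
  }
  get numberOfItems() { return this.items.length; }
}
// Builds a minimal svg/polyline pair around the chosen list behaviour.
function makeFixture(copyOnInsert) {
  return {
    svg: { currentTranslate: new Point(0, 0) },
    polyline: { points: new PointList(copyOnInsert) },
  };
}

// Offline demonstration of both behaviours; in a browser, call
// checkCurrentTranslateIsolation(document.querySelector('svg'),
//                                document.querySelector('polyline')) instead.
const buggy = makeFixture(false);
const fixed = makeFixture(true);
console.log('without copy:', checkCurrentTranslateIsolation(buggy.svg, buggy.polyline));
console.log('with copy:   ', checkCurrentTranslateIsolation(fixed.svg, fixed.polyline));
```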
(Assignee)

Comment 1

4 years ago
Created attachment 8459098 [details] [diff] [review]
test

Meant to include this test too.
(Assignee)

Updated

4 years ago
Attachment #8459098 - Flags: review?(longsonr)
Attachment #8459098 - Flags: review?(longsonr) → review+
Keywords: sec-other
Whiteboard: hidden while bug 1018524 is
Landed at longsonr's request in bug 1018524. Should we backport this to the release branches as well or is it OK landing on trunk only?

https://hg.mozilla.org/integration/mozilla-inbound/rev/b4d871044fe8
Flags: needinfo?(longsonr)
Flags: in-testsuite+
It wants landing everywhere we land bug 1018524; it's potentially a similar hole. Although we've no known exploit, if you know about one (and everyone does now) you just might be able to use that knowledge here.
Flags: needinfo?(longsonr)
Comment on attachment 8458436 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: bug 886416 (31+)
[User impact if declined]: see comment 3
[Describe test coverage new/current, TBPL]: includes a test
[Risks and why]: low
[String/UUID change made/needed]: none
Attachment #8458436 - Flags: approval-mozilla-esr31?
Attachment #8458436 - Flags: approval-mozilla-beta?
Attachment #8458436 - Flags: approval-mozilla-aurora?
Given that this is rated sec-other, let's let this land on m-c before uplift.
https://hg.mozilla.org/mozilla-central/rev/b4d871044fe8
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
status-firefox34: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
status-firefox31: --- → wontfix
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox-esr31: --- → affected
Attachment #8458436 - Flags: approval-mozilla-esr31?
Attachment #8458436 - Flags: approval-mozilla-esr31+
Attachment #8458436 - Flags: approval-mozilla-beta?
Attachment #8458436 - Flags: approval-mozilla-beta+
Attachment #8458436 - Flags: approval-mozilla-aurora?
Attachment #8458436 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/4c6fff1b1200
https://hg.mozilla.org/releases/mozilla-beta/rev/4da65dc7d057
https://hg.mozilla.org/releases/mozilla-esr31/rev/e52d2055fbb2
status-b2g-v1.3: --- → unaffected
status-b2g-v1.3T: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → affected
status-b2g-v2.1: --- → fixed
status-firefox32: affected → fixed
status-firefox33: affected → fixed
status-firefox-esr24: --- → unaffected
status-firefox-esr31: affected → fixed
There's no PoC code or an exploitable bug that can be used for testing and verification. If there's something QE can do to test/verify this issue, please let us know and needinfo! Marking this as qe-verify- for the time being. (Also, as per comment #3, we currently don't have a known exploit.)
Flags: qe-verify-
Whiteboard: hidden while bug 1018524 is → [adv-main32-][adv-esr32-] hidden while bug 1018524 is

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release