Closed
Bug 1040575
Opened 10 years ago
Closed 10 years ago
copy SVGSVGElement.currentTranslate if we insert it into an SVGPointList
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla34
| Tracking | Status | |
|---|---|---|
| firefox31 | --- | wontfix |
| firefox32 | --- | fixed |
| firefox33 | --- | fixed |
| firefox34 | --- | fixed |
| firefox-esr24 | --- | unaffected |
| firefox-esr31 | --- | fixed |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.3T | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | fixed |
| b2g-v2.1 | --- | fixed |
People
(Reporter: heycam, Assigned: heycam)
Details
(Keywords: sec-other, Whiteboard: [adv-main32-][adv-esr32-] hidden while bug 1018524 is)
Attachments
(2 files)
|
9.28 KB,
patch
|
longsonr
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
Sylvestre
:
approval-mozilla-esr31+
|
Details | Diff | Splinter Review |
|
4.12 KB,
patch
|
longsonr
:
review+
|
Details | Diff | Splinter Review |
While looking at bug 1018524 I noticed that we also don't make a copy of SVGSVGElement.currentTranslate, an SVGPoint, if we try to insert it into a list. I don't think this results in anything harmful (we don't have a tearoff table for SVGPoints) other than an odd coupling of currentTranslate and say a <polyline points=""> attribute, but I'm hiding this bug while bug 1018524 is still hidden. I've changed Clone to Copy, to match the naming on SVGLengthList, and changed it to always return an SVGDOMPoint as it looks like the return-the-same-concrete-class behaviour isn't being relied upon.
Attachment #8458436 -
Flags: review?(longsonr)
|
||
Updated•10 years ago
|
Attachment #8458436 -
Flags: review?(longsonr) → review+
|
Assignee | |
Comment 1•10 years ago
|
||
Meant to include this test too.
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8459098 -
Flags: review?(longsonr)
|
|
||
Updated•10 years ago
|
Attachment #8459098 -
Flags: review?(longsonr) → review+
|
||
Updated•10 years ago
|
Whiteboard: hidden while bug 1018524 is
|
||
Comment 2•10 years ago
|
||
Landed at longsonr's request in bug 1018524. Should we backport this to the release branches as well or is it OK landing on trunk only? https://hg.mozilla.org/integration/mozilla-inbound/rev/b4d871044fe8
Flags: needinfo?(longsonr)
Flags: in-testsuite+
|
|
||
Comment 3•10 years ago
|
||
It wants landing everywhere we land bug 1018524 it's potentially a similar hole although we've no known exploit so if you know about one (and everyone does now) you just might be able to use that knowledge here.
Flags: needinfo?(longsonr)
|
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8458436 [details] [diff] [review] patch Approval Request Comment [Feature/regressing bug #]: bug 886416 (31+) [User impact if declined]: see comment 3 [Describe test coverage new/current, TBPL]: includes a test [Risks and why]: low [String/UUID change made/needed]: none
Attachment #8458436 -
Flags: approval-mozilla-esr31?
Attachment #8458436 -
Flags: approval-mozilla-beta?
Attachment #8458436 -
Flags: approval-mozilla-aurora?
|
||
Comment 5•10 years ago
|
||
Given that this is rated sec-other, let's let this land on m-c before uplift.
https://hg.mozilla.org/mozilla-central/rev/b4d871044fe8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox34:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
|
||
Updated•10 years ago
|
status-firefox31:
--- → wontfix
status-firefox32:
--- → affected
status-firefox33:
--- → affected
status-firefox-esr31:
--- → affected
|
|
||
Updated•10 years ago
|
Attachment #8458436 -
Flags: approval-mozilla-esr31?
Attachment #8458436 -
Flags: approval-mozilla-esr31+
Attachment #8458436 -
Flags: approval-mozilla-beta?
Attachment #8458436 -
Flags: approval-mozilla-beta+
Attachment #8458436 -
Flags: approval-mozilla-aurora?
Attachment #8458436 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/4c6fff1b1200 https://hg.mozilla.org/releases/mozilla-beta/rev/4da65dc7d057 https://hg.mozilla.org/releases/mozilla-esr31/rev/e52d2055fbb2
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → affected
status-b2g-v2.1:
--- → fixed
status-firefox-esr24:
--- → unaffected
|
||
Comment 9•10 years ago
|
||
There's no poc code or an exploitable bug that can be used for testing and verification. If there's something QE can do to test/verify this issue, please let us know and needinfo! Marking this as qe-verify- for the time being. (also as per comment #3, we currently don't have a known exploit)
Flags: qe-verify-
|
||
Updated•10 years ago
|
Whiteboard: hidden while bug 1018524 is → [adv-main32-][adv-esr32-] hidden while bug 1018524 is
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•