Closed Bug 1125483 Opened 10 years ago Closed 10 years ago

Arbitrary code execution using bug 1120261 and bug 1110614

Categories

(Core :: XPConnect, defect)

31 Branch
x86
Windows 7
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla35
Tracking Status
firefox35 --- fixed
firefox-esr31 --- fixed
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Details

(Keywords: reporter-external, sec-high, verifyme, Whiteboard: [b2g-adv-main2.2-])

I'm filing this bug to attach a testcase that is a combination of bug 1120261 and bug 1110614. The reason the remote code execution PoC in bug 1120261 does not work on 31.4.0esr is that bug 1092388 is fixed on 31.4.0esr, so the remote code execution PoC can work on 31.4.0esr by using bug 1110614 instead of bug 1092388.
This works on 31.4.0esr.
Flags: sec-bounty?
Keywords: sec-high
This is great, and will be very helpful for QA - thanks moz_bug_r_a4. Al, this isn't a new bug - it's just a more useful testcase for esr31 for the bugs we have on file already. Either bug 1125015 or bug 1110614 should fix this (and we plan to land both).
Depends on: 1125015, 1110614
Flags: sec-bounty? → sec-bounty-
We'll consider some bounty here based on the work when the committee meets. We do appreciate the continued attention on these issues.
Flags: sec-bounty- → sec-bounty?
Group: dom-core-security
Bobby, I can close this, right?
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Bobby, I can close this, right?

Yep. We should definitely verify it though.
Flags: needinfo?(bobbyholley)
Keywords: verifyme
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Component: Security → XPConnect
Flags: sec-bounty? → sec-bounty+
Group: dom-core-security
Target Milestone: --- → mozilla35
Whiteboard: [b2g-adv-main2.2?]
Ryan, this bug has status-b2g-v2.2 fixed despite both dependencies having status-b2g-v2.2 unaffected. Could you shed some light on this?
Flags: needinfo?(ryanvm)
Whiteboard: [b2g-adv-main2.2?] → [b2g-adv-main2.2-]
Flags: needinfo?(ryanvm)
Group: core-security → core-security-release
Group: core-security-release