Closed Bug 1167888 (CVE-2015-2736) Opened 5 years ago Closed 5 years ago
ZipArchive::BuildFileList has memory-safety bug
Component: Untriaged → Networking: JAR
Product: Firefox → Core
Comment on attachment 8610176 [details] [diff] [review] zip2.patch
This needs to land very late in a cycle :/
Attachment #8610176 - Flags: review?(bugs) → review+
Comment on attachment 8610176 [details] [diff] [review] zip2.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
A malformed zip file can cause this issue.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes.
Which older supported branches are affected by this flaw?
This code landed in 2009. All the branches are affected.
If not all supported branches, which bug introduced the flaw?
bug 511754
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
It's easy to create a backport patch. And it's not risky at all.
How likely is this patch to cause regressions; how much testing does it need?
No regressions.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 8610176 [details] [diff] [review] zip2.patch
This patch (especially combined with the other similar one) draws attention to overflow math in this file so we need to fix the similar problems a few lines down while we're here. (namelen is sanity checked, but extralen and commentlen aren't, and addition of small values could overflow anyway under the right circumstances). One possible check would be to compare (endp - buf) to the sizes.
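The reviewer's point above is the general one about length arithmetic in a central-directory walker: checking "current position + sum of lengths <= end" can wrap, while checking each length against the bytes that remain cannot. The following is an added illustration written for this page, not code from nsZipArchive or the patch; it models positions as 32-bit offsets (standing in for pointers on a 32-bit build) and uses a hypothetical `cdir_entry` with the three length fields the comment names.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical record lengths for illustration only (not the nsZipArchive layout). */
struct cdir_entry {
    uint32_t namelen, extralen, commentlen;
};

/* Weak pattern: "offset + lengths <= size". With a buffer near the top of a
 * 32-bit address space the addition wraps, so an oversized record passes.
 * Unsigned wrap is well defined in C, which is why offsets are used here
 * instead of raw pointers (pointer overflow would be undefined behaviour). */
static bool entry_fits_weak(uint32_t off, uint32_t size, const struct cdir_entry *e)
{
    uint32_t end = off + e->namelen + e->extralen + e->commentlen; /* may wrap */
    return end <= size;
}

/* Hardened form along the lines suggested in the review: compare each length
 * against what remains (size - off). Because off <= size is verified first and
 * the remainder only ever shrinks, no step of this can overflow. */
static bool entry_fits_safe(uint32_t off, uint32_t size, const struct cdir_entry *e)
{
    if (off > size)
        return false;
    uint32_t remaining = size - off;
    if (e->namelen > remaining)
        return false;
    remaining -= e->namelen;
    if (e->extralen > remaining)
        return false;
    remaining -= e->extralen;
    return e->commentlen <= remaining;
}

/* Advance past one record only when it fits; on failure the offset is unchanged
 * so the caller can stop parsing instead of reading past the buffer. */
static bool advance_entry(uint32_t *off, uint32_t size, const struct cdir_entry *e)
{
    if (!entry_fits_safe(*off, size, e))
        return false;
    *off += e->namelen + e->extralen + e->commentlen;
    return true;
}
```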
I guess we can combine this patch with the other one. I asked for a review of the other patch, and in that patch I fix what you suggest here.
dveditz, when can we land these 2 patches?
Comment on attachment 8610176 [details] [diff] [review] zip2.patch
a=dveditz and sec-approval for all the branches, to land on June 4
Attachment #8610176 - Flags: sec-approval-
Attachment #8610176 - Flags: sec-approval+
Attachment #8610176 - Flags: review-
Attachment #8610176 - Flags: approval-mozilla-esr38+
Attachment #8610176 - Flags: approval-mozilla-esr31+
Attachment #8610176 - Flags: approval-mozilla-beta+
Attachment #8610176 - Flags: approval-mozilla-aurora+
Whiteboard: [wait until June 4 to land] → [checkin on 6/4]
https://hg.mozilla.org/releases/mozilla-esr38/rev/fcb018657fb6
https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/f2157a04d75b
https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/25ae62aef2c1
https://hg.mozilla.org/releases/mozilla-b2g34_v2_1s/rev/25ae62aef2c1
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/5e363e84b661
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0m/rev/5e363e84b661
https://hg.mozilla.org/releases/mozilla-esr31/rev/917d8e07d42b
Andrea, is manual verification needed for this fix? If yes, could you provide us with some testing details?
I don't think this can be tested manually.
(In reply to Andrea Marchesini (:baku) from comment #16)
> I don't think this can be tested manually.
Thank you Andrea! Setting as qe-verify- then.