Closed
Bug 1242322
(CVE-2016-1969)
Opened 9 years ago
Closed 9 years ago
Crash - Out of Bounds Write in Graphite setAttr Function
Categories
(Core :: Graphics: Text, defect)
People
(Reporter: temp66, Unassigned)
Details
(Keywords: csectype-bounds, reporter-external, sec-critical, Whiteboard: [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093)
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160106234723
Steps to reproduce:
Loaded a page that used a malicious/corrupt Graphite font file.
The ASAN build of Firefox 46.0a1, downloaded from https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/, was used.
Actual results:
The tab crashed with ASAN reporting an out of bounds write on the heap.
See the attached stack trace.
Expected results:
No crash.
Reporter
Comment 1•9 years ago
Reporter
Comment 2•9 years ago
Updated•9 years ago
Group: firefox-core-security → core-security
Updated•9 years ago
Component: Untriaged → Graphics
Product: Firefox → Core
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Component: Graphics → Graphics: Text
Updated•9 years ago
Keywords: csectype-bounds
Comment 3•9 years ago
Tyson was able to reproduce using ASAN. This testcase doesn't crash without ASAN but that doesn't mean there's not a problem.
Group: core-security → gfx-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-critical
Updated•9 years ago
status-firefox45: --- → ?
status-firefox46: --- → affected
status-firefox47: --- → affected
tracking-firefox46: --- → +
tracking-firefox47: --- → +
Comment 5•9 years ago
Jonathan (or anyone) can you also check to see if this also affects 45?
Flags: needinfo?(jfkthame)
Comment 6•9 years ago
Tyson, can you look into comment 5 for us, please?
Flags: needinfo?(jfkthame) → needinfo?(twsmith)
Comment 7•9 years ago
Martin, can you confirm if this one is fixed upstream? Which rev?
Comment 8•9 years ago
fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Flags: needinfo?(martin_hosken)
Comment 10•9 years ago
(In reply to martin_hosken from comment #8)
> fixed upstream in a8b3ac2aed0eb132cd80efe7de88f8153e73c829
For anybody who is curious, the full link seems to be:
https://github.com/silnrsi/graphite/commit/a8b3ac2aed0eb132cd80efe7de88f8153e73c829
Reporter
Comment 11•9 years ago
I was able to reproduce this on the 44.0.1 release asan build (found here: https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-release-linux64-asan/1455041027/firefox-44.0.1.en-US.linux-x86_64-asan.tar.bz2).
Comment 12•9 years ago
I believe this should be fixed in the latest inbound/aurora/beta builds. Could you confirm whether it can still be reproduced with any of these -- thanks.
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-linux64-asan/1455125082/
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1455106701/
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1455107601/
Comment 13•9 years ago
(In reply to Jonathan Kew (:jfkthame) from comment #12)
> I believe this should be fixed in the latest inbound/aurora/beta builds.
> Could you confirm whether it can still be reproduced with any of these --
> thanks.
>
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-
> linux64-asan/1455125082/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-
> linux64-asan/1455106701/
> http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-beta-linux64-
> asan/1455107601/
Seems to be fixed. No repro on any of these builds.
Comment 14•9 years ago
Marking this as fixed for 45, 46, and 47. So this may still affect 44?
Comment 15•9 years ago
I'm marking this fixed because 47 is fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 16•9 years ago
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #14)
> Marking this as fixed for 45, 46, and 47. So this may still affect 44?
I expect so, as 44 is still on graphite 1.3.4.
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•9 years ago
Group: gfx-core-security → core-security-release
Comment 18•9 years ago
(In reply to Andrew McCreight [:mccr8] from comment #17)
> I'll assume ESR is also affected...
The same fixes landed on ESR38 in bug 1246093.
Updated•9 years ago
See Also: → CVE-2016-2799
Updating ESR38 status to Fixed based on comment 18 (and status from bug 1246093).
Updated•9 years ago
tracking-firefox-esr38: --- → 44+
Depends on: 1243843, CVE-2016-1523
Whiteboard: fixed in 1243843, on ESR in bug 1246093
Comment 20•9 years ago
I was able to reproduce this issue on Firefox 46.0a1 asan build (specified in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.
Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11 and Windows 10 64-bit.
Status: RESOLVED → VERIFIED
Comment 21•9 years ago
(In reply to Vasilica Mihasca, QA [:vasilica_mihasca] from comment #20)
> I was able to reproduce this issue on Firefox 46.0a1 asan build (specified
> in Description) using Ubuntu 12.02 64-bit and Ubuntu 13.10 64-bit.
>
> Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29),
> Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre
> tinderbox-build (20160229210832) under Ubuntu 13.10 64-bit, Mac OS X 10.11
> and Windows 10 64-bit.
This should be fixed in 46 and 45. Are you saying that you reproduced the original bug in 46?
Flags: needinfo?(vasilica.mihasca)
Updated•9 years ago
Whiteboard: fixed in 1243843, on ESR in bug 1246093 → [adv-main45+][adv-ESR38.6+] fixed in 1243843, on ESR in bug 1246093
Updated•9 years ago
Alias: CVE-2016-1969
Comment 22•9 years ago
(In reply to Al Billings [:abillings] from comment #21)
> This should be fixed in 46 and 45. Are you saying that you reproduced the
> original bug in 46?
I reproduced the initial issue using the firefox asan build specified by the reporter (https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1453669987/).
In order to verify an issue, I first have to reproduce it using the affected build mentioned in the Description, and only after that test it on the latest versions.
So, as I specified in Comment 20, this issue is no longer reproducible on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837) and Firefox 38.6.1esrpre tinderbox-build (20160229210832).
Flags: needinfo?(vasilica.mihasca)
Updated•8 years ago
Group: core-security-release
Updated•9 months ago
Keywords: reporter-external