Closed
Bug 1279413
(CVE-2014-9766)
Opened 9 years ago
Closed 9 years ago
pixman: integer overflow in create_bits function
Categories
(Core :: Graphics, defect)
People
(Reporter: huzaifas, Assigned: jrmuizel)
Details
(Keywords: csectype-intoverflow, sec-low, Whiteboard: [post-critsmash-triage][adv-main48-][adv-esr45.3-])
Attachments
(1 file)
patch, 996 bytes
milan: review+
Sylvestre: approval-mozilla-aurora+
Sylvestre: approval-mozilla-beta+
dveditz: approval-mozilla-esr45+
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160503092137
Steps to reproduce:
CVE-2014-9766 is related to pixman: integer overflow in create_bits function, which Firefox seems to embed.
Details at http://lists.freedesktop.org/archives/pixman/2014-April/003244.html:
> In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int.
I find similar code in the version of pixman embedded in Firefox, but I don't really have the skills to figure out if Firefox is indeed affected.
Would appreciate if you could look, thanks!
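The arithmetic the quoted upstream description refers to, reduced to its essentials as an added example (constructed C for this page, not pixman's or Firefox's code): the unchecked int product beside a form that widens to size_t and rejects the request before anything reaches the allocator.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the vulnerable arithmetic: height and stride are ints, so the
 * product is computed in int and wraps before anyone widens it to size_t.
 * Signed overflow is undefined in C, so the wrap is modelled with uint32_t,
 * which gives the same low 32 bits a two's-complement machine produces.
 * Constructed illustration, not pixman's create_bits(). */
size_t unchecked_buf_size(int height, int stride)
{
    uint32_t wrapped = (uint32_t)height * (uint32_t)stride;
    int buf_size = (int)wrapped;        /* the int result the caller sees */
    return (size_t)buf_size;            /* value that would reach malloc() */
}

/* Hardened form in the spirit of the fix described in the thread: widen to
 * size_t first, reject non-positive inputs, and refuse any product that
 * does not fit. Returns the byte count, or 0 when the request is rejected
 * (a valid size is never 0 once both inputs are positive). */
size_t checked_buf_size(int height, int stride)
{
    if (height <= 0 || stride <= 0)
        return 0;
    size_t h = (size_t)height, s = (size_t)stride;
    if (h > SIZE_MAX / s)               /* h * s would exceed size_t */
        return 0;
    return h * s;
}

int main(void)
{
    /* Constructed inputs: 65536 rows of 65536 bytes need 4 GiB, but the
     * int product is exactly 2^32 and wraps to 0 (64-bit size_t assumed). */
    int height = 65536, stride = 65536;
    size_t needed = (size_t)height * (size_t)stride;
    size_t bad = unchecked_buf_size(height, stride);
    size_t good = checked_buf_size(height, stride);

    printf("needed %zu bytes; unchecked arithmetic would request %zu\n",
           needed, bad);
    if (good)
        printf("checked: allocate %zu bytes (or fail cleanly)\n", good);
    else
        printf("checked: request rejected before allocation\n");
    return 0;
}
```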
Comment 1•9 years ago
Jeff, looks like the fix is from pixman 0.32.6, and we're running 0.29.2 on nightly. Is that right?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(jmuizelaar)
Product: Firefox → Core
Updated•9 years ago
Group: core-security → gfx-core-security
Reporter
Comment 2•9 years ago
dveditz,
This is a code execution bug, remote ACE for Firefox, and it's already public, can you accelerate this a bit?
Thanks!
Comment 4•9 years ago
(In reply to Huzaifa Sidhpurwala from comment #2)
> This is a code execution bug, remote ACE for firefox,
Is it? Gecko imposes image size limits that should kick in before this code is called. Without a testcase this is still an investigatory bug (though I agree we ought to update our libraries).
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox-esr45:
--- → affected
tracking-firefox48:
--- → +
tracking-firefox49:
--- → +
tracking-firefox50:
--- → +
tracking-firefox-esr45:
--- → 48+
Flags: needinfo?(dveditz) → needinfo?(huzaifas)
Reporter
Comment 5•9 years ago
You could be right; as I said, I have not investigated this from a Mozilla POV, but am generally worried about getting it fixed there.
Flags: needinfo?(huzaifas)
Comment 6•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 7•9 years ago
Jeff, could you file the uplift requests to aurora, beta & esr? Thanks
Updated•9 years ago
Group: gfx-core-security → core-security-release
Comment 8•9 years ago
Just caught this - no sec rating, but it has already landed. Milan, can you request uplift?
Flags: needinfo?(milan)
Creating the patch that already landed, so that we can request uplift.
Approval Request Comment
[Feature/regressing bug #]: In upstream pixman at our version 0.29.2, fixed by 0.32.6 in 2014.
[User impact if declined]: We don't know the attack vector, but the description of the upstream problem is:
Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.
Flags: needinfo?(milan)
Attachment #8771561 -
Flags: review+
Attachment #8771561 -
Flags: approval-mozilla-beta?
Attachment #8771561 -
Flags: approval-mozilla-aurora?
Comment 10•9 years ago
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)
Milan, Jeff, what about ESR45? Thanks
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 -
Flags: approval-mozilla-beta?
Attachment #8771561 -
Flags: approval-mozilla-beta+
Attachment #8771561 -
Flags: approval-mozilla-aurora?
Attachment #8771561 -
Flags: approval-mozilla-aurora+
Comment 11•9 years ago
Comment 12•9 years ago
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
This is somewhat difficult without the security rating. The description is above, and the fix is simple enough that even without a known attack vector, it would be good to get it into 45esr.
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 -
Flags: approval-mozilla-esr45?
Updated•9 years ago
Alias: CVE-2014-9766
Keywords: csectype-intoverflow, sec-moderate
Updated•9 years ago
Keywords: sec-moderate → sec-low
Comment 14•9 years ago
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)
We should take this on all the branches, a=dveditz for ESR-45
Attachment #8771561 -
Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Updated•9 years ago
Whiteboard: [post-critsmash-triage]
Comment 15•9 years ago
Updated•9 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48-][adv-esr45.3-]
Reporter
Comment 16•9 years ago
Is there going to be an advisory for this?
Comment 17•9 years ago
No, there is not (hence the minus tags for the releases in the whiteboard). It isn't clear that Firefox was actually affected by this in practice.
Updated•9 years ago
Group: core-security-release