Closed
Bug 1279413
(CVE-2014-9766)
Opened 4 years ago
Closed 4 years ago
pixman: integer overflow in create_bits function
Categories
(Core :: Graphics, defect)
Tracking
()
People
(Reporter: huzaifas, Assigned: jrmuizel)
Details
(Keywords: csectype-intoverflow, sec-low, Whiteboard: [post-critsmash-triage][adv-main48-][adv-esr45.3-])
Attachments
(1 file)
|
996 bytes,
patch
|
milan
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
dveditz
:
approval-mozilla-esr45+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 Build ID: 20160503092137 Steps to reproduce: CVE-2014-9766 is related to pixman: integer overflow in create_bits function, which Firefox seems to embed. Details at: In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int. http://lists.freedesktop.org/archives/pixman/2014-April/003244.html I find similar code in the version of pixman embedded in firefox. But i dont really have the skills to figure out, if Firefox is indeed affected. Would appreciate if you could look, thanks!
|
||
Comment 1•4 years ago
|
||
Jeff, looks like the fix is from pixman 0.32.6, and we're running 0.29.2 on nightly. Is that right?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(jmuizelaar)
Product: Firefox → Core
|
||
Updated•4 years ago
|
Group: core-security → gfx-core-security
|
Reporter | |
Comment 2•4 years ago
|
||
dveditz, This is a code execution bug, remote ACE for firefox, and its already public, can you accelerate this a bit? Thanks!
|
|
||
Comment 4•4 years ago
|
||
(In reply to Huzaifa Sidhpurwala from comment #2) > This is a code execution bug, remote ACE for firefox, Is it? Gecko imposes image size limits that should kick in before this code is called. Without a testcase this is still an investigatory bug (though I agree we ought to update our libraries)
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox-esr45:
--- → affected
tracking-firefox48:
--- → +
tracking-firefox49:
--- → +
tracking-firefox50:
--- → +
tracking-firefox-esr45:
--- → 48+
Flags: needinfo?(dveditz) → needinfo?(huzaifas)
|
|
Reporter | |
Comment 5•4 years ago
|
||
You could be right, as i said, i have not investigated this from a mozilla pov, but am generally worried about getting it fixed there.
Flags: needinfo?(huzaifas)
|
||
Comment 6•4 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/330fb1898594
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
||
Comment 7•4 years ago
|
||
Jeff, could you fill the uplift requests to aurora, beta & esr? Thanks
|
|
||
Updated•4 years ago
|
Group: gfx-core-security → core-security-release
Just caught this - no sec rating but it has already landed. Milan can you request uplift ?
Flags: needinfo?(milan)
Creating the patch that already landed, so that we can request uplift. Approval Request Comment [Feature/regressing bug #]: In upstream pixman at our version 0.29.2, fixed by 0.32.6 in 2014. [User impact if declined]: We don't know the attack vector, but the description of the upstream problem is: Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.
Flags: needinfo?(milan)
Attachment #8771561 -
Flags: review+
Attachment #8771561 -
Flags: approval-mozilla-beta?
Attachment #8771561 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 10•4 years ago
|
||
Comment on attachment 8771561 [details] [diff] [review] The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html) Milan, Jeff, what about ESR45? Thanks
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 -
Flags: approval-mozilla-beta?
Attachment #8771561 -
Flags: approval-mozilla-beta+
Attachment #8771561 -
Flags: approval-mozilla-aurora?
Attachment #8771561 -
Flags: approval-mozilla-aurora+
Comment on attachment 8771561 [details] [diff] [review] The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html) [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is somewhat difficult without the security rating. The description is above, and the fix is simple enough that even without a known attack vector, it would be good to get it into 45esr.
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 -
Flags: approval-mozilla-esr45?
|
|
||
Updated•4 years ago
|
Alias: CVE-2014-9766
Keywords: csectype-intoverflow,
sec-moderate
|
|
||
Updated•4 years ago
|
Keywords: sec-moderate → sec-low
|
|
||
Comment 14•4 years ago
|
||
Comment on attachment 8771561 [details] [diff] [review] The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html) We should take this on all the branches, a=dveditz for ESR-45
Attachment #8771561 -
Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
|
||
Updated•4 years ago
|
Whiteboard: [post-critsmash-triage]
|
||
Updated•4 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48-][adv-esr45.3-]
|
|
Reporter | |
Comment 16•4 years ago
|
||
Is there going to be an advisory for this?
|
|
||
Comment 17•4 years ago
|
||
No, there is not (hence the minus tags for the released in the whiteboard). It isn't clear that Firefox was actually affected by this in practice.
|
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•