Bug 1289970 (CVE-2016-5280)

UAF in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap

VERIFIED FIXED in Firefox 49

Status

Severity: critical
Status: VERIFIED FIXED

People

(Reporter: wangmei.S102, Assigned: smaug)

Tracking

(4 keywords)

50 Branch
mozilla51
x86_64
Linux
crash, csectype-uaf, sec-high, testcase
Bug Flags:
sec-bounty +
qe-verify +

Firefox Tracking Flags

(firefox48 wontfix, firefox49+ verified, firefox-esr4549+ verified, firefox50+ verified, firefox51+ verified)

Details

(Whiteboard: [adv-main49+][adv-esr45.4+])

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
testcase
Posted file crash.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce:

Run the attached file (crash.html); it may take a few seconds to crash.
Tested on Mozilla Firefox 50.0a1 and Mozilla Firefox 47.0.1 (x86/x86_64).


Actual results:

Firefox crashed; the ASAN report follows:

==10914==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000511b10 at pc 0x7f48178af2af bp 0x7ffe1abc7df0 sp 0x7ffe1abc7de8
READ of size 4 at 0x60d000511b10 thread T0
    #0 0x7f48178af2ae in GetBoolFlag /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/nsINode.h:1527:12
    #1 0x7f48178af2ae in HasTextNodeDirectionalityMap /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/nsINode.h:1612
    #2 0x7f48178af2ae in RemoveElementFromMap /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/DirectionalityUtils.cpp:550
    #3 0x7f48178af2ae in mozilla::ResetDir(mozilla::dom::Element*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/DirectionalityUtils.cpp:1007
    #4 0x7f48178c52cc in mozilla::dom::Element::UnbindFromTree(bool, bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/Element.cpp:1849:5
    #5 0x7f481a4ecbe9 in nsGenericHTMLElement::UnbindFromTree(bool, bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/html/nsGenericHTMLElement.cpp:583:3
    #6 0x7f4817934e1d in ContentUnbinder::UnbindSubtree(nsIContent*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/FragmentOrElement.cpp:1274:9
    #7 0x7f48179347b5 in ContentUnbinder::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/FragmentOrElement.cpp:1285:9
    #8 0x7f4814473c98 in nsThread::ProcessNextEvent(bool, bool*) /home/dazhuang/workspace/mozilla-central/mozilla-central/xpcom/threads/nsThread.cpp:1029:7
    #9 0x7f48144fbacc in NS_ProcessNextEvent(nsIThread*, bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290:10
    #10 0x7f481554c06f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/glue/MessagePump.cpp:100:21
    #11 0x7f4815436188 in RunInternal /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/chromium/src/base/message_loop.cc:235:3
    #12 0x7f4815436188 in RunHandler /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/chromium/src/base/message_loop.cc:228
    #13 0x7f4815436188 in MessageLoop::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
    #14 0x7f481ba89f3f in nsBaseAppShell::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/widget/nsBaseAppShell.cpp:156:3
    #15 0x7f481dc96db1 in nsAppStartup::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:284:19
    #16 0x7f481ddfc45a in XREMain::XRE_mainRun() /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/xre/nsAppRunner.cpp:4391:10
    #17 0x7f481ddfd9ee in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/xre/nsAppRunner.cpp:4495:8
    #18 0x7f481ddfe8bf in XRE_main /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/xre/nsAppRunner.cpp:4600:16
    #19 0x4e0cdb in do_main /home/dazhuang/workspace/mozilla-central/mozilla-central/browser/app/nsBrowserApp.cpp:254:10
    #20 0x4e0cdb in main /home/dazhuang/workspace/mozilla-central/mozilla-central/browser/app/nsBrowserApp.cpp:427
    #21 0x7f483203d57f in __libc_start_main /usr/src/debug/glibc-2.22/csu/libc-start.c:289
    #22 0x41cb18 in _start (/home/dazhuang/workspace/mozilla-central/mozilla-central/objdir-ff-asan/dist/bin/firefox+0x41cb18)

0x60d000511b10 is located 48 bytes inside of 136-byte region [0x60d000511ae0,0x60d000511b68)
freed by thread T0 here:
    #0 0x4b321b in __interceptor_free /home/nikola/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f481434d5e4 in SnowWhiteKiller::~SnowWhiteKiller() /home/dazhuang/workspace/mozilla-central/mozilla-central/xpcom/base/nsCycleCollector.cpp:2685:9
    #2 0x7f481433dab6 in nsCycleCollector::FreeSnowWhite(bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/xpcom/base/nsCycleCollector.cpp:2859:3
    #3 0x7f481666a01e in AsyncFreeSnowWhite::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/js/xpconnect/src/XPCJSRuntime.cpp:142:34
    #4 0x7f4814473c98 in nsThread::ProcessNextEvent(bool, bool*) /home/dazhuang/workspace/mozilla-central/mozilla-central/xpcom/threads/nsThread.cpp:1029:7
    #5 0x7f48144fbacc in NS_ProcessNextEvent(nsIThread*, bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290:10
    #6 0x7f481554c06f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/glue/MessagePump.cpp:100:21
    #7 0x7f4815436188 in RunInternal /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/chromium/src/base/message_loop.cc:235:3
    #8 0x7f4815436188 in RunHandler /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/chromium/src/base/message_loop.cc:228
    #9 0x7f4815436188 in MessageLoop::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
    #10 0x7f481ba89f3f in nsBaseAppShell::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/widget/nsBaseAppShell.cpp:156:3
    #11 0x7f481dc96db1 in nsAppStartup::Run() /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:284:19
    #12 0x7f481ddfc45a in XREMain::XRE_mainRun() /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/xre/nsAppRunner.cpp:4391:10
    #13 0x7f481ddfd9ee in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/xre/nsAppRunner.cpp:4495:8
    #14 0x7f481ddfe8bf in XRE_main /home/dazhuang/workspace/mozilla-central/mozilla-central/toolkit/xre/nsAppRunner.cpp:4600:16
    #15 0x4e0cdb in do_main /home/dazhuang/workspace/mozilla-central/mozilla-central/browser/app/nsBrowserApp.cpp:254:10
    #16 0x4e0cdb in main /home/dazhuang/workspace/mozilla-central/mozilla-central/browser/app/nsBrowserApp.cpp:427
    #17 0x7f483203d57f in __libc_start_main /usr/src/debug/glibc-2.22/csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4b353b in __interceptor_malloc /home/nikola/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e186d in moz_xmalloc /home/dazhuang/workspace/mozilla-central/mozilla-central/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f48176f1167 in operator new /home/dazhuang/workspace/mozilla-central/mozilla-central/objdir-ff-asan/dist/include/mozilla/mozalloc.h:193:12
    #3 0x7f48176f1167 in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/nsContentUtils.cpp:4622
    #4 0x7f481790d11f in mozilla::dom::FragmentOrElement::SetTextContentInternal(nsAString_internal const&, mozilla::ErrorResult&) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/FragmentOrElement.cpp:1179:12
    #5 0x7f481869341d in SetTextContent /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/nsINode.h:1250:5
    #6 0x7f481869341d in mozilla::dom::NodeBinding::set_textContent(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitSetterCallArgs) /home/dazhuang/workspace/mozilla-central/mozilla-central/objdir-ff-asan/dom/bindings/NodeBinding.cpp:561
    #7 0x7f4819d15ede in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/bindings/BindingUtils.cpp:2752:8
    #8 0x7f48203493f0 in CallJSNative /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/jscntxtinlines.h:235:15
    #9 0x7f48203493f0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:452
    #10 0x7f482034b648 in InternalCall /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:497:12
    #11 0x7f482034b648 in Call /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:516
    #12 0x7f482034b648 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:641
    #13 0x7f48203bd19e in SetExistingProperty /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/NativeObject.cpp:2370:10
    #14 0x7f48203bd19e in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/NativeObject.cpp:2405
    #15 0x7f4820329002 in SetProperty /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/NativeObject.h:1525:12
    #16 0x7f4820329002 in SetPropertyOperation /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:256
    #17 0x7f4820329002 in Interpret(JSContext*, js::RunState&) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:2666
    #18 0x7f4820316588 in js::RunScript(JSContext*, js::RunState&) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:398:12
    #19 0x7f4820349ab8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:470:15
    #20 0x7f482034a191 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/vm/Interpreter.cpp:516:10
    #21 0x7f481fe286a8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/dazhuang/workspace/mozilla-central/mozilla-central/js/src/jsapi.cpp:2888:12
    #22 0x7f48197cc910 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/dazhuang/workspace/mozilla-central/mozilla-central/objdir-ff-asan/dom/bindings/EventHandlerBinding.cpp:259:37
    #23 0x7f481a192119 in Call<nsISupports *> /home/dazhuang/workspace/mozilla-central/mozilla-central/objdir-ff-asan/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #24 0x7f481a192119 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/events/JSEventHandler.cpp:214
    #25 0x7f481a15e957 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/events/EventListenerManager.cpp:1122:16
    #26 0x7f481a16058d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/events/EventListenerManager.cpp:1294:17
    #27 0x7f481a13a6ec in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/events/EventDispatcher.cpp:379:5
    #28 0x7f481a13e3b0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/events/EventDispatcher.cpp:710:9
    #29 0x7f481c3a6926 in nsDocumentViewer::LoadComplete(nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/layout/base/nsDocumentViewer.cpp:996:7
    #30 0x7f481d2a45c5 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/docshell/base/nsDocShell.cpp:7559:5
    #31 0x7f481d2a0661 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/docshell/base/nsDocShell.cpp:7360:7
    #32 0x7f481d2a77df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/docshell/base/nsDocShell.cpp:7257:13
    #33 0x7f4816b94be1 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/uriloader/base/nsDocLoader.cpp:1250:3
    #34 0x7f4816b93a94 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/uriloader/base/nsDocLoader.cpp:834:5
    #35 0x7f4816b906dd in nsDocLoader::DocLoaderIsEmpty(bool) /home/dazhuang/workspace/mozilla-central/mozilla-central/uriloader/base/nsDocLoader.cpp:724:9
    #36 0x7f4816b92854 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/uriloader/base/nsDocLoader.cpp:608:5
    #37 0x7f4816b936ac in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/uriloader/base/nsDocLoader.cpp:464:14
    #38 0x7f481466111b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/dazhuang/workspace/mozilla-central/mozilla-central/netwerk/base/nsLoadGroup.cpp:633:18

SUMMARY: AddressSanitizer: heap-use-after-free /home/dazhuang/workspace/mozilla-central/mozilla-central/dom/base/nsINode.h:1527:12 in GetBoolFlag
Shadow bytes around the buggy address:
  0x0c1a8009a310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a8009a320: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a8009a330: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c1a8009a340: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a8009a350: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c1a8009a360: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1a8009a370: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a8009a380: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1a8009a390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a8009a3a0: 00 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1a8009a3b0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10914==ABORTING
(Reporter)

Updated

3 years ago
Severity: normal → critical
Keywords: crash
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Version: 47 Branch → 50 Branch
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Tyson confirmed the ASAN crash in Nightly (50)
Status: UNCONFIRMED → NEW
status-firefox48: --- → wontfix
status-firefox49: --- → affected
status-firefox50: --- → affected
Ever confirmed: true
Keywords: csectype-uaf, sec-high, testcase
OS: Windows 7 → Linux
Flags: sec-bounty?
According to security@ mail, the reporter is a security researcher at Qihoo 360.
(Assignee)

Updated

3 years ago
Assignee: nobody → bugs
(Assignee)

Comment 3

3 years ago
The issue here is that since WalkDescendantsResetAutoDirection passes
null to nsTextNodeDirectionalityMap::ResetTextNodeDirection(static_cast<nsTextNode*>(child), nullptr),
ResetNodeDirection may try to add an entry to newTextNode's map when newTextNode is actually the 'child', from which the entry is removed because ResetNodeDirection returns OpRemove.
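A simplified model of the bookkeeping that Comment 3 describes, added here as an illustration; it is not Gecko code and not taken from the bug's attachments. dir=auto keeps two weak links that must stay in sync: the text node's directionality map (text node to the elements whose direction it set) and each element's back-pointer to the text node that set its direction. The model shows what happens when a reset drops the element from the map (OpRemove) without updating the back-pointer: once the text node is freed, the element's unbind follows a dangling pointer, which is the read the ASAN report places in RemoveElementFromMap. The names dirMap and dirSetBy, the Heap liveness registry, and the assumption that a dying text node clears the back-pointers of only those elements still in its map are the model's own; the actual trigger in crash.html is not reproduced.

```cpp
// Added model for bug 1289970 (illustration only, not Gecko code).
// Links kept by dir=auto bookkeeping in this model:
//   TextNode::dirMap   - elements whose direction this text node determined
//   Element::dirSetBy  - the text node that determined this element's direction
// Both are weak; the invariant is that they always describe the same pairs.
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>
#include <unordered_map>

struct TextNode;

struct Element {
    TextNode* dirSetBy = nullptr;   // weak back-pointer (assumed name)
};

struct TextNode {
    std::set<Element*> dirMap;      // weak forward references (assumed name)
};

// Stand-in for the heap: remembers which text nodes are still allocated so the
// model can detect a dangling pointer without dereferencing freed memory.
class Heap {
public:
    TextNode* newText() {
        std::unique_ptr<TextNode> t(new TextNode());
        TextNode* raw = t.get();
        texts_[raw] = std::move(t);
        return raw;
    }
    Element* newElement() {
        std::unique_ptr<Element> e(new Element());
        Element* raw = e.get();
        elements_[raw] = std::move(e);
        return raw;
    }
    // The text node dies (in the report: freed by the cycle collector after
    // textContent replaced it). Model assumption: on death it clears the
    // back-pointer of every element still in its map; an element that was
    // already dropped from the map is never reached.
    void freeText(TextNode* t) {
        for (Element* e : t->dirMap) e->dirSetBy = nullptr;
        texts_.erase(t);                // destroys the TextNode
    }
    bool isLive(const TextNode* t) const { return texts_.count(t) != 0; }
private:
    std::unordered_map<const TextNode*, std::unique_ptr<TextNode>> texts_;
    std::unordered_map<const Element*, std::unique_ptr<Element>> elements_;
};

// The element's dir=auto was resolved from text node t: both links set together.
void link(TextNode* t, Element* e) {
    t->dirMap.insert(e);
    e->dirSetBy = t;
}

// Reset with OpRemove. Buggy shape: drops the map entry but leaves the
// element's back-pointer naming the text node.
void resetBuggy(TextNode* t, Element* e) {
    t->dirMap.erase(e);
}

// Fixed shape: both links updated in the same step.
void resetFixed(TextNode* t, Element* e) {
    t->dirMap.erase(e);
    e->dirSetBy = nullptr;
}

// Debug invariant: a non-null back-pointer names a live text node whose map
// still contains the element. Cheap to assert right after any reset.
bool linksConsistent(const Heap& h, Element* e) {
    if (!e->dirSetBy) return true;
    return h.isLive(e->dirSetBy) && e->dirSetBy->dirMap.count(e) != 0;
}

// Element::UnbindFromTree -> ResetDir -> RemoveElementFromMap, modeled.
// Returns false where the real code would read the freed text node.
bool unbind(const Heap& h, Element* e) {
    if (!e->dirSetBy) return true;             // nothing to remove
    if (!h.isLive(e->dirSetBy)) return false;  // heap-use-after-free
    e->dirSetBy->dirMap.erase(e);
    e->dirSetBy = nullptr;
    return true;
}

struct Outcome {
    bool consistentAfterReset;  // invariant held after the reset step
    bool unbindSafe;            // unbind completed without touching freed memory
};

// Sequence from the report: link, reset, text node freed, element unbound.
Outcome run(bool fixedReset) {
    Heap h;
    TextNode* t = h.newText();
    Element* e = h.newElement();
    link(t, e);
    if (fixedReset) resetFixed(t, e); else resetBuggy(t, e);
    Outcome o;
    o.consistentAfterReset = linksConsistent(h, e);
    h.freeText(t);              // old text node freed; t is now dangling
    o.unbindSafe = unbind(h, e);
    return o;
}

int main() {
    Outcome buggy = run(false), fixed = run(true);
    std::printf("buggy reset: invariant %s, unbind %s\n",
                buggy.consistentAfterReset ? "held" : "broken",
                buggy.unbindSafe ? "safe" : "reads freed text node");
    std::printf("fixed reset: invariant %s, unbind %s\n",
                fixed.consistentAfterReset ? "held" : "broken",
                fixed.unbindSafe ? "safe" : "reads freed text node");
    return 0;
}
```

The useful habit the model suggests is to assert the pair invariant (linksConsistent) immediately after every operation that touches one side of a bidirectional weak link, rather than only at the point where the pointer is finally followed; in the buggy run the invariant is already broken at the reset step, long before the cycle collector frees the text node.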
(Assignee)

Comment 4

3 years ago
Bug 861606 added http://searchfox.org/mozilla-central/rev/d9a04f71630ce4203ff0a5e26722723045d035b5/dom/base/DirectionalityUtils.cpp#687, which is not right, as far as I see. That doesn't cause the crash, but with the patch it causes an assertion to fire.
(Assignee)

Comment 5

3 years ago
Attachment #8778014 - Flags: review?(ehsan)

Updated

3 years ago
Attachment #8778014 - Flags: review?(ehsan) → review+
(Assignee)

Comment 6

3 years ago
Comment on attachment 8778014 [details] [diff] [review]
nsTextNodeDirectionalityMap_crash.diff


[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'd say not very easily, but the patch does of course pinpoint which code to try out to break.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Comment could be "Bug 1289970, ensure we don't remove valid Directionality map from textnode"

Which older supported branches are affected by this flaw?
All

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Based on code inspection the relevant code looks the same in branches.

How likely is this patch to cause regressions; how much testing does it need?
Should be quite safe since when the relevant code is executed, we should currently get this crash.

[String/UUID change made/needed]:
NA
Attachment #8778014 - Flags: sec-approval?
Attachment #8778014 - Flags: approval-mozilla-esr45?
Attachment #8778014 - Flags: approval-mozilla-beta?
Attachment #8778014 - Flags: approval-mozilla-aurora?
sec-approval+ for trunk. I'll do other approvals as well since it is early.
status-firefox51: --- → affected
status-firefox-esr45: --- → affected
tracking-firefox49: --- → +
tracking-firefox50: --- → +
tracking-firefox51: --- → +
tracking-firefox-esr45: --- → 49+
Attachment #8778014 - Flags: sec-approval?
Attachment #8778014 - Flags: sec-approval+
Attachment #8778014 - Flags: approval-mozilla-esr45?
Attachment #8778014 - Flags: approval-mozilla-esr45+
Attachment #8778014 - Flags: approval-mozilla-beta?
Attachment #8778014 - Flags: approval-mozilla-beta+
Attachment #8778014 - Flags: approval-mozilla-aurora?
Attachment #8778014 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/534dc4b44b1a
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
This is hitting conflicts uplifting to esr45. Can we get a rebased patch attached?
Flags: needinfo?(bugs)
(Assignee)

Comment 12

3 years ago
Posted patch esr45
Applied with plenty of fuzz. Bug 1257208 caused it.
Flags: needinfo?(bugs)
Flags: sec-bounty? → sec-bounty+
Group: dom-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [adv-main49+][adv-esr45.4+]
Reproduced on 48.0.2, Win 7.
Verified fixed FX 49.0, 50.0a2 (2016-09-06), 51.0a1 (2016-09-06), 45.4.0 ESR, Win 7.
Status: RESOLVED → VERIFIED
status-firefox49: fixed → verified
status-firefox50: fixed → verified
status-firefox51: fixed → verified
status-firefox-esr45: fixed → verified
Alias: CVE-2016-5280
Group: core-security-release