Closed
Bug 1369543
Opened 7 years ago
Closed 4 years ago
address some potentially unsafe snprintf uses in dom/
Categories
(Core Graveyard :: Plug-ins, defect, P3)
Tracking
(firefox-esr45 unaffected, firefox-esr52- wontfix, firefox53- wontfix, firefox54- wontfix, firefox55-, firefox58 wontfix, firefox59 fix-optional, firefox60 fix-optional)
RESOLVED
WONTFIX
Release | Tracking | Status |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox-esr52 | - | wontfix |
firefox53 | - | wontfix |
firefox54 | - | wontfix |
firefox55 | - | --- |
firefox58 | --- | wontfix |
firefox59 | --- | fix-optional |
firefox60 | --- | fix-optional |
People
(Reporter: keeler, Unassigned)
References
Details
(Keywords: sec-low)
snprintf returns the number of bytes it *would have* written when it runs out of buffer space. nsPluginHost::ParsePostBufferToFixHeaders attempts to handle this but doesn't quite get it right - the == needs to be a >= here: https://dxr.mozilla.org/mozilla-central/rev/bdb2387396b4a74dfefb7c983733eed3625e906a/dom/plugins/base/nsPluginHost.cpp#3545

In practice, it looks like the buffer will always be large enough, but we can better future-proof this.

Also, NetworkUtils::setInterfaceDns had a similar issue here: https://hg.mozilla.org/mozilla-central/annotate/deadb414ee23/dom/system/gonk/NetworkUtils.cpp#l1190

It's much less clear that this is safe. That code was removed in 55 by bug 1357323 and was b2g-related anyway, so it's unclear to me if there are any currently-supported projects that we would need to fix this in. I would appreciate some help in tracking this down.
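The difference between the `==` and `>=` truncation checks described in the report, as an added example that is not part of the bug report and is not Firefox code. The function names, the format string and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: "Content-Length: 12345\r\n\r\n" is 25 chars + NUL. */
char scratch[64];

/* Flawed: only notices truncation when the return value equals the size. */
int format_eq(char *buf, size_t size, unsigned long len)
{
    int n = snprintf(buf, size, "Content-Length: %lu\r\n\r\n", len);
    if (n < 0 || (size_t)n == size)
        return -1;
    return n;   /* can be larger than what was actually stored */
}

/* Fixed: any return value >= size means the output did not fit. */
int format_ge(char *buf, size_t size, unsigned long len)
{
    int n = snprintf(buf, size, "Content-Length: %lu\r\n\r\n", len);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Wrappers: run each check against the same buffer with a given limit. */
int eq_with_limit(size_t size) { return format_eq(scratch, size, 12345UL); }
int ge_with_limit(size_t size) { return format_ge(scratch, size, 12345UL); }
size_t stored_len(void) { return strlen(scratch); }

int main(void)
{
    size_t limits[] = { 16, 25, 26 };  /* too small, one short, exact fit */
    for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++) {
        int e = eq_with_limit(limits[i]);
        size_t kept = stored_len();
        int g = ge_with_limit(limits[i]);
        printf("limit %2zu: == check -> %2d, >= check -> %2d, stored %zu\n",
               limits[i], e, g, kept);
    }
    return 0;
}
```

With a limit of 16 the `==` variant reports 25 bytes while only 15 were stored, so a caller that advances a pointer or length by the return value ends up past the end of the buffer.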
Updated•7 years ago
status-firefox53:
--- → wontfix
status-firefox54:
--- → wontfix
status-firefox55:
--- → affected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → affected
tracking-firefox53:
--- → ?
tracking-firefox54:
--- → ?
tracking-firefox55:
--- → ?
tracking-firefox-esr52:
--- → ?
Updated•7 years ago
Version: unspecified → 47 Branch
Comment 1•7 years ago
Track 53-/54- as we've built 54 RC and there is no security level here. Feel free to nominate again if the security level is critical/high.
Updated•7 years ago
Group: core-security → dom-core-security
Updated•7 years ago
Priority: -- → P3
This is a sec-low that doesn't need to be tracked for 55. We are already tracking several sec-high/sec-crits for 55. If a fix is ready and deemed low-risk, please nominate for uplift to Beta.
Comment 4•6 years ago
Not tracking for ESR52 either since it's sec-low.
status-firefox58:
--- → wontfix
status-firefox59:
--- → fix-optional
status-firefox60:
--- → fix-optional
Updated•4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
Product: Core → Core Graveyard
Updated•4 months ago
Group: dom-core-security
status-firefox55:
wontfix → ---