Closed Bug 1369545 Opened 8 years ago Closed 5 years ago

address potentially unsafe snprintf usage in PrepareAcceptLanguages

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1403802

Tracking Flags:

Tracking

Status

firefox-esr45

---

wontfix

firefox-esr52

wontfix

firefox53

wontfix

firefox54

wontfix

firefox55

wontfix

firefox56

---

wontfix

firefox57

---

wontfix

People

(Reporter: keeler, Unassigned)

References

Details

(Keywords: sec-low, Whiteboard: [necko-triaged])

Dana Keeler (she/her) [:keeler]

Reporter

Description

•

8 years ago

snprintf returns the number of bytes it *would have* written when it runs out of buffer space. PrepareAcceptLanguages uses the return value from snprintf without checking this. It looks like in practice this code can't overflow the buffer (and it comes from a user pref anyway (as opposed to content, which would be concerning), from what I can tell), but we should actually do the check and better future-proof this code.

Ryan VanderMeulen [:RyanVM]

Updated

•

8 years ago

status-firefox53: --- → wontfix

status-firefox54: --- → wontfix

status-firefox55: --- → affected

status-firefox-esr45: --- → wontfix

status-firefox-esr52: --- → affected

tracking-firefox53: --- → ?

tracking-firefox54: --- → ?

tracking-firefox55: --- → ?

tracking-firefox-esr52: --- → ?

Ryan VanderMeulen [:RyanVM]

Updated

•

8 years ago

Version: unspecified → 45 Branch

Gerry Chang [:gchang]

Comment 1

•

8 years ago

Track 53-/54- as we've build 54 RC and there is not security level here. Feel free to nominate again if the security level is critical/high.

tracking-firefox53: ? → -

tracking-firefox54: ? → -

Julien Cristau [:jcristau]

Comment 2

•

8 years ago

tracking for 55.

tracking-firefox55: ? → +

Andrew McCreight [:mccr8]

Updated

•

8 years ago

Group: core-security → network-core-security

Keywords: sec-low

Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)

Comment 3

•

8 years ago

This is a sec-low that doesn't need to be tracked for 55. In 55, we are already tracking several sec-high/sec-crits. If there is a fix ready for this one and deemed low risk, please nominate for uplift to Beta.

status-firefox55: affected → fix-optional

tracking-firefox55: + → -

Honza Bambas (:mayhemer)

Comment 4

•

8 years ago

Potential sec bug that I don't want to backlog just that. PrepareAcceptLanguages is a candidate to rewrite with Tokenizer and an encapsulated string buffer (ns*CString), tho.

Whiteboard: [necko-next]

Julien Cristau [:jcristau]

Updated

•

8 years ago

status-firefox55: fix-optional → wontfix

status-firefox56: --- → fix-optional

status-firefox57: --- → affected

status-firefox-esr52: affected → fix-optional

tracking-firefox-esr52: ? → -

Honza Bambas (:mayhemer)

Updated

•

8 years ago

Priority: -- → P2

Whiteboard: [necko-next] → [necko-triaged]

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

status-firefox56: fix-optional → wontfix

status-firefox57: affected → wontfix

status-firefox-esr52: fix-optional → wontfix

Valentin Gosu [:valentin] (he/him)

Comment 5

•

5 years ago

This was fixed in bug 1403802 by rewriting the method in rust.

Status: NEW → RESOLVED

Closed: 5 years ago

Resolution: --- → DUPLICATE

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: network-core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

address potentially unsafe snprintf usage in PrepareAcceptLanguages

Categories

(Core :: Networking, enhancement, P2)

Tracking

()

People

(Reporter: keeler, Unassigned)

References

Details

(Keywords: sec-low, Whiteboard: [necko-triaged])

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Updated

Updated

Updated

Comment 5

Updated