Closed
Bug 1393624
(CVE-2017-7825)
Opened 7 years ago
Closed 7 years ago
Domain spoofing thanks to U+0620 ARABIC LETTER rendered as 'space' on Mac OS
Categories: Firefox :: Address Bar, defect
Tracking: RESOLVED FIXED, Firefox 57
People: Reporter: chromium.khalil, Assigned: jfkthame
Details: 4 keywords, Whiteboard: [adv-main56+][adv-esr52.4+][post-critsmash-triage]
Attachments (2 files):
157.59 KB, image/png
2.05 KB, patch (jrmuizel: review+; gchang: approval-mozilla-beta+; gchang: approval-mozilla-esr52+)
After reporting issue 1390980, which is fixed in version 57.0a1 Nightly, we have found another character (https://www.compart.com/en/unicode/U+0620) which looks like a 'space' on Mac OS:
http://important-domain.google.com.xn--fgbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bntk.pl/
Comment 1 • 7 years ago (Reporter)
Note: I tested this with macOS X El Capitan 10.11.6
Comment 2 • 7 years ago (Assignee)
Looks like this is another character where some of Apple's Chinese fonts (STSong / Songti) incorrectly have a blank glyph.
The same issue also applies to the extended Arabic-script characters 06EE, 06EF and 06FF. And to some (mostly unassigned) Tibetan-block characters: 0F6D 0F6E 0F6F 0F70 0F98 0FBD 0FCD 0FD9..0FFF. (Based on checking the Songti fonts on macOS 10.12.)
This really is an Apple bug, not a Firefox issue, but I guess we can add all these to the exclusion list in gfxMacPlatformFontList.
Updated • 7 years ago
Flags: sec-bounty?
Comment 3 • 7 years ago
jfkthame: have we now gone through all the suspect fonts and blacklisted every character which is encoded as a space?
Gerv
Comment 4 • 7 years ago (Assignee)
(In reply to Gervase Markham [:gerv] from comment #3)
> jfkthame: have we now gone through all the suspect fonts and blacklisted
> every character which is encoded as a space?
Not really; that's rather an open-ended project. I found a bunch more in the STSong fonts (comment 2 above), but this may not be exhaustive.
There could easily be additional fonts that have such flaws, but just haven't come to anyone's attention yet. And fonts change with every new OS release... existing fonts are updated, and entirely new fonts may be shipped. In general, of course, we hope that errors are fixed in new releases rather than new ones introduced, but there are no guarantees.
Comment 5 • 7 years ago (Assignee)
(In reply to Jonathan Kew (:jfkthame) from comment #2)
> Looks like this is another character where some of Apple's Chinese fonts
> (STSong / Songti) incorrectly have a blank glyph.
>
> The same issue also applies to the extended Arabic-script characters 06EE,
> 06EF and 06FF.
And 065F.
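Added example, not code from this bug thread and not Gecko's gfxMacPlatformFontList exclusion list: a small Python check that decodes the Punycode (xn--) labels of a hostname and flags any character on the blank-glyph list transcribed from comments 2 and 5 above (U+0620, U+065F, U+06EE, U+06EF, U+06FF, the named Tibetan-block code points and U+0FD9..U+0FFF). The function names `decode_label`, `find_blank_glyph_chars`, `is_suspicious` and `describe` are my own, and the list contains only what the page names; comment 6 says the actual patch blocklists a few more that are not given here. Run on the reporter's URL, it reports the fourth label as a run of U+0620; on a benign IDN such as münchen it reports nothing.

```python
"""Flag hostnames whose labels contain code points that some macOS fonts
render as a blank glyph (see Bugzilla 1393624 / CVE-2017-7825).

Added example; the code point list is transcribed from comments 2 and 5 of
the bug, not copied from Gecko's own blocklist (which has further entries).
"""
from collections import Counter

# Code points named on the page as having a blank glyph in Apple's
# STSong / Songti fonts (transcribed from comments 2 and 5).
BLANK_GLYPH_CODEPOINTS = frozenset(
    [0x0620,                          # comment 2 (the character reported)
     0x065F,                          # comment 5
     0x06EE, 0x06EF, 0x06FF,          # extended Arabic-script, comment 2
     0x0F6D, 0x0F6E, 0x0F6F, 0x0F70,  # Tibetan block, comment 2
     0x0F98, 0x0FBD, 0x0FCD]
    + list(range(0x0FD9, 0x0FFF + 1))  # 0FD9..0FFF, comment 2
)


def decode_label(label):
    """Decode one hostname label: a Punycode (xn--) label becomes Unicode so
    the check sees the real characters; any other label is returned as-is."""
    if label[:4].lower() != "xn--":
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except (ValueError, OverflowError):
        # Malformed Punycode (bad digits, non-ASCII, out-of-range code
        # point): keep the raw label; it cannot match the list anyway.
        return label


def find_blank_glyph_chars(host):
    """Return [(label_index, offset, codepoint), ...] for every character of
    the decoded hostname that is on the blank-glyph list."""
    hits = []
    for i, label in enumerate(host.rstrip(".").split(".")):
        for j, ch in enumerate(decode_label(label)):
            if ord(ch) in BLANK_GLYPH_CODEPOINTS:
                hits.append((i, j, ord(ch)))
    return hits


def is_suspicious(host):
    """True if any label of the hostname contains a blank-glyph code point."""
    return bool(find_blank_glyph_chars(host))


def describe(host):
    """One-line summary per hostname, suitable for a log line or lint message."""
    hits = find_blank_glyph_chars(host)
    if not hits:
        return "%s: no blank-glyph code points" % host
    per_label = {}
    for i, _, cp in hits:
        per_label.setdefault(i, Counter())[cp] += 1
    parts = []
    for i, counts in sorted(per_label.items()):
        runs = ", ".join("U+%04X x%d" % (cp, n) for cp, n in sorted(counts.items()))
        parts.append("label %d: %s" % (i, runs))
    return "%s: %s" % (host, "; ".join(parts))


if __name__ == "__main__":
    # The host from the bug report, a benign IDN (constructed) and plain ASCII.
    for h in ["important-domain.google.com.xn--fgbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bntk.pl",
              "xn--mnchen-3ya.de",
              "example.com"]:
        print(describe(h))
```

The check is deliberately applied to the decoded form of each label: a Punycode label looks harmless in its ASCII form, and only after decoding does the run of U+0620 that renders as blank space become visible.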
Comment 6 • 7 years ago (Assignee)
This adds all the characters mentioned above (plus a few more I found when trawling through the Songti fonts) to our blacklist.
Attachment #8903080 - Flags: review?(jmuizelaar)
Comment 7 • 7 years ago (Reporter)
I think this is Medium severity based on bug 1390980.
Updated • 7 years ago
Attachment #8903080 - Flags: review?(jmuizelaar) → review+
Updated • 7 years ago (Assignee)
Comment 8 • 7 years ago (Assignee)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57
Comment 10 • 7 years ago
I assume we'll want to backport this to Beta/ESR52 as well.
Assignee: nobody → jfkthame
status-firefox55:
--- → wontfix
status-firefox56:
--- → affected
status-firefox-esr52:
--- → affected
Flags: needinfo?(jfkthame)
Comment 11 • 7 years ago (Assignee)
Comment on attachment 8903080 [details] [diff] [review]
Blacklist more invalid characters found in Apple's fonts
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Not really a Gecko bug, this is a workaround for a buggy Apple font with spurious blank characters that might be used to obscure a spoofed URL.
User impact if declined:
Potential for URL spoofing due to invalid characters in a Chinese font on macOS
Fix Landed on Version: 57
Risk to taking this patch (and alternatives if risky): minimal
String or UUID changes made by this patch: none
Flags: needinfo?(jfkthame)
Attachment #8903080 - Flags: approval-mozilla-esr52?
Attachment #8903080 - Flags: approval-mozilla-beta?
Comment 12 • 7 years ago
Comment on attachment 8903080 [details] [diff] [review]
Blacklist more invalid characters found in Apple's fonts
Avoid potential for URL spoofing. Beta56+ & ESR52+.
Attachment #8903080 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Attachment #8903080 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 13 • 7 years ago
uplift
Comment 14 • 7 years ago
Note this bug (and the similar Tibetan ones) also affects Safari, as one would expect since this is a Mac font bug.
Comment 15 • 7 years ago
We're going to pay a reduced bounty for this one because we've paid before, but we can't afford to be Apple's Bug Bounty program so this will have to be the last one for these bugs that 1) are due to bad Apple fonts, and 2) also affect Safari.
Flags: sec-bounty? → sec-bounty+
Comment 16 • 7 years ago (Reporter)
See also https://bugs.chromium.org/p/chromium/issues/detail?id=725660, reported to Chromium.
Updated • 7 years ago
Group: firefox-core-security → core-security-release
Updated • 7 years ago
Whiteboard: [adv-main56+][adv-esr52.4+]
Updated • 7 years ago
Flags: qe-verify-
Whiteboard: [adv-main56+][adv-esr52.4+] → [adv-main56+][adv-esr52.4+][post-critsmash-triage]
Updated • 7 years ago
Alias: CVE-2017-7825
Updated • 7 years ago
Group: core-security-release
Updated • 6 months ago
Keywords: reporter-external