Closed Bug 1423275 (CVE-2018-5110) Opened 2 years ago Closed 2 years ago

Switching mouse cursor from none to image hides the cursor globally on OSX

Categories

(Core :: Widget: Cocoa, defect, P1)

58 Branch
x86
macOS
defect

Tracking


VERIFIED FIXED
mozilla59
Tracking Status
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- verified
firefox59 --- verified

People

(Reporter: blodbath, Assigned: spohl)

Details

(Keywords: csectype-spoof, sec-moderate, testcase, Whiteboard: [adv-main58+])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce:

There is a jsFiddle here: https://jsfiddle.net/vb1ojdaL/

Summarizing here: on OSX El Capitan using Firefox 58 (and Developer Edition), when you have an element with `cursor: none` set and you toggle it (via JS) back to an image-based cursor (base64 encoded), and there is another fallback cursor available, the mouse cursor will become entirely invisible across all tabs/areas of Firefox until you mouse over certain system areas (not sure exactly which cause it to reset).

I have tested with a GIF and a PNG that both appear to function correctly in Chrome and on Firefox in Windows, and both are broken on OSX.

Here is the rule I initially discovered this bug with: 

cursor:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgBAMAAACBVGfHAAAAKlBMVEUAAAAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMjZDADAAAADXRSTlMAYJ/vML9AEN/PUCBwo5BZ4wAAAGZJREFUKM9jQAFL1VH5jFctC1AEZBWcp6MouMTAYoQssAXIC0VWcNFZgekWsgm9Ika6AsgmMF10vohiBYOuCIoCBgaO26gKGHTRFDBdHFXAgK6A4RpUAUIATQHDnTRUBQx376IqAAB3TCfI3I+0DAAAAABJRU5ErkJggg==) 0 31,crosshair;


Actual results:

The mouse cursor becomes invisible across the entire page (and all tabs of Firefox).


Expected results:

I would have expected the cursor to be visible as it is on other browsers/operating systems.
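The reporter's trigger, written out as a stand-alone testcase. This is an added example constructed from the description above, not the jsFiddle or the attached testcase; it assumes a single blue box whose click toggles between `cursor: none` and the base64 PNG cursor (hotspot `0 31`, `crosshair` fallback) quoted in the report. The toggle logic is kept in pure functions so the sequence of cursor values can be checked without a browser; the DOM wiring only runs where `document` exists.

```javascript
// Constructed testcase for the cursor: none -> image cursor switch.
// Not the original jsFiddle; the box layout and click handling are assumptions.

// Base64 PNG from the reporter's rule, with the same hotspot and fallback.
const PNG_DATA =
  "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgBAMAAACBVGfHAAAAKlBMVEUAAAAzMzMzMzMzMzMz" +
  "MzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMjZDADAAAADXRSTlMAYJ/vML9AEN/PUCBw" +
  "o5BZ4wAAAGZJREFUKM9jQAFL1VH5jFctC1AEZBWcp6MouMTAYoQssAXIC0VWcNFZgekWsgm9" +
  "Ika6AsgmMF10vohiBYOuCIoCBgaO26gKGHTRFDBdHFXAgK6A4RpUAUIATQHDnTRUBQx376Iq" +
  "AAB3TCfI3I+0DAAAAABJRU5ErkJggg==";
const IMAGE_CURSOR = "url(data:image/png;base64," + PNG_DATA + ") 0 31, crosshair";
const NONE_CURSOR = "none";

// Pure state transition: the value to apply on the next click.
// Compare against "none" only, because browsers re-serialize the url() form.
function toggleCursor(current) {
  return current === NONE_CURSOR ? IMAGE_CURSOR : NONE_CURSOR;
}

// Simulate `clicks` clicks starting from the image cursor and return the
// sequence of cursor values the box goes through.
function clickSequence(clicks) {
  const seq = [];
  let cur = IMAGE_CURSOR;
  for (let i = 0; i < clicks; i++) {
    cur = toggleCursor(cur);
    seq.push(cur);
  }
  return seq;
}

// Count the transitions from "none" back to the image cursor. Each of these is
// the switch that, on the affected macOS builds, left the pointer hidden across
// all of Firefox instead of showing the custom cursor.
function transitionsFromNone(seq) {
  let n = 0;
  for (let i = 1; i < seq.length; i++) {
    if (seq[i - 1] === NONE_CURSOR && seq[i] !== NONE_CURSOR) n++;
  }
  return n;
}

// Browser wiring: builds the blue box and attaches the toggle. Skipped under Node.
function installTestcase(doc) {
  const box = doc.createElement("div");
  box.id = "box";
  box.textContent = "Click here repeatedly, then move the pointer outside the box";
  Object.assign(box.style, {
    width: "300px", height: "150px", background: "#3366ff",
    color: "#fff", padding: "1em", cursor: IMAGE_CURSOR,
  });
  box.addEventListener("click", () => {
    box.style.cursor = toggleCursor(box.style.cursor);
  });
  doc.body.appendChild(box);
  return box;
}

if (typeof document !== "undefined") installTestcase(document);
```

To verify a fixed build, follow the QE steps given later in this bug: click the box any number of times and confirm the pointer is visible whenever it is outside the box. On an affected build, after the second click (the first "none" to image transition) the pointer stays invisible everywhere in Firefox.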
Component: Untriaged → Widget: Cocoa
Keywords: testcase
OS: Unspecified → Mac OS X
Product: Firefox → Core
Hardware: Unspecified → x86
Setting to P2, this looks pretty bad. Confirmed on OSX by Tracy. Stephen, we should get this prioritized.
Flags: needinfo?(spohl.mozilla.bugs)
Priority: -- → P2
Marking as security sensitive due to the possibility of cursor hijacking.
Group: core-security
Flags: needinfo?(spohl.mozilla.bugs)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: core-security → layout-core-security
Keywords: sec-low → sec-moderate
Priority: P2 → P1
Assignee: nobody → spohl.mozilla.bugs
Status: NEW → ASSIGNED
Attachment #8937066 - Attachment description: testcase from jsfiddle → testcase from jsfiddle (click in blue box)
Attached patch: Patch
setMacCursor: is called from both setCursor: and setCursorWithImage:, but only setCursor: hides/unhides the mouse cursor. Moving the hiding/unhiding to setMacCursor: fixes the bug.

I've kept the commit message intentionally vague.
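A model of the defect and the fix described in the comment above. This is an added example, not Mozilla's Cocoa widget code: the method names mirror the comment (`setCursor:`, `setCursorWithImage:`, `setMacCursor:`) only to show the pattern, the cursor values are plain strings and objects, and NSCursor's balanced hide/unhide is assumed to behave like a counter. The `fixed` flag selects whether the hide/unhide bookkeeping lives in `setCursor` only (the bug) or in the shared `setMacCursor` path (the fix).

```javascript
// Constructed model of the widget-side state mismatch; not the project's code.

class MacCursorWidget {
  constructor(fixed) {
    this.fixed = fixed;          // false: bug layout, true: fix layout
    this.hideDepth = 0;          // models NSCursor's balanced hide/unhide count
    this.cursorHidden = false;   // the widget's own record that it hid the cursor
    this.current = "arrow";
  }

  // Models [NSCursor hide] / [NSCursor unhide]; >0 means the pointer is hidden
  // for the whole application, not just this widget (assumption of the model).
  nsHide() { this.hideDepth++; }
  nsUnhide() { if (this.hideDepth > 0) this.hideDepth--; }

  // Entry point for default system cursors (arrow, crosshair, none, ...).
  // In the bug layout this is the only place that hides/unhides.
  setCursor(type) {
    if (!this.fixed) this.applyHiding(type === "none");
    this.setMacCursor(type);
  }

  // Entry point for custom image cursors. A custom image is never "none",
  // so the pointer must be visible after this call.
  setCursorWithImage(image) {
    this.setMacCursor(image ? { image } : "arrow");
  }

  // Common path for both entry points. The fix moves the bookkeeping here so
  // every cursor change, system or custom, balances the earlier hide.
  setMacCursor(cursor) {
    if (this.fixed) this.applyHiding(cursor === "none");
    this.current = cursor;
  }

  // Hide exactly once when entering "none", unhide exactly once when leaving it.
  applyHiding(wantHidden) {
    if (wantHidden && !this.cursorHidden) {
      this.nsHide();
      this.cursorHidden = true;
    } else if (!wantHidden && this.cursorHidden) {
      this.nsUnhide();
      this.cursorHidden = false;
    }
  }

  pointerVisible() { return this.hideDepth === 0; }
}

// The reporter's scenario: element with cursor: none, then JS switches it to a
// base64 image cursor. Returns whether the pointer is visible afterwards.
function pointerVisibleAfterSwitch(fixed) {
  const w = new MacCursorWidget(fixed);
  w.setCursor("none");                       // cursor: none applied
  w.setCursorWithImage({ png: "constructed" }); // toggled back to the image cursor
  return w.pointerVisible();
}

// A system cursor round trip was already balanced in both layouts.
function pointerVisibleAfterSystemRoundTrip(fixed) {
  const w = new MacCursorWidget(fixed);
  w.setCursor("none");
  w.setCursor("crosshair");
  return w.pointerVisible();
}
```

The point of the model is that the hidden state is a process-wide side effect, so any entry point that can change the cursor has to be able to reverse it; keeping the bookkeeping in only one of two callers of the shared path leaves the other caller unable to restore visibility.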
Attachment #8937113 - Flags: review?(mstange)
Attachment #8937113 - Flags: review?(mstange) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e15eeb9bbf33b6f73c2a41540931354f4b4ae7df
Bug 1423275: Ensure that the proper mouse cursor is shown on macOS when switching between custom and default system cursors. r=mstange
https://hg.mozilla.org/mozilla-central/rev/e15eeb9bbf33
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment on attachment 8937113 (Patch)

Beta Approval Request Comment
[Feature/Bug causing the regression]: Bug 286304
[User impact if declined]: Cursor hijacking security bug.
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: yes, run the test case and verify that the cursor appears every time that the mouse is outside the blue box regardless of how many times the blue box is clicked.
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: This moves some existing mouse hiding/unhiding code to a more global place to cover both default system cursors and custom cursors.
[String changes made/needed]: none


ESR52 Approval Request Comment
If this is not a sec:{high,crit} bug, please state case for ESR consideration: This issue could be used for cursor hijacking. Nominating in case we want to take this in ESR52.
User impact if declined: Cursor hijacking security bug.
Fix Landed on Version: 59
Risk to taking this patch (and alternatives if risky): This moves some existing mouse hiding/unhiding code to a more global place to cover both default system cursors and custom cursors.
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8937113 - Flags: approval-mozilla-esr52?
Attachment #8937113 - Flags: approval-mozilla-beta?
Comment on attachment 8937113 (Patch)

cursor hijacking issue on mac, beta58+
Attachment #8937113 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: layout-core-security → core-security-release
I managed to reproduce the initial issue on 57.0.2 (20171206182557). I can confirm that 59.0a1 (2017-12-28) and 58.0b13 build1 (20171226085105) are verified fixed using Mac OS X 10.11.6 and macOS 10.13.2.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Comment on attachment 8937113 (Patch)

Al set esr52 to wontfix, updating patch flag to reflect that.
Attachment #8937113 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52-
Alias: CVE-2018-5110
Group: core-security-release