Testcase for bug 1423159 fails in different place on esr52

RESOLVED FIXED in Firefox -esr52

Status


defect
RESOLVED FIXED
a year ago
8 months ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

({csectype-uaf, sec-high})

unspecified
mozilla60
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr52 59+ fixed, firefox58 wontfix, firefox59+ fixed, firefox60+ fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main59+][adv-esr52.7+])

Attachments

(1 attachment)

(Assignee)

Description

a year ago
nsCOMPtr<nsIContent> is enough to fix the issue, but ESM should be kept alive too.

The patch seems to apply to trunk and esr52
(Assignee)

Updated

a year ago
Assignee: nobody → bugs
(Assignee)

Comment 1

a year ago
Comment on attachment 8947067 [details] [diff] [review]
esm_crash.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Crash isn't too hard, I guess

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
commit message could be
-m "Bug 1434580, ensure proper mouseover handling, r=masayuki"

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
the patch is actually written for esr52, but applies to trunk too

How likely is this patch to cause regressions; how much testing does it need?
Should be very safe. Just keeping objects alive a bit longer.
Attachment #8947067 - Flags: sec-approval?
Attachment #8947067 - Flags: review?(masayuki)
Attachment #8947067 - Flags: approval-mozilla-esr52?
Attachment #8947067 - Flags: approval-mozilla-beta?
Comment on attachment 8947067 [details] [diff] [review]
esm_crash.diff

sec-approval+ and beta+.
Attachment #8947067 - Flags: sec-approval?
Attachment #8947067 - Flags: sec-approval+
Attachment #8947067 - Flags: approval-mozilla-beta?
Attachment #8947067 - Flags: approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/bfd4bdfd40b4
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment on attachment 8947067 [details] [diff] [review]
esm_crash.diff

sec-high fix being shipped in 59, ESR 52.7 needs it too
Attachment #8947067 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Ryan, given smaug's vacation this week, is it easy for you to try landing this on esr52? Previous comments seem to indicate it should apply cleanly.
Flags: needinfo?(ryanvm)
Yeah, I'll take care of landing it. ESR52's a bit busted at the moment, but it's on the radar :)
Flags: needinfo?(ryanvm)
Group: dom-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+][adv-esr52.7+]
Group: core-security-release