nsCOMPtr<nsIContent> is enough to fix the issue, but ESM should be kept alive too. The patch seems to apply to trunk and esr52
Comment on attachment 8947067 esm_crash.diff

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
Crash isn't too hard, I guess

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
commit message could be -m "Bug 1434580, ensure proper mouseover handling, r=masayuki"

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
the patch is actually written for esr52, but applies to trunk too

How likely is this patch to cause regressions; how much testing does it need?
Should be very safe. Just keeping objects alive a bit longer.
Attachment #8947067 - Flags: review?(masayuki) → review+
Comment on attachment 8947067 esm_crash.diff

sec-approval+ and beta+.

Comment on attachment 8947067 esm_crash.diff

sec-high fix being shipped in 59, ESR 52.7 needs it too
Attachment #8947067 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Ryan, given smaug's vacation this week, is it easy for you to try landing this on esr52? Previous comments seem to indicate it should apply cleanly.
Yeah, I'll take care of landing it. ESR52's a bit busted at the moment, but it's on the radar :)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+][adv-esr52.7+]