Bug 1513201 (Closed)
Opened 5 years ago, closed 5 years ago
AddressSanitizer: heap-buffer-overflow [@ NS_strlen] with READ of size 2

Categories: Core :: Widget: Win32, defect
Tracking: RESOLVED FIXED, mozilla66
People: Reporter: decoder, Assigned: Alex_Gaynor
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [post-critsmash-triage][adv-main65+][adv-esr60.5+]
Attachments (2 files):
- 9.09 KB, text/plain
- 47 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr60+)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 65.0a1-20181210095504-https://hg.mozilla.org/mozilla-central/rev/3386ff76878d83496bb822d09115c77472808b53. For detailed crash information, see attachment.

Comment 1 • 5 years ago (Reporter)

Updated • 5 years ago (Reporter)
Flags: sec-bounty?

Comment 3 • 5 years ago (Reporter)
From the stack it looks like this is reachable via IPC and might be s-s in a sandboxing context.

Comment 4 • 5 years ago (Assignee)
This looks similar to bug 1451308. :mats, it looks like you were the last person to look at that one, do you agree?
Flags: needinfo?(mats)

Comment 5 • 5 years ago
Yeah, this looks like it's the same issue.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mats)
Resolution: --- → DUPLICATE

Comment 6 • 5 years ago (Reporter)
Reopening, see comment in other bug.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 8 • 5 years ago (Assignee)

Comment 9 • 5 years ago (Assignee)
Carrying over the security triage from the original bug.
Keywords: csectype-bounds, sec-moderate

Updated • 5 years ago (Assignee)
Keywords: checkin-needed

Comment 10 • 5 years ago
https://hg.mozilla.org/integration/autoland/rev/47aeeaf1c35b
Assignee: nobody → agaynor
Group: core-security → layout-core-security
status-firefox64: --- → wontfix
status-firefox66: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox65: --- → +
tracking-firefox66: --- → +
tracking-firefox-esr60: --- → 65+
Keywords: checkin-needed

Comment 11 • 5 years ago
This was backed out for Windows MinGW build bustage. https://hg.mozilla.org/integration/autoland/rev/63525718264d https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=216459339&repo=autoland
Flags: needinfo?(agaynor)

Updated • 5 years ago
Attachment #9030519 - Attachment description: Bug 1513201 - handle pasted data of certain types with an odd length; r?mats → Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

Updated • 5 years ago (Assignee)
Flags: needinfo?(agaynor)
Keywords: checkin-needed

Comment 12 • 5 years ago
https://hg.mozilla.org/integration/autoland/rev/540d3ce3b9e4c307dd85d46b0130a0ee6ea83cc3
Keywords: checkin-needed

Comment 13 • 5 years ago
https://hg.mozilla.org/mozilla-central/rev/540d3ce3b9e4
Group: layout-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 5 years ago → 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

Comment 14 • 5 years ago
Please nominate this for Beta/ESR60 approval when you get a chance.
Flags: needinfo?(agaynor)

Comment 15 • 5 years ago (Assignee)
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: None
User impact if declined: Potential IPC security issue and/or full browser crash when you're pasting certain types of content (it seems particularly Chinese content).
Is this code covered by automated tests?: Unknown
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Code change is exceptionally straightforward.
String changes made/needed:

[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate, full browser crash
User impact if declined: Same as beta
Fix Landed on Version:
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Code change is exceptionally straightforward.
String or UUID changes made by this patch:
Flags: needinfo?(agaynor)
Attachment #9030519 - Flags: approval-mozilla-esr60?
Attachment #9030519 - Flags: approval-mozilla-beta?

Comment 16 • 5 years ago
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

[Triage Comment]
Fixes a security-sensitive crash, approved for 65.0b5. We'll revisit the ESR request later in the cycle.
Attachment #9030519 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 17 • 5 years ago (uplift)
https://hg.mozilla.org/releases/mozilla-beta/rev/3ebfb70bbd0b

Updated • 5 years ago
Flags: sec-bounty? → sec-bounty+

Updated • 5 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Comment 18 • 5 years ago
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats

Approved for 60.5.0esr also.
Attachment #9030519 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+

Comment 19 • 5 years ago (uplift)
https://hg.mozilla.org/releases/mozilla-esr60/rev/755a27adc485

Updated • 5 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65+][adv-esr60.5+]

Updated • 5 years ago
Group: core-security-release

Updated • 4 years ago
Blocks: asan-maintenance