Bug 1513201 (Closed)
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: heap-buffer-overflow [@ NS_strlen] with READ of size 2
Categories: Core :: Widget: Win32, defect
Tracking: RESOLVED FIXED, mozilla66
People: Reporter: decoder, Assigned: Alex_Gaynor
References: Blocks 1 open bug
Details: 5 keywords, Whiteboard: [post-critsmash-triage][adv-main65+][adv-esr60.5+]
Attachments (2 files):
9.09 KB, text/plain
47 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr60+)
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 65.0a1-20181210095504-https://hg.mozilla.org/mozilla-central/rev/3386ff76878d83496bb822d09115c77472808b53.
For detailed crash information, see attachment.
Comment 1 • 6 years ago (Reporter)
Updated • 6 years ago (Reporter)
Flags: sec-bounty?
Comment 3 • 6 years ago (Reporter)
From the stack it looks like this is reachable via IPC and might be s-s in a sandboxing context.
Comment 4 • 6 years ago (Assignee)
This looks similar to bug 1451308. :mats, it looks like you were the last person to look at that one, do you agree?
Flags: needinfo?(mats)
Comment 5 • 6 years ago
Yeah, this looks like it's the same issue.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mats)
Resolution: --- → DUPLICATE
Comment 6 • 6 years ago (Reporter)
Reopening, see comment in other bug.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 8 • 6 years ago (Assignee)
Comment 9 • 6 years ago (Assignee)
Carrying over the security triage from the original bug.
Keywords: csectype-bounds, sec-moderate
Updated • 6 years ago (Assignee)
Keywords: checkin-needed
Comment 10 • 6 years ago
Assignee: nobody → agaynor
Group: core-security → layout-core-security
status-firefox64: --- → wontfix
status-firefox66: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox65: --- → +
tracking-firefox66: --- → +
tracking-firefox-esr60: --- → 65+
Keywords: checkin-needed
Comment 11 • 6 years ago
This was backed out for Windows MinGW build bustage.
https://hg.mozilla.org/integration/autoland/rev/63525718264d
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=216459339&repo=autoland
Flags: needinfo?(agaynor)
Updated • 6 years ago
Attachment #9030519 - Attachment description: Bug 1513201 - handle pasted data of certain types with an odd length; r?mats → Bug 1451308 - handle pasted data of certain types with an odd length; r?mats
Updated • 6 years ago (Assignee)
Flags: needinfo?(agaynor)
Keywords: checkin-needed
Comment 12 • 6 years ago
Keywords: checkin-needed
Comment 13 • 6 years ago
Group: layout-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Comment 14 • 6 years ago
Please nominate this for Beta/ESR60 approval when you get a chance.
Flags: needinfo?(agaynor)
Comment 15 • 6 years ago (Assignee)
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: None
User impact if declined: Potential IPC security issue and/or full browser crash when you're pasting certain types of content (it seems particularly Chinese content).
Is this code covered by automated tests?: Unknown
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Code change is exceptionally straightforward.
String changes made/needed:
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate, full browser crash
User impact if declined: Same as beta
Fix Landed on Version:
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Code change is exceptionally straightforward.
String or UUID changes made by this patch:
Flags: needinfo?(agaynor)
Attachment #9030519 - Flags: approval-mozilla-esr60?
Attachment #9030519 - Flags: approval-mozilla-beta?
Comment 16 • 6 years ago
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats
[Triage Comment]
Fixes a security-sensitive crash, approved for 65.0b5. We'll revisit the ESR request later in the cycle.
Attachment #9030519 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 17 • 6 years ago
uplift
Updated • 6 years ago
Flags: sec-bounty? → sec-bounty+
Updated • 6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Comment 18 • 6 years ago
Comment on attachment 9030519 [details]
Bug 1451308 - handle pasted data of certain types with an odd length; r?mats
Approved for 60.5.0esr also.
Attachment #9030519 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Comment 19 • 6 years ago
uplift
Updated • 6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65+][adv-esr60.5+]
Updated • 5 years ago
Group: core-security-release
Updated • 5 years ago
Blocks: asan-maintenance
Updated • 4 years ago
Updated • 6 months ago
Keywords: reporter-external