Closed Bug 1689395 Opened 4 years ago Closed 4 years ago

Cherry-pick OTS 'maxp' sanitization from upstream to ESR

Categories

(Core :: Graphics: Text, defect)

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr78 86+ fixed
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- unaffected
firefox87 --- unaffected

People

(Reporter: jfkthame, Assigned: RyanVM)

References

Details

(Keywords: sec-high, sec-vector, Whiteboard: [sec-survey][adv-esr78.8-])

Attachments

(1 file)

OTS commits b703837f4dda38239d and 1141c81c411b599e are not present in ESR78; to protect against a known (though not yet public, afaik) issue in DirectWrite, we should cherry-pick these and apply to the version of OTS in the ESR tree.

(On trunk we have a more recent OTS already that includes this fix.)

Assignee: nobody → ryanvm
Group: core-security
Depends on: 1685381
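As an added illustration of the kind of rejection described in the comment above (this is example code written for this page, not OTS's own maxp.cc and not the content of the two backported commits, whose exact checks the page does not spell out), here is a bounds-checked 'maxp' table sanitizer. The rules it enforces are assumptions taken from the OpenType specification for this example: the version must be 0.5 (0x00005000) or 1.0 (0x00010000); a 0.5 table, which the spec defines only for CFF-outline fonts, is rejected when the font also carries a 'glyf' table; a 1.0 table must be at least 32 bytes; and maxZones must be 1 or 2. The sample tables are constructed inline and are not taken from any real font.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Subset of 'maxp' fields kept after a successful parse.
struct MaxpInfo {
  uint32_t version = 0;
  uint16_t num_glyphs = 0;
  uint16_t max_points = 0;
  uint16_t max_zones = 0;
  uint16_t max_component_depth = 0;
};

// Big-endian readers; every access is checked against 'len' before it happens.
static bool ReadU16(const uint8_t* p, size_t len, size_t off, uint16_t* v) {
  if (len < 2 || off > len - 2) return false;
  *v = static_cast<uint16_t>((p[off] << 8) | p[off + 1]);
  return true;
}
static bool ReadU32(const uint8_t* p, size_t len, size_t off, uint32_t* v) {
  if (len < 4 || off > len - 4) return false;
  *v = (static_cast<uint32_t>(p[off]) << 24) | (static_cast<uint32_t>(p[off + 1]) << 16) |
       (static_cast<uint32_t>(p[off + 2]) << 8) | p[off + 3];
  return true;
}

// Returns true if the table is acceptable. 'has_glyf' says whether the font has
// TrueType outlines. The checks are this example's assumptions, drawn from the
// OpenType spec (not a reproduction of OTS's rules):
//  - version must be 0.5 or 1.0;
//  - version 0.5 is defined only for CFF fonts, so 0.5 next to 'glyf' is rejected
//    (the TrueType limits a rasterizer relies on are absent);
//  - version 1.0 must be at least 32 bytes and maxZones must be 1 or 2.
bool SanitizeMaxp(const uint8_t* data, size_t len, bool has_glyf, MaxpInfo* out) {
  MaxpInfo info;
  if (!ReadU32(data, len, 0, &info.version)) return false;
  if (!ReadU16(data, len, 4, &info.num_glyphs)) return false;

  if (info.version == 0x00005000) {
    if (has_glyf) return false;
  } else if (info.version == 0x00010000) {
    if (len < 32) return false;
    if (!ReadU16(data, len, 6, &info.max_points)) return false;
    if (!ReadU16(data, len, 14, &info.max_zones)) return false;
    if (!ReadU16(data, len, 30, &info.max_component_depth)) return false;
    if (info.max_zones != 1 && info.max_zones != 2) return false;
  } else {
    return false;  // unknown version: refuse rather than guess the layout
  }
  if (out) *out = info;
  return true;
}

// Convenience wrapper: sanitize a table held in a vector.
bool Check(const std::vector<uint8_t>& t, bool has_glyf) {
  MaxpInfo unused;
  return SanitizeMaxp(t.data(), t.size(), has_glyf, &unused);
}

// Helpers to build constructed sample tables (not from any real font).
static void PutU16(std::vector<uint8_t>& v, uint16_t x) {
  v.push_back(static_cast<uint8_t>(x >> 8));
  v.push_back(static_cast<uint8_t>(x & 0xff));
}
static void PutU32(std::vector<uint8_t>& v, uint32_t x) {
  PutU16(v, static_cast<uint16_t>(x >> 16));
  PutU16(v, static_cast<uint16_t>(x & 0xffff));
}

// Version 0.5 table: version + numGlyphs, 6 bytes.
std::vector<uint8_t> MakeMaxpV05(uint16_t num_glyphs) {
  std::vector<uint8_t> t;
  PutU32(t, 0x00005000);
  PutU16(t, num_glyphs);
  return t;
}

// Version 1.0 table: 32 bytes, with plausible constructed limits.
std::vector<uint8_t> MakeMaxpV10(uint16_t num_glyphs, uint16_t max_zones) {
  std::vector<uint8_t> t;
  PutU32(t, 0x00010000);
  PutU16(t, num_glyphs);
  PutU16(t, 100);        // maxPoints
  PutU16(t, 10);         // maxContours
  PutU16(t, 200);        // maxCompositePoints
  PutU16(t, 20);         // maxCompositeContours
  PutU16(t, max_zones);  // maxZones
  PutU16(t, 0);          // maxTwilightPoints
  PutU16(t, 64);         // maxStorage
  PutU16(t, 32);         // maxFunctionDefs
  PutU16(t, 0);          // maxInstructionDefs
  PutU16(t, 256);        // maxStackElements
  PutU16(t, 512);        // maxSizeOfInstructions
  PutU16(t, 4);          // maxComponentElements
  PutU16(t, 1);          // maxComponentDepth
  return t;
}

int main() {
  std::vector<uint8_t> good = MakeMaxpV10(300, 2);
  std::vector<uint8_t> truncated(good.begin(), good.begin() + 20);
  std::printf("v1.0 complete, glyf present: %d\n", Check(good, true));
  std::printf("v1.0 truncated to 20 bytes:  %d\n", Check(truncated, true));
  std::printf("v0.5 with glyf present:      %d\n", Check(MakeMaxpV05(300), true));
  std::printf("v0.5 in a CFF font:          %d\n", Check(MakeMaxpV05(300), false));
  return 0;
}
```

A rejected table fails the whole font, which is the model the approval request below relies on: the sanitizer never hands a table it does not accept to the platform rasterizer, so a malformed 'maxp' never reaches DirectWrite in the first place.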

Comment on attachment 9199826 [details]
Bug 1689395 - Backport some upstream OTS commits. r=jfkthame

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Protects against a DirectWrite vulnerability reported to us by Google
  • User impact if declined: Users on unpatched Windows versions will be potentially vulnerable
  • Fix Landed on Version: 86
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just rejects certain malformed fonts to avoid triggering the Windows bug. Fix is already in 86+ by way of the OTS library update in bug 1685381.
  • String or UUID changes made by this patch: N/A
Attachment #9199826 - Flags: approval-mozilla-esr78?

cc'ing Dominik at Google, who was involved in fixing this upstream and notifying us about it (thanks!).

Comment on attachment 9199826 [details]
Bug 1689395 - Backport some upstream OTS commits. r=jfkthame

Approved for 78.8esr.

Attachment #9199826 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release

Microsoft's disclosure of the relevant Windows issue: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24093.

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(ryanvm)
Whiteboard: [sec-survey]
Flags: needinfo?(ryanvm) → needinfo?(jfkthame)
Whiteboard: [sec-survey] → [sec-survey][adv-esr78.8+]

Actually, because this is not a vulnerability in Firefox, but rather a lack of a mitigation for an OS vuln, I don't think it needs an advisory.

Whiteboard: [sec-survey][adv-esr78.8+] → [sec-survey][adv-esr78.8-]

More details on the bug now unrestricted in the Project Zero bugtracker: https://bugs.chromium.org/p/project-zero/issues/detail?id=2123

Flags: needinfo?(jfkthame)
Group: core-security-release