Closed Bug 1695094 Opened 4 years ago Closed 4 years ago

Use-After-Free RCE in SMIL [EIP-2015-0042]

Categories: Core :: SVG, defect

Tracking: RESOLVED DUPLICATE of bug 1321066

People: Reporter: dveditz, Unassigned

Details: Keywords: sec-critical

Attachments (1 file): EIP-2015-0042.pdf

Exodus Intel is creating a new disclosure policy, and as part of that they've forwarded on information about an exploitable bug they had. Given the 2015 date on their identifier we may have fixed this already, but we should investigate nonetheless.

We're in the process of finalizing a new disclosure policy. The general gist of which is:

  1. Six months after publishing a vulnerability report to our customers, we'll contact the affected vendor.
  2. Six months after we've contacted the affected vendor, or whenever the vendor issues a patch prior to that moment, we reserve the right to publish the report on our blog.

We'll be happy to share our formal policy once it's fully codified. At the moment we're actively working through our catalog of past discoveries and disclosing them "as-is" to the affected vendors. By "as-is" we mean that we're not 100% sure the vulnerability hasn't been inadvertently patched and that we neither expect nor require a coordinated public disclosure.

Attached please find the following reports that affect Mozilla software:

EIP-2015-0042: Mozilla Firefox Use-After-Free RCE

Please confirm receipt of these details and thank you for your attention. We look forward to working together in the future.

Kind regards

Exodus Intelligence Staff

This looks like the 0-day exploit reported in bug 1321066 in late 2016. The reduced testcase in attachment 8815501 from that bug is nearly identical to the reduced PoC in the writeup here.

The exploitation write-up might be educational.

Yeah, I came to the same conclusion - was writing this comment & midair'ed you:

Looks very likely to be a duplicate of bug 1321066, "Reported Firefox SVG 0-day (Iterator invalidation in nsSMILTimeContainer::NotifyTimeChange())".

Section 2.2.2 of the attached report says "The vulnerability is located in the NotifyTimeChange() method of the nsSMILTimeContainer object", and describes what sounds like an iterator invalidation issue.

Bug 1321066 was fixed in Firefox 53, which is more recent than the versions listed in this Exodus report. (The chart of affected versions stops at version 47.)

See Also: → CVE-2016-9079

Thanks for confirming!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security
