Closed Bug 1792643 (CVE-2022-45420) Opened 2 years ago Closed 2 years ago

iframe contents can be arbitrarily drawn outside of iframe.

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Version:
Firefox 105
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
107 Branch
Tracking Flags:
Tracking Status
firefox-esr102 107+ verified
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 + verified
firefox108 --- verified

People

(Reporter: prada960808, Assigned: tnikkel)

References

(Regression)

Details

(Keywords: csectype-spoof, regression, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+][adv-esr102.5+])

Attachments

(5 files)

main.html
190 bytes, text/html
Details
iframe.html
409 bytes, text/html
Details
screenshot.png
7.12 KB, image/png
Details
Bug 1792643. Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r?mstange
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-esr102+
Details | Review
advisory.txt
277 bytes, text/plain
Details
Attached file main.html

Steps to reproduce:

  1. Download 'main.html' and 'iframe.html' in the same directory.
  2. open 'main.html' on Firefox 105.

Actual results:
The content in the iframe is arbitrarily drawn outside of the iframe.

Expected results:
The content in the iframe should not be drawn outside of the iframe.

Severity:
This is vulnerable because the iframe domain (i.e., attacker) can fully cover the page of the main frame (i.e., victim) with any images using CSS margin-left, margin-top, and background-image (or background).

Environment:
Version: Firefox 105.0b5
OS: ubuntu 20.04

How was this issue discovered?
I used my fuzzer to find this issue.

Flags: sec-bounty?
Attached file iframe.html
Attached image screenshot.png
OS: Unspecified → All
Hardware: Unspecified → Desktop
Version: unspecified → Firefox 105
Group: firefox-core-security → layout-core-security
Component: Security → CSS Parsing and Computation
Product: Firefox → Core
Component: CSS Parsing and Computation → Web Painting
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → CVE-2022-28286

Exactly like bug 1735265 except a frame other then the cell, between the
cell and the table frame is a stacking context.

Assignee: nobody → tnikkel
Status: NEW → ASSIGNED
Regressed by: 1409114

Set release status flags based on info from the regressing bug 1409114

status-firefox105: --- → affected
status-firefox106: --- → affected
status-firefox107: --- → affected
status-firefox-esr102: --- → affected
Keywords: regression

Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r=mstange
https://hg.mozilla.org/integration/autoland/rev/e9d6b6dc577aa1532c7a42b1a8e404db75457237
https://hg.mozilla.org/mozilla-central/rev/e9d6b6dc577a

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox107: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Group: layout-core-security → core-security-release

The patch landed in nightly and beta is affected.
:tnikkel, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox106 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(tnikkel)

I don't feel like we need to uplift this. If anyone thinks we do I can do it though.

status-firefox106: affectedwontfix
Flags: needinfo?(tnikkel)
tracking-firefox107: --- → +
tracking-firefox-esr102: --- → 107+
Flags: in-testsuite+
Flags: sec-bounty? → sec-bounty+

Please nominate this for ESR102 approval. It grafts cleanly.

Flags: needinfo?(tnikkel)

Comment on attachment 9296926 [details]
Bug 1792643. Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r?mstange

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-low, should be a pretty safe fix
  • User impact if declined: sec-low, attacker can draw outside of iframe contents
  • Fix Landed on Version: 107
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): pretty straight forward extension of a fix that's been on release for a while now with no regressions
Flags: needinfo?(tnikkel)
Attachment #9296926 - Flags: approval-mozilla-esr102?

Comment on attachment 9296926 [details]
Bug 1792643. Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r?mstange

Approved for 102.5esr.

Attachment #9296926 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
QA Whiteboard: [qa-triaged]

Verified as fixed on Windows 10 x64, macOS 11.6 and on Ubuntu 20.04 x64.

status-firefox107: fixedverified
status-firefox108: --- → verified

Verified as fixed on Firefox 102.5esr on Windows 10 x64, macOS 11.6 and on Ubuntu 20.04 x64.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
status-firefox-esr102: fixedverified
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+][adv-esr102.5+]
Alias: CVE-2022-45420
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: