Closed Bug 1792643 (CVE-2022-45420) Opened 2 years ago Closed 2 years ago

iframe contents can be arbitrarily drawn outside of iframe.

Categories

(Core :: Web Painting, defect)

Firefox 105
Desktop
All
defect

Tracking

VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr102 107+ verified
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 + verified
firefox108 --- verified

People

(Reporter: prada960808, Assigned: tnikkel)

References

(Regression)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+][adv-esr102.5+])

Attachments

(5 files)

Attached file main.html

Steps to reproduce:

  1. Download 'main.html' and 'iframe.html' in the same directory.
  2. Open 'main.html' on Firefox 105.

Actual results:
The content in the iframe is arbitrarily drawn outside of the iframe.

Expected results:
The content in the iframe should not be drawn outside of the iframe.

Severity:
This is vulnerable because the iframe domain (i.e., attacker) can fully cover the page of the main frame (i.e., victim) with any images using CSS margin-left, margin-top, and background-image (or background).

Environment:
Version: Firefox 105.0b5
OS: Ubuntu 20.04

How was this issue discovered?
I used my fuzzer to find this issue.

Flags: sec-bounty?
Attached file iframe.html
Attached image screenshot.png
OS: Unspecified → All
Hardware: Unspecified → Desktop
Version: unspecified → Firefox 105
Group: firefox-core-security → layout-core-security
Component: Security → CSS Parsing and Computation
Product: Firefox → Core
Component: CSS Parsing and Computation → Web Painting
Status: UNCONFIRMED → NEW
Ever confirmed: true
See Also: → CVE-2022-28286

Exactly like bug 1735265 except a frame other than the cell, between the cell and the table frame, is a stacking context.

Assignee: nobody → tnikkel
Status: NEW → ASSIGNED
Regressed by: 1409114

Set release status flags based on info from the regressing bug 1409114

Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r=mstange
https://hg.mozilla.org/integration/autoland/rev/e9d6b6dc577aa1532c7a42b1a8e404db75457237
https://hg.mozilla.org/mozilla-central/rev/e9d6b6dc577a

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Group: layout-core-security → core-security-release

The patch landed in nightly and beta is affected.
:tnikkel, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox106 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(tnikkel)

I don't feel like we need to uplift this. If anyone thinks we do I can do it though.

Flags: needinfo?(tnikkel)
Flags: in-testsuite+
Flags: sec-bounty? → sec-bounty+

Please nominate this for ESR102 approval. It grafts cleanly.

Flags: needinfo?(tnikkel)

Comment on attachment 9296926 [details]
Bug 1792643. Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r?mstange

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-low, should be a pretty safe fix
  • User impact if declined: sec-low, attacker can draw outside of iframe contents
  • Fix Landed on Version: 107
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): pretty straightforward extension of a fix that's been on release for a while now with no regressions
Flags: needinfo?(tnikkel)
Attachment #9296926 - Flags: approval-mozilla-esr102?

Comment on attachment 9296926 [details]
Bug 1792643. Set clip on background items for table cols and colgroups, when the table row, rowgroup or table has captured clip. r?mstange

Approved for 102.5esr.

Attachment #9296926 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
QA Whiteboard: [qa-triaged]

Verified as fixed on Windows 10 x64, macOS 11.6 and on Ubuntu 20.04 x64.

Verified as fixed on Firefox 102.5esr on Windows 10 x64, macOS 11.6 and on Ubuntu 20.04 x64.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+][adv-esr102.5+]
Alias: CVE-2022-45420
Group: core-security-release