more to do for bug #157644...

RESOLVED FIXED in mozilla1.7final

Status

RESOLVED FIXED
15 years ago
10 years ago

People

(Reporter: sspitzer, Assigned: Bienvenu)

Tracking

({fixed1.4.3, fixed1.7})

Version: Trunk
Target Milestone: mozilla1.7final
Platform: x86
OS: Windows 2000
Keywords: fixed1.4.3, fixed1.7
Bug Flags:
blocking1.7 +


Details

(Whiteboard: fixed-aviary1.0, [sg:fix])

Attachments

(1 attachment)

dan got email from zen-parse@gmx.net, pointing out that the fix for #157644
plugged one security hole, but not them all.

from the reporter:

the correct fix is to limit the number of messages to (MAXINT(sizeof(Pop3MsgInfo))

if an evil server sends a larger number of messages, we'll only allocate space
for 50k.  but if, part way through the list, the server introduces a message
that is < the max but > 50k, we'll allocate more space.

SendUidl() doesn't bounds check on the 50k message limit.

the patch in bug #157644 assumes that message numbers are sequential.

I've got the complete email from zen-parse.
giving zen-parse (neuro@es.co.nz) access to this new bug.
As far as I can tell, this is our only open bug which would allow a remote
server to take control of a Mozilla session. 'twould be nice if we could fix it :-)
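
The description above and the later remark that the earlier patch assumed sequential message numbers describe the same bounds-check problem. As an added example (not Mozilla's mailnews code; MAX_MESSAGES, the Pop3MsgInfo layout and the function names are assumptions), here is how a POP3 LIST response can be consumed so that a message number sent by the server can never index past the buffer allocated from the capped count, while still tolerating gaps left by deleted messages:

```c
/* Bounds-checked handling of a POP3 LIST response. Added example, not
 * Mozilla's mailnews code; MAX_MESSAGES and the Pop3MsgInfo layout are
 * assumptions chosen for illustration. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGES 50000UL           /* hard cap on entries we allocate */

typedef struct { unsigned long num; unsigned long size; } Pop3MsgInfo;

/* Number of Pop3MsgInfo slots to allocate for a server-claimed count. */
unsigned long capped_count(unsigned long claimed) {
    return claimed > MAX_MESSAGES ? MAX_MESSAGES : claimed;
}

/* Parse "<num> <octets>" into num/size. Returns 0 on success, -1 if malformed. */
static int parse_list_line(const char *line, unsigned long *num, unsigned long *size) {
    char *end;
    if (line[0] < '0' || line[0] > '9') return -1;   /* strtoul would accept "-1" */
    errno = 0;
    *num = strtoul(line, &end, 10);
    if (errno || *end != ' ' || end[1] < '0' || end[1] > '9') return -1;
    const char *p = end + 1;
    *size = strtoul(p, &end, 10);
    if (errno || (*end != '\0' && *end != '\r')) return -1;
    return 0;
}

/* Fill `info` (at least capped_count(claimed) slots) from LIST lines ending
 * with ".".  Every message number must be strictly increasing and within
 * 1..capped_count(claimed), so the index never runs past the allocation
 * even when the server lies about its count or numbers messages sparsely.
 * Returns the number of entries stored, or -1 on a protocol violation. */
long fill_msg_info(const char *const *lines, size_t nlines,
                   unsigned long claimed, Pop3MsgInfo *info) {
    unsigned long limit = capped_count(claimed), last = 0;
    long stored = 0;
    for (size_t i = 0; i < nlines; i++) {
        unsigned long num, size;
        if (strcmp(lines[i], ".") == 0) return stored;
        if (parse_list_line(lines[i], &num, &size) != 0) return -1;
        if (num <= last || num > limit) return -1;    /* out of range or not ascending */
        info[num - 1].num = num;
        info[num - 1].size = size;
        last = num;
        stored++;
    }
    return -1;                                        /* no terminating "." */
}
```

Rejecting the whole response on an out-of-range number is the simplest safe choice; a client that prefers to keep going would instead skip such entries, but must never grow or re-index the buffer on the server's say-so.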

Comment 3

15 years ago
putting on the 1.7 radar to see if we can get a patch.
Flags: blocking1.7+
(Assignee)

Comment 4

15 years ago
Created attachment 148899 [details] [diff] [review]
proposed fix
(Assignee)

Comment 5

15 years ago
Comment on attachment 148899 [details] [diff] [review]
proposed fix

this was the fix I proposed all along...
Attachment #148899 - Flags: superreview?(mscott)
Attachment #148899 - Flags: review?(sspitzer)

Updated

15 years ago
Attachment #148899 - Flags: superreview?(mscott) → superreview+
Comment on attachment 148899 [details] [diff] [review]
proposed fix

r/a=sspitzer

I'm not sure why we just didn't do what david suggested.

david, should we back out http://bugzilla.mozilla.org/show_bug.cgi?id=157644
Attachment #148899 - Flags: review?(sspitzer)
Attachment #148899 - Flags: review+
Attachment #148899 - Flags: approval1.7+
(Assignee)

Comment 7

15 years ago
yes, we should back it out, just to remove the unneeded code and simplify it.
Fix got approvals on 5/19, is it checked in?
Whiteboard: [sg:fix]

Comment 9

15 years ago
I think your patch is short a parenthesis :)

Updated

15 years ago
Whiteboard: [sg:fix] → fixed-aviary1.0, [sg:fix]
(Assignee)

Comment 10

15 years ago
fixed on branch, with added parenthesis
Keywords: fixed1.7
(Assignee)

Comment 11

15 years ago
or not - new cvs isn't working for this tree...
Keywords: fixed1.7

Comment 12

15 years ago
cleaning up 1.7 bug lists -- is this bug ready to be marked fixed?
(Assignee)

Updated

15 years ago
Keywords: fixed1.7
over to david who has the fix and is going to land on trunk (he already landed
on the branch).

I'll log a bug about backing out bug #157644.

note, if we need to test this we can use servterm
http://www.snapfiles.com/get/servterm.html to emulate an evil pop server.
Assignee: sspitzer → bienvenu
(Assignee)

Comment 14

15 years ago
fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
backing out the fix for bug #157644 is covered by bug #245066
Target Milestone: --- → mozilla1.7final
Adding Jon Granrose to CC list to help round up QA resources for verification

Comment 17

15 years ago
adding karen to verify on the 1.7 branch
Comment on attachment 148899 [details] [diff] [review]
proposed fix

a=blizzard for 1.4.3
Attachment #148899 - Flags: approval1.4.3+
And checked in.
Keywords: fixed1.4.3
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security

Comment 21

15 years ago
Since David mentioned that this bug needs to be verified in the debugger, by
tweaking some values at runtime...
I had asked Seth to help verify this bug for 1.7....

Comment 22

15 years ago
Note: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0757 to this issue.
Product: MailNews → Core
Product: Core → MailNews Core