Bug 328616
Opened 19 years ago
Updated 2 years ago
Input validation missing from mar_read.c
Categories
(Toolkit :: Application Update, defect, P3)
Toolkit
Application Update
Tracking
NEW
People
(Reporter: taralx, Unassigned)
Details
(Keywords: sec-other, Whiteboard: [sg:nse])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060223 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060223 Firefox/1.5.0.1
http://lxr.mozilla.org/seamonkey/source/modules/libmar/src/mar_read.c#166
This takes a 4-byte value from a MAR file and passes it unchecked to malloc(). This is difficult to exploit, but since MARs are not signed or verified any other way, some input paranoia is appropriate.
Reproducible: Always
Steps to Reproduce:
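As an added illustration of the pattern the report describes (this is example code, not the contents of mar_read.c or anything from the Mozilla tree): a 4-byte length read from untrusted file bytes and handed straight to malloc(), beside a reader that bounds that length by the bytes actually present and by a sane cap before allocating or copying. The record layout, the samples and MAX_FIELD_LEN are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest single field we are willing to honour. Constructed for this
   example; a real reader picks a limit matching the format's legitimate
   maximum rather than trusting whatever the file says. */
#define MAX_FIELD_LEN (16u * 1024u * 1024u)

/* Read a 4-byte big-endian length at buf[pos]; returns 0 if the four
   bytes are not all present in the buffer. */
static int read_u32_be(const uint8_t *buf, size_t buflen, size_t pos, uint32_t *out) {
    if (pos > buflen || buflen - pos < 4) return 0;
    *out = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
           ((uint32_t)buf[pos + 2] << 8) | (uint32_t)buf[pos + 3];
    return 1;
}

/* The shape of the bug: the file-supplied length drives malloc and the copy
   with no check against the buffer. Only ever call this on well-formed data. */
static uint8_t *read_field_unchecked(const uint8_t *buf, size_t buflen, size_t pos, uint32_t *len) {
    if (!read_u32_be(buf, buflen, pos, len)) return NULL;
    uint8_t *p = malloc(*len);           /* 0xFFFFFFFF in the file becomes a 4 GiB request */
    if (!p) return NULL;
    memcpy(p, buf + pos + 4, *len);      /* and a read far past the end of buf */
    return p;
}

typedef enum { FIELD_OK, FIELD_TRUNCATED, FIELD_TOO_LARGE, FIELD_NOMEM } field_status;

/* Hardened reader: reject lengths above the cap or beyond the remaining
   bytes before anything is allocated or copied. */
static field_status read_field_checked(const uint8_t *buf, size_t buflen, size_t pos,
                                       uint8_t **out, uint32_t *len) {
    *out = NULL;
    if (!read_u32_be(buf, buflen, pos, len)) return FIELD_TRUNCATED;
    size_t remaining = buflen - pos - 4;   /* safe: read_u32_be verified pos + 4 <= buflen */
    if (*len > MAX_FIELD_LEN) return FIELD_TOO_LARGE;
    if (*len > remaining) return FIELD_TRUNCATED;
    *out = malloc(*len ? *len : 1);
    if (!*out) return FIELD_NOMEM;
    memcpy(*out, buf + pos + 4, *len);
    return FIELD_OK;
}

/* Constructed samples: a well-formed record, one whose length exceeds the
   cap, and one whose length is modest but larger than the bytes that follow. */
static const uint8_t GOOD[]  = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t HUGE[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'h', 'i' };
static const uint8_t SHORT[] = { 0, 0, 0, 9, 'a', 'b' };
```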
Comment 1•19 years ago
> since MARs are not signed or verified ... some input paranoia is appropriate.
Since MARs contain replacement software a *LOT* of paranoia is appropriate. When the entire package could be the trojan I doubt playing malloc games would be high on an attacker's to do list. Clearing the security flag to get more visibility.
Clients check for updates from https://aus2.mozilla.org, SSL used to validate the connection to the trusted Mozilla host and to protect the contents of update.xml in transit. The update file contains the SHA1 hash (still? I thought we were going to use SHA256) and file size of the MAR. The MAR itself is downloaded from potentially insecure ftp.mozilla.org mirrors, but the process ensures people do not get hacked copies.
Assignee: nobody → darin
Group: security
> SSL used to validate...
This surprises me greatly. Is there a particular CA marked "trusted"?
Updated•19 years ago
Assignee: darin → nobody
Updated•16 years ago
Product: Firefox → Toolkit
Comment 3•16 years ago
Daniel, there hasn't been any movement on this bug for a couple years, is this a valid bug or just a nit? (Still learning as I go with App Update :( so I need a clue sometimes)
Comment 4•16 years ago
It is a valid bug that has other measures in place to lessen the likelihood that it could be exploited
Updated•16 years ago
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5•16 years ago
More precisely, it can't be exploited without delivering a malformed MAR file, and once you've done that you don't need an "exploit".
Whiteboard: [sg:nse]
Updated•7 years ago
Priority: -- → P3
Updated•2 years ago
Severity: minor → S4