Open Bug 328616 Opened 19 years ago Updated 2 years ago

Input validation missing from mar_read.c

Categories

(Toolkit :: Application Update, defect, P3)

defect


People

(Reporter: taralx, Unassigned)

Details

(Keywords: sec-other, Whiteboard: [sg:nse])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060223 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060223 Firefox/1.5.0.1

http://lxr.mozilla.org/seamonkey/source/modules/libmar/src/mar_read.c#166

This takes a 4-byte value from a MAR file and passes it unchecked to malloc(). This is difficult to exploit, but since MARs are not signed or verified any other way, some input paranoia is appropriate.

Reproducible: Always

Steps to Reproduce:
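The kind of check the report is asking for, as an added illustration that is not libmar's own code: a hypothetical reader takes the 4-byte big-endian size field from a MAR-style index, bounds it against an assumed sanity cap and against the bytes actually present in the file, and only then calls malloc(). The buffers, cap and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sanity cap for the index size; libmar's real limit, if any,
   is not given on this page. */
#define MAR_MAX_INDEX_SIZE (1u << 20)   /* 1 MiB */

/* Decode a big-endian 32-bit value from four bytes. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical checked reader: buf holds the 4-byte size field followed
 * by the index bytes. On success returns 0 and hands back a malloc()'d
 * copy of the index in *out with its length in *out_len; returns -1 if
 * the declared size is zero, exceeds the cap, or exceeds what the file
 * actually contains. Nothing is allocated on the rejection paths. */
int read_index_checked(const unsigned char *buf, size_t buf_len,
                       unsigned char **out, uint32_t *out_len)
{
    if (buf_len < 4)
        return -1;                          /* no complete size field */

    uint32_t declared = be32(buf);
    if (declared == 0 || declared > MAR_MAX_INDEX_SIZE)
        return -1;                          /* absurd size: reject, don't malloc */
    if (declared > buf_len - 4)
        return -1;                          /* truncated file: size exceeds data present */

    unsigned char *copy = malloc(declared);
    if (copy == NULL)
        return -1;
    memcpy(copy, buf + 4, declared);

    *out = copy;
    *out_len = declared;
    return 0;
}
```

Compare with an unchecked reader, which would hand 0xFFFFFFFF straight to malloc() and then read past the end of a short file.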
> since MARs are not signed or verified ... some input paranoia is appropriate.

Since MARs contain replacement software a *LOT* of paranoia is appropriate. When the entire package could be the trojan I doubt playing malloc games would be high on an attacker's to-do list. Clearing the security flag to get more visibility.

Clients check for updates from https://aus2.mozilla.org; SSL is used to validate the connection to the trusted Mozilla host and to protect the contents of update.xml in transit. The update file contains the SHA1 hash (still? I thought we were going to use SHA256) and file size of the MAR. The MAR itself is downloaded from potentially insecure ftp.mozilla.org mirrors, but the process ensures people do not get hacked copies.
Assignee: nobody → darin
Group: security
> SSL used to validate...

This surprises me greatly. Is there a particular CA marked "trusted"?
Assignee: darin → nobody
Product: Firefox → Toolkit
Daniel, there hasn't been any movement on this bug for a couple years, is this a valid bug or just a nit? ( Still learning as I go with App Update :( so I need a clue sometimes)
It is a valid bug that has other measures in place to lessen the likelihood that it could be exploited.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
More precisely, it can't be exploited without delivering a malformed MAR file, and once you've done that you don't need an "exploit".
Whiteboard: [sg:nse]
Priority: -- → P3
Severity: minor → S4