Bug 330900 (Closed)
Opened 18 years ago
Closed 18 years ago
nsCrypto::GenerateCRMFRequest reads past end of array when given 2 args
Categories: Core :: Security: PSM, defect
Status: RESOLVED FIXED
People: Reporter: dbaron, Assigned: KaiE
Details: Keywords: fixed1.8.1, verified1.8.0.4; Whiteboard: [sg:low][need testcase]
Attachments (1 file): patch, 962 bytes. Flags: KaiE: review+; jst: superreview+; KaiE: approval-branch-1.8.1+; dveditz: approval1.8.0.4+
Marking this security-sensitive mainly because I discovered it while looking at bug 330897, and the reverse is therefore also reasonably likely, not because I think it's exploitable (although it's possible that it is, although I think unlikely). nsCrypto::GenerateCRMFRequest intends to allow a number of arguments that is 5, 8, 11, 14, etc. But it doesn't give an error if it's given 2 arguments, which could cause it to read past the end of an array. I haven't tried writing a testcase for this yet, though.
Comment 1 (Reporter) • 18 years ago
Comment 2 • 18 years ago
I guess this would also fix bug 327524, right?
Comment 3 (Assignee) • 18 years ago
Comment on attachment 215468 [details] [diff] [review] patch
r=kengert

Thanks for the patch. The documentation for this function is here: http://developer.mozilla.org/en/docs/generateCRMFRequest

Note that calling this function does not make much sense if one supplies 5 parameters; the smallest reasonable number of parameters is 8. The documentation page requests that after the first 5 params, there must be "one or more sets" of additional params. So I think it's ok if we require supplying at least 8 params.
Attachment #215468 - Flags: review+
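The argument-count rule from the description (5 leading parameters, then sets of 3) and the minimum of 8 that comment 3 settles on, as an added example. This is not the nsCrypto code or the attached patch; the names CrmfArgs, CountIsValid, LeadingSlotsPastEnd, KeySetCount and ParseCrmfArgs are hypothetical, and the point is that the count is validated before any slot of the argument array is indexed, which is what rules out the read past the end for a 2-argument call.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical model of the parameter layout described in this bug:
// 5 leading parameters, then one or more sets of 3, so the accepted
// counts are 8, 11, 14, ... (comment 3: at least 8).
constexpr std::size_t kLeadingParams = 5;
constexpr std::size_t kParamsPerKeySet = 3;
constexpr std::size_t kMinParams = kLeadingParams + kParamsPerKeySet;  // 8

struct CrmfArgs {
    std::vector<std::string> leading;               // the 5 fixed parameters
    std::vector<std::vector<std::string>> keySets;  // each additional set of 3
};

// The check that has to run before any indexing: reject every count that
// is not 5 + 3k with k >= 1 (2, 5, 7, 9, ... are all refused).
bool CountIsValid(std::size_t argc) {
    if (argc < kMinParams) return false;
    return (argc - kLeadingParams) % kParamsPerKeySet == 0;
}

// How many of the 5 leading slots an unchecked reader would touch beyond an
// argument array of length argc. Pure arithmetic, nothing is dereferenced;
// for the 2-argument case in the description this is 3.
std::size_t LeadingSlotsPastEnd(std::size_t argc) {
    return argc < kLeadingParams ? kLeadingParams - argc : 0;
}

// Parse only after the count has been validated; std::nullopt models the
// error the patch returns for a bad argument count.
std::optional<CrmfArgs> ParseCrmfArgs(const std::vector<std::string>& argv) {
    if (!CountIsValid(argv.size())) return std::nullopt;
    CrmfArgs out;
    out.leading.assign(argv.begin(), argv.begin() + kLeadingParams);
    for (std::size_t i = kLeadingParams; i < argv.size(); i += kParamsPerKeySet) {
        out.keySets.emplace_back(argv.begin() + i, argv.begin() + i + kParamsPerKeySet);
    }
    return out;
}

// Convenience for callers: number of key sets, or -1 if the count is invalid.
int KeySetCount(const std::vector<std::string>& argv) {
    auto parsed = ParseCrmfArgs(argv);
    return parsed ? static_cast<int>(parsed->keySets.size()) : -1;
}

int main() {
    // Constructed inputs: the 2-argument case from the description and a valid 11-argument call.
    std::vector<std::string> two(2, "x");
    std::vector<std::string> eleven(11, "x");
    std::cout << "argc=2: valid=" << CountIsValid(two.size())
              << " leading slots past end=" << LeadingSlotsPastEnd(two.size())
              << " keySets=" << KeySetCount(two) << "\n";
    std::cout << "argc=11: valid=" << CountIsValid(eleven.size())
              << " keySets=" << KeySetCount(eleven) << "\n";
    return 0;
}
```

With the check first, the 2-argument call fails before the fixed slots are read, which is the behaviour the patch establishes; without it, the arithmetic in LeadingSlotsPastEnd shows three slots beyond the array would be touched.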
Updated (Reporter) • 18 years ago
Attachment #215468 - Flags: approval-branch-1.8.1?(kengert)
Updated (Reporter) • 18 years ago
Attachment #215468 - Flags: superreview?(jst)
Updated (Assignee) • 18 years ago
Attachment #215468 - Flags: approval-branch-1.8.1?(kengert) → approval-branch-1.8.1+
Comment 4 • 18 years ago
Comment on attachment 215468 [details] [diff] [review] patch
sr=jst
Attachment #215468 - Flags: superreview?(jst) → superreview+
Comment 5 (Reporter) • 18 years ago
Fix checked in to trunk and MOZILLA_1_8_BRANCH.
Updated (Reporter) • 18 years ago
Attachment #215468 - Flags: approval1.8.0.3?
Comment 6 • 18 years ago
Not sure the severity here. I suppose it depends on where the data beyond the array comes from (user controlled?).
Flags: blocking1.8.0.3+
Whiteboard: [sg:moderate?]
Comment 7 • 18 years ago
kaie: can you explain how this problem could be exploited? thanks!
Comment 8 (Assignee) • 18 years ago
This bug occurs when using the function with an invalid number of parameters. This function is not called from within our own code, but only if a web page calls it. I don't know how a web page can influence the data past the array; will it just read the bytes that follow the javascript code in the web page?
Comment 9 • 18 years ago
Comment on attachment 215468 [details] [diff] [review] patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #215468 - Flags: approval1.8.0.3? → approval1.8.0.3+
Updated • 18 years ago
Whiteboard: [sg:moderate?] → [sg:low]
Comment 11 • 18 years ago
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060420 Firefox/1.5.0.2, based on code inspection and comments in this bug. Adding [need testcase]. If anyone does get a testcase together, we can test to double check the fix.
Keywords: fixed1.8.0.3 → verified1.8.0.3
Whiteboard: [sg:low] → [sg:low][need testcase]
Comment 12 • 18 years ago
Bug 327524 has a testcase that is fixed by this patch.
Comment 13 • 18 years ago
Could you backport this patch to the firefox 1.0.x branch please? I can confirm it fixes the crash from the testcase in bug #327524.
Updated • 18 years ago
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Updated • 18 years ago
Group: security