[1.0.x] Fix for Bug 293527 can be circumvented by using <object> element

RESOLVED WONTFIX

Status


Core
Security
P5
normal
RESOLVED WONTFIX
12 years ago
11 years ago

People

(Reporter: moz_bug_r_a4, Unassigned)

Tracking

1.7 Branch
Points:
---
Bug Flags:
blocking1.7.13 -
blocking1.7.14 ?
blocking-aviary1.0.8 -
blocking-aviary1.0.9 ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low spoof] aviary1.0/moz1.7 only)

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
This is a variant of Bug 333428.

  <object id="o" type="image/png" data="a.png"></object>
  <script>
    o.data = "http://otherdomain/x.exe";
  </script>

Changing an <object>'s .data property does not trigger a new image loading.
Thus, the state of .onLoadedImage does not change.
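The description above boils down to a stale-state problem: a "loaded image" verdict is established for one URL and is not discarded when .data is pointed at another. The following is an added example, not Gecko code and not the reporter's testcase; it is a constructed model in which the class names, the onImageLoaded() callback and the isImage() consumer are all hypothetical stand-ins for the browser state the report calls .onLoadedImage. It contrasts a flag that is never invalidated with one that is bound to the URL it was established for and dropped on any change of .data.

```javascript
// Constructed model of per-element load state (hypothetical names, not Gecko's).

// Vulnerable model: the flag is set once an image load succeeds and is never
// cleared when .data changes, so a later URL inherits the earlier verdict.
class VulnerableObjectState {
  constructor(data) {
    this.data = data;
    this.onLoadedImage = false;
  }
  onImageLoaded() {
    this.onLoadedImage = true;
  }
  setData(url) {
    // Changing .data does not start a new load and does not reset the flag.
    this.data = url;
  }
  isImage() {
    return this.onLoadedImage;
  }
}

// Hardened model: the verdict records which URL it was established for, a
// change of .data discards it, and a load completing for a URL that is no
// longer current (a late async completion) is ignored.
class HardenedObjectState {
  constructor(data) {
    this.data = data;
    this.loadedFor = null;
  }
  onImageLoaded(url) {
    if (url === this.data) {
      this.loadedFor = url;
    }
  }
  setData(url) {
    if (url !== this.data) {
      this.data = url;
      this.loadedFor = null; // verdict must be re-established for the new URL
    }
  }
  isImage() {
    return this.loadedFor !== null && this.loadedFor === this.data;
  }
}

// Replays the sequence from the bug description against either model and
// reports the verdict before and after .data is swapped.
function runScenario(State) {
  const o = new State("a.png");
  o.onImageLoaded("a.png");          // first load completes for a.png
  const before = o.isImage();
  o.setData("http://otherdomain/x.exe"); // URL swapped, no new load occurs
  const after = o.isImage();
  return { before, after };
}

// Late completion for the old URL must not re-establish the verdict.
function runStaleCompletion() {
  const o = new HardenedObjectState("a.png");
  o.setData("b.png");
  o.onImageLoaded("a.png");          // stale completion for the previous URL
  return o.isImage();
}

console.log("vulnerable:", runScenario(VulnerableObjectState));
console.log("hardened:  ", runScenario(HardenedObjectState));
console.log("stale completion accepted:", runStaleCompletion());
```

The point of the hardened variant is not the extra field but the invariant it enforces: any consumer of the "image" verdict only ever sees it while the URL it was computed for is still the current one.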
(Reporter)

Comment 1

12 years ago
Created attachment 217987 [details]
testcase
(Reporter)

Comment 2

12 years ago
> o.data = "http://otherdomain/x.exe";

Ah, please ignore "otherdomain".  I inadvertently did copy and paste from Bug 333428.
Flags: blocking1.7.14?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.8?
Whiteboard: aviary1.0/moz1.7 only
Created attachment 218088 [details] [diff] [review]
patch

I think this fixes this bug without regressing any of the other bugs, but I need to test more. At this point, I don't think this should block 1.0.8: it's a case of bug 293527 that's still present, but I don't think that bug is severe enough that it should block 1.0.8, especially considering the arbitrary code execution vulnerability that was fixed in bug 333305.
Assignee: dveditz → gavin.sharp
Status: NEW → ASSIGNED
Priority: -- → P5
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Whiteboard: aviary1.0/moz1.7 only → [sg:low spoof] aviary1.0/moz1.7 only

Comment 4

12 years ago
Looks good ... so far no regressions. Who will take care for advisories etc. for such 1.0.x only issues? 

Daniel, are there other issues for 1.5.0.4 that we (vendors) might want to backport to 1.0.x branch?
Summary: Fix for Bug 293527 can be circumvented by using <object> element → [1.0.x] Fix for Bug 293527 can be circumvented by using <object> element

Comment 5

12 years ago
Chris, can you please review/checkin? I would like to take this for 1.0.9/1.7.14.
Assignee: gavin.sharp → nobody
Status: ASSIGNED → NEW
Sounds like this is WONTFIX, given that it only affects a now-unsupported branch.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WONTFIX
Group: security