Bug 355569 - XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)
Status: VERIFIED FIXED
Whiteboard: [sg:critical] fixed by 355478
Keywords: crash, verified1.8.0.8, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on: 355478
Blocks:
Reported: 2006-10-05 13:02 PDT by shutdown
Modified: 2008-10-17 14:28 PDT (History)
CC: 8 users
dveditz: blocking1.7.14-
dveditz: blocking-aviary1.0.9-
dbaron: blocking1.9?
mbeltzner: blocking1.8.1+
dveditz: blocking1.8.0.8+
bob: in-testsuite+
bob: in-litmus-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (4.36 KB, text/html)
2006-10-05 13:11 PDT, shutdown
no flags
e4x/Regress/regress-355569.js (5.93 KB, text/plain)
2006-10-09 07:21 PDT, Bob Clary [:bc:]
no flags

Description shutdown 2006-10-05 13:02:08 PDT
I had a proof of concept exploit for this vulnerability a month ago,
but it was lost due to an HDD crash. Bug 355478 has reminded me of it.

TB22649748Q
Comment 1 shutdown 2006-10-05 13:11:54 PDT
Created attachment 241357 [details]
testcase

Salvaged proof of concept exploit. Works on:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre)
  Gecko/20061005 Firefox/1.5.0.8pre
TB24181017Q

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20061005 BonEcho/2.0
TB24181079Q

FIREFOX caused an exception 03H in
module unknown at 0000:12030108
Registers:
EAX=deadfeed CS=015f EIP=12030108 EFLGS=00000206
EBX=deadfeed SS=0167 ESP=00d8ec00 EBP=00d8ec20
ECX=deadfeed DS=0167 ESI=1203008c FS=1987
EDX=deadfeed ES=0167 EDI=12030084 GS=0000
Bytes at CS:EIP:
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
Stack dump:
6013c26d 02adfc00 12030084 00000003 12030084 00000000 02adfc00 1203008c
00d8ec5c 60113000 02adfc00 12030084 00000003 00d8eca8 12030010 00d8ecc0
Comment 2 Brendan Eich [:brendan] 2006-10-05 13:22:45 PDT
Marking this bug blocking; patch is in bug 355478.

/be
Comment 3 Mike Beltzner [:beltzner, not reading bugmail] 2006-10-08 19:57:26 PDT
Blocking for Fx2 RC3
Comment 4 Brendan Eich [:brendan] 2006-10-08 20:53:42 PDT
Cover bug is fixed on the 1.8 branch.

/be
Comment 5 Bob Clary [:bc:] 2006-10-09 07:21:03 PDT
Created attachment 241706 [details]
e4x/Regress/regress-355569.js

Couldn't reproduce the crash, so verification will not have much meaning. shutdown, can you please test in trunk and 1.8 and mark verified? Thanks.
Comment 6 Bob Clary [:bc:] 2006-10-10 00:08:58 PDT
No crash with 20061009 1.8 windows/linux/mac* 1.9 windows/linux on e4x/Regress/regress-355569.js, but since I couldn't initially reproduce, I am not verifying.
Comment 7 Daniel Veditz [:dveditz] 2006-10-13 21:55:08 PDT
Bug 355478 has been checked into the 1.8.0 branch.
Comment 8 shutdown 2006-10-17 07:25:04 PDT
20061016 trunk/1.8/1.8.0: verifying with shorter testcase.
javascript: <x/>.function::hasOwnProperty.call(new Number(0x50505050>>1));
Comment 9 Daniel Veditz [:dveditz] 2006-11-01 17:48:56 PST
Not applicable to the aviary/moz1.7 branch
Comment 10 Daniel Veditz [:dveditz] 2006-11-07 13:52:36 PST
This has been assigned CVE-2006-5747
Comment 11 Bob Clary [:bc:] 2008-10-17 14:24:47 PDT
/cvsroot/mozilla/js/tests/e4x/Regress/regress-355569.js,v  <--  regress-355569.js
initial revision: 1.1