Bug 387881 - (CVE-2007-5338) Arbitrary code execution by polluting implicit XPCNativeWrapper (using Script object)
Status: RESOLVED FIXED
Whiteboard: [sg:critical] pre 1.9, testcases emba...
Keywords: fixed1.8.0.15, verified1.8.1.8
Product: Core
Classification: Components
Component: Security (show other bugs)
Version: 1.8 Branch
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap) (please use needinfo!)
Mentors:
Depends on:
Blocks:
Reported: 2007-07-12 06:37 PDT by moz_bug_r_a4
Modified: 2008-03-20 11:16 PDT (History)
CC: 7 users
dveditz: blocking1.8.1.8+
dveditz: wanted1.8.1.x+
dveditz: wanted1.8.0.x+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
Fix (1.26 KB, patch)
2007-08-02 17:33 PDT, Blake Kaplan (:mrbkap) (please use needinfo!)
brendan: review+
dveditz: approval1.8.1.8+
caillon: approval1.8.0.next+

Description moz_bug_r_a4 2007-07-12 06:37:19 PDT
Does script_compile need the same fix as bug 369211?

This is 1.8/1.8.0 branches only, since Script object has been removed on trunk.
Comment 3 moz_bug_r_a4 2007-07-26 04:13:44 PDT
Due to the fix in bug 388121, privilege escalation testcases that use location
setter and javascript: url no longer work without change.  I'll attach new
testcases that load a chrome: url before loading a javascript: url to
circumvent the fix.
Comment 6 Blake Kaplan (:mrbkap) (please use needinfo!) 2007-08-02 17:33:45 PDT
Created attachment 275053 [details] [diff] [review]
Fix

Yeah, this just mimics what we do for eval.
Comment 7 Daniel Veditz [:dveditz] 2007-08-28 10:41:09 PDT
Comment on attachment 275053 [details] [diff] [review]
Fix

approved for 1.8.1.7 and 1.8.0.14, a=dveditz for release-drivers
Comment 8 Daniel Veditz [:dveditz] 2007-09-26 13:46:07 PDT
Is this approved patch going to land?
Comment 9 Daniel Veditz [:dveditz] 2007-10-01 15:33:37 PDT
Blake: what's the status of this patch? Can I land it for you?
Comment 10 Daniel Veditz [:dveditz] 2007-10-04 10:36:55 PDT
Checked this in on the 1.8 branch for mrbkap.
Comment 11 juan becerra [:juanb] 2007-10-12 16:34:46 PDT
Verified using testcases in comment #4 and comment #5 on: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8

Components.Stack dialog no longer appears.
Comment 12 Daniel Veditz [:dveditz] 2007-12-03 15:47:41 PST
Comment on attachment 275053 [details] [diff] [review]
Fix

Minusing for Thunderbird-focused 1.8.0.14 release, moving request to future release
Comment 13 Christopher Aillon (sabbatical, not receiving bugmail) 2008-02-19 08:27:31 PST
Comment on attachment 275053 [details] [diff] [review]
Fix

a=caillon for 1.8.0.15
Comment 14 Christopher Aillon (sabbatical, not receiving bugmail) 2008-03-20 11:16:25 PDT
fix committed to 1.8.0 branch

Checking in js/src/jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.5.2.8; previous revision: 3.79.2.5.2.7
done
