Closed Bug 387881 (CVE-2007-5338)
Opened 18 years ago, closed 17 years ago
Arbitrary code execution by polluting implicit XPCNativeWrapper (using Script object)
Categories: Core :: Security, defect
Status: RESOLVED FIXED
People: Reporter: moz_bug_r_a4, Assigned: mrbkap
Details: Keywords: fixed1.8.0.15, verified1.8.1.8; Whiteboard: [sg:critical] pre 1.9, testcases embargoed during upgrade cycle
Attachments (1 file)
1.26 KB, patch | brendan: review+ | dveditz: approval1.8.1.8+ | caillon: approval1.8.0.next+
Does script_compile need the same fix as bug 369211?
This is 1.8/1.8.0 branches only, since Script object has been removed on trunk.
Updated•18 years ago
Flags: blocking1.8.1.6?
Flags: blocking1.8.1.5?
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
Updated•18 years ago
Assignee: dveditz → mrbkap
Flags: blocking1.8.1.5?
Comment 3•18 years ago (Reporter)
Due to the fix in bug 388121, privilege escalation testcases that use location
setter and javascript: url no longer work without change. I'll attach new
testcases that load a chrome: url before loading a javascript: url to
circumvent the fix.
Comment 6•18 years ago (Assignee)
Yeah, this just mimics what we do for eval.
Attachment #275053 -
Flags: review?(brendan)
Updated•18 years ago
Attachment #275053 -
Flags: review?(brendan) → review+
Updated•18 years ago (Assignee)
Attachment #275053 -
Flags: approval1.8.1.6?
Attachment #275053 -
Flags: approval1.8.0.13?
Updated•18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:critical] → [sg:critical] pre 1.9
Updated•18 years ago
Attachment #275053 -
Flags: approval1.8.1.6? → approval1.8.1.7?
Updated•18 years ago
Attachment #275053 -
Flags: approval1.8.0.13? → approval1.8.0.14?
Updated•18 years ago
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment 7•18 years ago
Comment on attachment 275053 [details] [diff] [review]
Fix
approved for 1.8.1.7 and 1.8.0.14, a=dveditz for release-drivers
Attachment #275053 -
Flags: approval1.8.1.7?
Attachment #275053 -
Flags: approval1.8.1.7+
Attachment #275053 -
Flags: approval1.8.0.14?
Attachment #275053 -
Flags: approval1.8.0.14+
Comment 8•17 years ago
Is this approved patch going to land?
Comment 9•17 years ago
Blake: what's the status of this patch? Can I land it for you?
Comment 10•17 years ago
Checked this in on the 1.8 branch for mrbkap.
Comment 11•17 years ago
Verified using testcases in comment #4 and comment #5 on: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8
Components.Stack dialog no longer appears.
Keywords: fixed1.8.1.8 → verified1.8.1.8
Updated•17 years ago
Alias: CVE-2007-5338
Updated•17 years ago
Whiteboard: [sg:critical] pre 1.9 → [sg:critical] pre 1.9, testcases embargoed during upgrade cycle
Updated•17 years ago
Group: security
Comment 12•17 years ago
Comment on attachment 275053 [details] [diff] [review]
Fix
Minusing for Thunderbird-focused 1.8.0.14 release, moving request to future release
Attachment #275053 -
Flags: approval1.8.0.14+ → approval1.8.0.15?
Comment 13•17 years ago
Comment on attachment 275053 [details] [diff] [review]
Fix
a=caillon for 1.8.0.15
Attachment #275053 -
Flags: approval1.8.0.15? → approval1.8.0.15+
Comment 14•17 years ago
fix committed to 1.8.0 branch
Checking in js/src/jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v <-- jsscript.c
new revision: 3.79.2.5.2.8; previous revision: 3.79.2.5.2.7
done
Keywords: fixed1.8.0.15