Bug 387881 (CVE-2007-5338)

Arbitrary code execution by polluting implicit XPCNativeWrapper (using Script object)

RESOLVED FIXED

Status

()

Core
Security
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

({fixed1.8.0.15, verified1.8.1.8})

1.8 Branch
fixed1.8.0.15, verified1.8.1.8
Points:
---
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +
wanted1.8.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] pre 1.9, testcases embargoed during upgrade cycle)

Attachments

(1 attachment)

Fix
1.26 KB, patch
brendan
: review+
Christopher Aillon (sabbatical, not receiving bugmail)
: approval1.8.0.next+
Details | Diff | Splinter Review
(Reporter)

Description

10 years ago
Does script_compile need the same fix as bug 369211?

This is 1.8/1.8.0 branches only, since Script object has been removed on trunk.
Flags: blocking1.8.1.6?
Flags: blocking1.8.1.5?
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
Assignee: dveditz → mrbkap
Flags: blocking1.8.1.5?
(Reporter)

Comment 3

10 years ago
Due to the fix in bug 388121, privilege escalation testcases that use location
setter and javascript: url no longer work without change.  I'll attach new
testcases that load a chrome: url before loading a javascript: url to
circumvent the fix.
(Assignee)

Comment 6

10 years ago
Created attachment 275053 [details] [diff] [review]
Fix

Yeah, this just mimics what we do for eval.
Attachment #275053 - Flags: review?(brendan)

Updated

10 years ago
Attachment #275053 - Flags: review?(brendan) → review+
(Assignee)

Updated

10 years ago
Attachment #275053 - Flags: approval1.8.1.6?
Attachment #275053 - Flags: approval1.8.0.13?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:critical] → [sg:critical] pre 1.9
Attachment #275053 - Flags: approval1.8.1.6? → approval1.8.1.7?
Attachment #275053 - Flags: approval1.8.0.13? → approval1.8.0.14?
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment on attachment 275053 [details] [diff] [review]
Fix

approved for 1.8.1.7 and 1.8.0.14, a=dveditz for release-drivers
Attachment #275053 - Flags: approval1.8.1.7?
Attachment #275053 - Flags: approval1.8.1.7+
Attachment #275053 - Flags: approval1.8.0.14?
Attachment #275053 - Flags: approval1.8.0.14+
Is this approved patch going to land?
Blake: what's the status of this patch? Can I land it for you?
Checked this in on the 1.8 branch for mrbkap.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Keywords: fixed1.8.1.8
Resolution: --- → FIXED
Verified using testcases in comment #4 and comment #5 on: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8

Components.Stack dialog no longer appears.
Keywords: fixed1.8.1.8 → verified1.8.1.8

Updated

10 years ago
Alias: CVE-2007-5338
Whiteboard: [sg:critical] pre 1.9 → [sg:critical] pre 1.9, testcases embargoed during upgrade cycle
Group: security
Comment on attachment 275053 [details] [diff] [review]
Fix

Minusing for Thunderbird-focused 1.8.0.14 release, moving request to future release
Attachment #275053 - Flags: approval1.8.0.14+ → approval1.8.0.15?
Comment on attachment 275053 [details] [diff] [review]
Fix

a=caillon for 1.8.0.15
Attachment #275053 - Flags: approval1.8.0.15? → approval1.8.0.15+
fix committed to 1.8.0 branch

Checking in js/src/jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.5.2.8; previous revision: 3.79.2.5.2.7
done
Keywords: fixed1.8.0.15
You need to log in before you can comment on or make changes to this bug.