Bug 422118 (cpni-zip): Crash reading malformed zip [@nsZipArchive::BuildFileList]
Status: Closed, RESOLVED FIXED (opened 13 years ago, closed 13 years ago)
Categories: Core :: Networking: JAR, defect, P2
People: Reporter: dveditz, Assigned: dveditz
Keywords: crash, testcase, verified1.8.1.15
Whiteboard: [sg:nse dos] test URIs in comment 5 and 8
Attachments (6 files, 1 obsolete file):
  1.18 KB, application/java-archive
  1.08 KB, text/html
  1.04 KB, application/java-archive
  676 bytes, application/java-archive
  6.31 KB, patch (Biesinger: review+, bzbarsky: superreview+, dveditz: approval1.8.1.15+)
  5.47 KB, patch (Biesinger: review+, bzbarsky: superreview+, mtschrep: approval1.9+)
Malformed zip directories can crash us. Appears safe, we read outside our buffer and die with an access violation, but in order to snoop on data in other owned buffers it would have to match up exactly with a ZIP "central directory" structure which is extremely unlikely.
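As an added example (not code from this bug, its patches, or Mozilla's nsZipArchive), here is a central-directory walker in C that validates every offset and length the EOCD record and each entry advertise against the buffer before reading, which is the class of check a malformed directory like the ones in this bug needs. The sample archive bytes are constructed inline; build_sample and its cd_off_claim parameter are this example's own.

```c
#include <stdint.h>
#include <string.h>

#define EOCD_SIG 0x06054b50u  /* end of central directory record, 22 bytes min */
#define CDH_SIG  0x02014b50u  /* central directory file header, 46 bytes fixed */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Walk the central directory of an in-memory archive, checking every offset and
   length against the buffer before it is dereferenced. Returns the entry count,
   or -1 if following the directory would take the reader outside the buffer. */
int count_central_entries(const uint8_t *buf, size_t len) {
    if (len < 22) return -1;
    size_t eocd = len - 22;                      /* scan back over any comment */
    while (rd32(buf + eocd) != EOCD_SIG) if (eocd-- == 0) return -1;
    uint16_t nentries = rd16(buf + eocd + 10);
    uint32_t cd_size = rd32(buf + eocd + 12), cd_off = rd32(buf + eocd + 16);
    /* the whole directory must sit inside the file, before the EOCD record */
    if (cd_off > eocd || cd_size > eocd - cd_off) return -1;
    size_t pos = cd_off, end = cd_off + cd_size;
    int count = 0;
    for (; count < nentries; count++) {
        if (end - pos < 46 || rd32(buf + pos) != CDH_SIG) return -1;
        size_t var = (size_t)rd16(buf + pos + 28) + rd16(buf + pos + 30)
                   + rd16(buf + pos + 32);       /* name + extra + comment */
        if (end - pos - 46 < var) return -1;     /* entry overruns directory */
        pos += 46 + var;
    }
    return pos == end ? count : -1;              /* count and size must agree */
}

/* Constructed 73-byte sample: one directory entry for "a.txt" plus an EOCD
   record (no local headers; only the directory is walked here). cd_off_claim is
   the directory offset the EOCD advertises: 0 is correct, a value past the end
   of the buffer is the kind of pointer a trusting reader follows out of bounds. */
size_t build_sample(uint8_t out[73], uint32_t cd_off_claim) {
    memset(out, 0, 73);
    wr32(out, CDH_SIG);
    wr16(out + 28, 5);                           /* file name length */
    memcpy(out + 46, "a.txt", 5);
    uint8_t *e = out + 51;
    wr32(e, EOCD_SIG);
    wr16(e + 8, 1); wr16(e + 10, 1);             /* entries on disk / total */
    wr32(e + 12, 51);                            /* central directory size */
    wr32(e + 16, cd_off_claim);                  /* central directory offset */
    return 73;
}
```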
Comment 1 • 13 years ago
This seems to be a zip file that seems to crash Mozilla when trying to open it.
Comment 2 • 13 years ago
I used this script to open the zip file with.
Comment 3 • 13 years ago
Martijn's crash: bp-45371582-ef91-11dc-91a2-001a4bd46e84 I think that's probably the same as mine because my patched version doesn't crash on it, but a stock FF does. You don't need to go through the rigmarole of your script, though, it's enough to simply open the jar: jar:https://bugzilla.mozilla.org/attachment.cgi?id=308642!/ (requires setting network.jar.open-unsafe-types to true, or changing type of attachment to application/java-archive which I'll do for the bug)
Updated • 13 years ago
Attachment #308642 - Attachment mime type: application/zip → application/java-archive
Comment 4 • 13 years ago
Comment 5 • 13 years ago
testcase: in address bar enter jar:https://bugzilla.mozilla.org/attachment.cgi?id=308664!/
Comment 6 • 13 years ago
This fixes the above testcases but "work in progress" because there are other crashes in this testsuite covered by this bug.
Comment 7 • 13 years ago
Second testcase, trying to view "!/fakerealsize.txt" will crash 1.8. Doesn't seem to crash trunk though.
Comment 8 • 13 years ago
That is, the testcase URL is jar:https://bugzilla.mozilla.org/attachment.cgi?id=309512!/fakerealsize.txt
Comment 9 • 13 years ago
Attachment #308672 - Attachment is obsolete: true
Attachment #309575 - Flags: superreview?(bzbarsky)
Attachment #309575 - Flags: review?(cbiesinger)
Comment 10 • 13 years ago
Attachment #309577 - Flags: superreview?(bzbarsky)
Attachment #309577 - Flags: review?(cbiesinger)
Updated • 13 years ago
Whiteboard: [sg:nse dos
Updated • 13 years ago
Attachment #309577 - Flags: superreview?(bzbarsky) → superreview+
Updated • 13 years ago
Attachment #309575 - Flags: superreview?(bzbarsky) → superreview+
Comment 11 • 13 years ago
Requesting blocking FF3 -- CPNI is going to release their testsuite and it would be nicer to say "we don't crash" than to have to explain "trust us, they're safe crashes".
Flags: wanted1.8.1.x+
Flags: blocking1.9?
Flags: blocking1.8.1.14?
Whiteboard: [sg:nse dos → [sg:nse dos]
Comment 12 • 13 years ago
The advisory has been released https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
Priority: -- → P2
Updated • 13 years ago
Group: security
Updated • 13 years ago
Flags: in-testsuite?
Updated • 13 years ago
Attachment #309575 - Flags: review?(cbiesinger) → review+
Updated • 13 years ago
Attachment #309577 - Flags: review?(cbiesinger) → review+
Updated • 13 years ago
Attachment #309577 - Flags: approval1.9?
Updated • 13 years ago
Attachment #309575 - Flags: approval1.8.1.14?
Updated • 13 years ago
Attachment #309577 - Flags: approval1.9? → approval1.9+
Comment 13 • 13 years ago
Fix checked in on trunk
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 13 years ago
Flags: blocking1.8.1.14? → blocking1.8.1.14+
Comment 14 • 13 years ago
Comment on attachment 309575 (Fix both problems (1.8 branch)): approved for 1.8.1.14, a=dveditz for release-drivers
Attachment #309575 - Flags: approval1.8.1.14? → approval1.8.1.14+
Updated • 13 years ago
Whiteboard: [sg:nse dos] → [sg:nse dos] test URIs in comment 5 and 8
Updated • 13 years ago
Keywords: fixed1.8.1.15
Comment 15 • 13 years ago
Verified fixed for 1.8 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre.
Keywords: fixed1.8.1.15 → verified1.8.1.15
Updated • 10 years ago
Crash Signature: [@nsZipArchive::BuildFileList]