Bug 453526 - (CVE-2008-5504) Remaining attack vectors in feed preview on 1.8 branch
Status: VERIFIED FIXED
Whiteboard: [sg:critical]
Keywords: testcase, verified1.8.1.19
Product: Firefox
Classification: Client Software
Component: RSS Discovery and Preview
Version: 2.0 Branch
Platform: All All
Importance: P1 normal
Target Milestone: ---
Assigned To: Mano (::mano, needinfo? for any questions; not reading general bugmail)
QA Contact:
Mentors:
Depends on:
Blocks: 360529
Reported: 2008-09-03 14:11 PDT by :Gavin Sharp [email: gavin@gavinsharp.com]
Modified: 2008-12-16 16:57 PST (History)
mbeltzner: blocking1.8.1.17-
dveditz: blocking1.8.1.18-
dveditz: blocking1.8.1.19+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next-
asac: wanted1.8.0.x-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (1.97 KB, patch)
2008-11-16 06:59 PST, Mano (::mano, needinfo? for any questions; not reading general bugmail)
mconnor: review+
dveditz: approval1.8.1.19+

Description :Gavin Sharp [email: gavin@gavinsharp.com] 2008-09-03 14:11:56 PDT
See bug 360529 comment 68 and bug 360529 comment 69.
Comment 2 Daniel Veditz [:dveditz] 2008-09-03 16:24:40 PDT
------- Comment #68 From moz_bug_r_a4@yahoo.com 2008-09-03 05:11:44 PDT
There are two oversights.  fx2.0.0.17 is still exploitable.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=1.2.2.36&mark=635#623
This is exploitable.  I'll attach a testcase.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=1.2.2.36&mark=404,406#397
I think this is unsafe.  But, I cannot create a testcase since I don't know a way to execute this catch block.

------- Comment #69 From moz_bug_r_a4@yahoo.com 2008-09-03 05:14:55 PDT

Created an attachment (id=336641) [attachment 336713 [details] in this bug --dveditz]
testcase 9 - handlers[0].doCommand()

This works on fx2.0.0.17-candidate-build2 (2008082909).

This uses bug 451680's XSS trick.
Comment 3 Samuel Sidler (old account; do not CC) 2008-10-20 12:05:41 PDT
Mano, any update here?
Comment 4 Samuel Sidler (old account; do not CC) 2008-11-10 09:55:19 PST
Mano, have you had time to work on this? I'd hate to miss this for a third release in a row, especially since it's the last Firefox 2 release...
Comment 5 Samuel Sidler (old account; do not CC) 2008-11-14 10:58:37 PST
Mano, please attach a 1.8 patch for this. Code freeze is on Monday.
Comment 6 Mano (::mano, needinfo? for any questions; not reading general bugmail) 2008-11-16 06:59:48 PST
Created attachment 348427 [details] [diff] [review]
patch

See bug 388207, I didn't remove the element from subscribe.xhtml for the sake of backwards-compatibility.
Comment 7 Mike Connor [:mconnor] 2008-11-16 11:50:20 PST
Comment on attachment 348427 [details] [diff] [review]
patch

Looks good.
Comment 8 Daniel Veditz [:dveditz] 2008-11-17 11:17:25 PST
Comment on attachment 348427 [details] [diff] [review]
patch

Approved for 1.8.1.19, a=dveditz for release-drivers
Comment 9 Samuel Sidler (old account; do not CC) 2008-11-18 13:32:38 PST
Can we get this landed asap? Code freeze was technically last night...
Comment 10 Mano (::mano, needinfo? for any questions; not reading general bugmail) 2008-11-18 16:31:14 PST
Checking in browser/components/feeds/src/FeedWriter.js;
/cvsroot/mozilla/browser/components/feeds/src/FeedWriter.js,v  <--  FeedWriter.js
new revision: 1.2.2.37; previous revision: 1.2.2.36
done
Comment 11 Al Billings [:abillings] 2008-11-25 15:55:00 PST
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
Comment 12 Alexander Sack 2008-12-16 00:54:53 PST
Not an issue on 1.8.0.