Bug 489131 - (CVE-2009-1838) Arbitrary code execution using event listeners attached to an element whose owner document is null
Status: VERIFIED FIXED
Whiteboard: [sg:critical] fixed in 1.9.1 by 435656
Keywords: testcase, verified1.8.1.22, verified1.9.0.11
Product: Core
Classification: Components
Component: Security
Version: 1.9.0 Branch
Platform: All All
Priority: -- Severity: normal
Target Milestone: ---
Assigned To: Olli Pettay [:smaug] (vacation Aug 25-28)
Reported: 2009-04-20 00:57 PDT by moz_bug_r_a4
Modified: 2009-06-11 15:16 PDT
CC: 6 users
dveditz: blocking1.9.0.11+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.next+
dveditz: wanted1.8.1.x+

Attachments
return PR_FALSE if null owner doc (1.50 KB, patch)
2009-04-20 01:19 PDT, Olli Pettay [:smaug] (vacation Aug 25-28)
jst: review+
jst: superreview+
dveditz: approval1.9.0.11+
1.8 patch (1.04 KB, patch)
2009-05-14 04:54 PDT, Martin Stránský
bugs: review+
samuel.sidler+old: approval1.8.1.next+

Description moz_bug_r_a4 2009-04-20 00:57:58 PDT
This is a variant of bug 383424.  fx3 and fx2 are affected.

The owner document of an element can become null after GC.  If the owner
document is null, nsCxPusher::Push() does not push a JS context, and thus event
listeners can be executed on the wrong JS context.  (On trunk, if the owner
document is null, nsCxPusher::Push() fails, and thus event listeners are not
executed.)
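The following C++ model is an added illustration of the control flow the report describes; it is not code from the bug, the testcase or Gecko itself. The class and function names (CxPusherVulnerable, CxPusherFixed, DispatchToListener, ContextStack) are hypothetical stand-ins for nsCxPusher and the event dispatch path, and the assumption that the caller's current context is chrome-privileged is made only to show why executing a listener on "the wrong JS context" matters. The vulnerable pusher reports success without pushing anything when the owner document is null, so the listener runs on whatever context the caller left current; the fixed pusher returns false (PR_FALSE) and the dispatcher skips the listener, which is the behaviour the patch restores.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-ins for the Gecko objects the bug report names.
// Names and structure are assumptions for illustration, not Gecko's own.
struct JSContext {
    std::string principal;   // who script running on this context acts as
};

struct Document {
    JSContext cx;            // the context a document's listeners should run on
};

struct Element {
    Document* ownerDoc;      // can become null once the document is collected
};

// The "current context" stack that listeners are executed against.
struct ContextStack {
    std::vector<JSContext*> frames;
    JSContext* current() const { return frames.empty() ? nullptr : frames.back(); }
};

// Pre-fix behaviour (1.9.0 / 1.8.1): a null owner document is treated as
// success, so nothing is pushed and whatever context the caller already
// had on the stack stays current.
class CxPusherVulnerable {
public:
    explicit CxPusherVulnerable(ContextStack& s) : stack_(s) {}
    bool Push(Element* el) {
        if (!el->ownerDoc) {
            return true;     // BUG: reports success without pushing a context
        }
        stack_.frames.push_back(&el->ownerDoc->cx);
        pushed_ = true;
        return true;
    }
    ~CxPusherVulnerable() { if (pushed_) stack_.frames.pop_back(); }
private:
    ContextStack& stack_;
    bool pushed_ = false;
};

// Post-fix behaviour ("return PR_FALSE if null owner doc"): a null owner
// document makes Push() fail, and the dispatcher then skips the listener
// instead of running it on the wrong context.
class CxPusherFixed {
public:
    explicit CxPusherFixed(ContextStack& s) : stack_(s) {}
    bool Push(Element* el) {
        if (!el->ownerDoc) {
            return false;    // PR_FALSE: refuse rather than silently continue
        }
        stack_.frames.push_back(&el->ownerDoc->cx);
        pushed_ = true;
        return true;
    }
    ~CxPusherFixed() { if (pushed_) stack_.frames.pop_back(); }
private:
    ContextStack& stack_;
    bool pushed_ = false;
};

// Runs the element's listener and returns the principal the listener observed,
// or "" if the listener was not executed at all.
template <class Pusher>
std::string DispatchToListener(ContextStack& stack, Element* el) {
    Pusher pusher(stack);
    if (!pusher.Push(el)) {
        return "";           // Push() failed: listener not run
    }
    JSContext* cx = stack.current();
    return cx ? cx->principal : "";
}

// Scenario from the report: the event is dispatched while a more privileged
// caller context (assumed here to be chrome) is current, to an element whose
// owner document has already been garbage-collected.
std::string OrphanListenerPrincipal(bool fixed) {
    Document callerDoc{{"chrome"}};
    ContextStack stack;
    stack.frames.push_back(&callerDoc.cx);
    Element orphan{nullptr};            // owner document is gone
    return fixed ? DispatchToListener<CxPusherFixed>(stack, &orphan)
                 : DispatchToListener<CxPusherVulnerable>(stack, &orphan);
}

// Control: an element that still has its owner document runs on that
// document's own context in both versions.
std::string LiveListenerPrincipal(bool fixed) {
    Document callerDoc{{"chrome"}};
    Document contentDoc{{"http://content.example"}};   // constructed sample
    ContextStack stack;
    stack.frames.push_back(&callerDoc.cx);
    Element live{&contentDoc};
    return fixed ? DispatchToListener<CxPusherFixed>(stack, &live)
                 : DispatchToListener<CxPusherVulnerable>(stack, &live);
}

int main() {
    std::printf("vulnerable, orphan element: listener ran as '%s'\n",
                OrphanListenerPrincipal(false).c_str());
    std::printf("fixed, orphan element:      listener ran as '%s'\n",
                OrphanListenerPrincipal(true).c_str());
    return 0;
}
```

The point of the model is the silent-success path: a guard that returns "ok" without establishing the security context it was asked for leaves the caller's context in force, so the only safe failure mode is the one the patch chooses, refusing and not running the listener at all.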
Comment 1 moz_bug_r_a4 2009-04-20 01:00:05 PDT
Created attachment 373621: testcase
Comment 2 Olli Pettay [:smaug] (vacation Aug 25-28) 2009-04-20 01:19:31 PDT
Created attachment 373624: return PR_FALSE if null owner doc

This is basically what is done on 191/trunk.
Comment 3 Daniel Veditz [:dveditz] 2009-04-22 15:35:01 PDT
Comment on attachment 373624: return PR_FALSE if null owner doc

Approved for 1.9.0.10, a=dveditz for release-drivers
Comment 4 Olli Pettay [:smaug] (vacation Aug 25-28) 2009-04-23 00:55:45 PDT
Checking in content/base/src/nsContentUtils.cpp;
/cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v  <--  nsContentUtils.cpp
new revision: 1.312; previous revision: 1.3
Comment 5 Al Billings [:abillings] 2009-05-11 14:09:00 PDT
Verified fixed in 1.9.0.11 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. Verified the ill behavior on 1.9.0.10.
Comment 6 Martin Stránský 2009-05-14 04:54:21 PDT
Created attachment 377393: 1.8 patch

What about this one for 1.8?
Comment 7 Martin Stránský 2009-05-14 04:57:04 PDT
Comment on attachment 377393: 1.8 patch

Do you mind checking this one?
Comment 8 Johnny Stenback (:jst, jst@mozilla.com) 2009-05-14 12:47:32 PDT
Comment on attachment 377393: 1.8 patch

Smaug, what do you think about this for 1.8?
Comment 9 Samuel Sidler (old account; do not CC) 2009-05-29 10:37:08 PDT
Comment on attachment 377393: 1.8 patch

Approved for 1.8.1.22. a=ss for release-drivers
Comment 10 Daniel Veditz [:dveditz] 2009-05-29 23:55:08 PDT
Fixed on the 1.8.1 branch

Checking in base/src/nsContentUtils.cpp;
/cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v  <--  nsContentUtils.cpp
new revision: 1.107.4.28; previous revision: 1.107.4.27
done
Comment 11 Al Billings [:abillings] 2009-06-02 15:10:10 PDT
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre.