Closed Bug 489131 (CVE-2009-1838) Opened 15 years ago Closed 15 years ago

Arbitrary code execution using event listeners attached to an element whose owner document is null

Categories: Core :: Security, defect
Version/Type/Priority/Severity: 1.9.0 Branch, defect, Not set, normal
Status: VERIFIED FIXED
People: Reporter: moz_bug_r_a4, Assigned: smaug
Details: Keywords: testcase, verified1.8.1.22, verified1.9.0.11; Whiteboard: [sg:critical] fixed in 1.9.1 by 435656
Attachments: 2 files

This is a variant of bug 383424.  fx3 and fx2 are affected.

The owner document of an element can become null after GC.  If the owner
document is null, nsCxPusher::Push() does not push a JS context, and thus event
listeners can be executed on the wrong JS context.  (On trunk, if the owner
document is null, nsCxPusher::Push() fails, and thus event listeners are not
executed.)
Attached file testcase
Assignee: nobody → Olli.Pettay
This is basically what is done on 191/trunk.
Attachment #373624 - Flags: superreview?(jst)
Attachment #373624 - Flags: review?(jst)
Attachment #373624 - Flags: approval1.9.0.9?
Attachment #373624 - Flags: approval1.9.0.9? → approval1.9.0.10?
Flags: blocking1.9.0.10?
Flags: blocking1.8.1.next?
Keywords: testcase
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [sg:critical]
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.10?
Flags: blocking1.9.0.10+
Flags: blocking1.8.1.next?
Flags: blocking1.8.1.next+
Whiteboard: [sg:critical] → [sg:critical] needs r/sr=jst. fixed in 1.9.1 by
Attachment #373624 - Flags: superreview?(jst)
Attachment #373624 - Flags: superreview+
Attachment #373624 - Flags: review?(jst)
Attachment #373624 - Flags: review+
Whiteboard: [sg:critical] needs r/sr=jst. fixed in 1.9.1 by → [sg:critical] fixed in 1.9.1 by ??
Comment on attachment 373624
return PR_FALSE if null owner doc

Approved for 1.9.0.10, a=dveditz for release-drivers
Attachment #373624 - Flags: approval1.9.0.10? → approval1.9.0.10+
Whiteboard: [sg:critical] fixed in 1.9.1 by ?? → [sg:critical] fixed in 1.9.1 by 435656
Checking in content/base/src/nsContentUtils.cpp;
/cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v  <--  nsContentUtils.cpp
new revision: 1.312; previous revision: 1.3
Keywords: fixed1.9.0.10
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.0.11 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. Verified the ill behavior on 1.9.0.10.
Status: RESOLVED → VERIFIED
Attached patch 1.8 patch
What about this one for 1.8?
Comment on attachment 377393
1.8 patch

Do you mind checking this one?
Comment on attachment 377393
1.8 patch

Smaug, what do you think about this for 1.8?
Attachment #377393 - Flags: review?(jst) → review?(Olli.Pettay)
Attachment #377393 - Flags: review?(Olli.Pettay) → review+
Attachment #377393 - Flags: approval1.8.1.next?
Comment on attachment 377393
1.8 patch

Approved for 1.8.1.22. a=ss for release-drivers
Attachment #377393 - Flags: approval1.8.1.next? → approval1.8.1.next+
Fixed on the 1.8.1 branch

Checking in base/src/nsContentUtils.cpp;
/cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v  <--  nsContentUtils.cpp
new revision: 1.107.4.28; previous revision: 1.107.4.27
done
Keywords: fixed1.8.1.22
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre.
Group: core-security
Alias: CVE-2009-1838