Closed Bug 489131 (CVE-2009-1838) Opened 16 years ago Closed 16 years ago

Arbitrary code execution using event listeners attached to an element whose owner document is null

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
1.9.0 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

Details

(Keywords: testcase, verified1.8.1.22, verified1.9.0.11, Whiteboard: [sg:critical] fixed in 1.9.1 by 435656)

Attachments

(2 files)

return PR_FALSE if null owner doc
1.50 KB, patch
jst
: review+
jst
: superreview+
dveditz
: approval1.9.0.11+
Details | Diff | Splinter Review
1.8 patch
1.04 KB, patch
smaug
: review+
samuel.sidler+old
: approval1.8.1.next+
Details | Diff | Splinter Review
This is a variant of bug 383424. fx3 and fx2 are affected. The owner document of an element can become null after GC. If the owner document is null, nsCxPusher::Push() does not push a JS context, and thus event listeners can be executed on the wrong JS context. (On trunk, if the owner document is null, nsCxPusher::Push() fails, and thus event listeners are not executed.)
Attached file testcase
Assignee: nobody → Olli.Pettay
This is basically what is done on 191/trunk.
Attachment #373624 - Flags: superreview?(jst)
Attachment #373624 - Flags: review?(jst)
Attachment #373624 - Flags: approval1.9.0.9?
Attachment #373624 - Flags: approval1.9.0.9? → approval1.9.0.10?
Flags: blocking1.9.0.10?
Flags: blocking1.8.1.next?
Keywords: testcase
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [sg:critical]
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.10?
Flags: blocking1.9.0.10+
Flags: blocking1.8.1.next?
Flags: blocking1.8.1.next+
Whiteboard: [sg:critical] → [sg:critical] needs r/sr=jst. fixed in 1.9.1 by
Attachment #373624 - Flags: superreview?(jst)
Attachment #373624 - Flags: superreview+
Attachment #373624 - Flags: review?(jst)
Attachment #373624 - Flags: review+
Whiteboard: [sg:critical] needs r/sr=jst. fixed in 1.9.1 by → [sg:critical] fixed in 1.9.1 by ??
Comment on attachment 373624 [details] [diff] [review] return PR_FALSE if null owner doc Approved for 1.9.0.10, a=dveditz for release-drivers
Attachment #373624 - Flags: approval1.9.0.10? → approval1.9.0.10+
Whiteboard: [sg:critical] fixed in 1.9.1 by ?? → [sg:critical] fixed in 1.9.1 by 435656
Checking in content/base/src/nsContentUtils.cpp; /cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v <-- nsContentUtils.cpp new revision: 1.312; previous revision: 1.3
Keywords: fixed1.9.0.10
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.0.11 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. Verified the ill behavior on 1.9.0.10.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.11verified1.9.0.11
Attached patch 1.8 patchSplinter Review
What about this one for 1.8?
Comment on attachment 377393 [details] [diff] [review] 1.8 patch Do you mind to check this one?
Comment on attachment 377393 [details] [diff] [review] 1.8 patch Smaug, what do you think about this for 1.8?
Attachment #377393 - Flags: review?(jst) → review?(Olli.Pettay)
Attachment #377393 - Flags: review?(Olli.Pettay) → review+
Attachment #377393 - Flags: approval1.8.1.next?
Comment on attachment 377393 [details] [diff] [review] 1.8 patch Approved for 1.8.1.22. a=ss for release-drivers
Attachment #377393 - Flags: approval1.8.1.next? → approval1.8.1.next+
Fixed on the 1.8.1 branch Checking in base/src/nsContentUtils.cpp; /cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v <-- nsContentUtils.cpp new revision: 1.107.4.28; previous revision: 1.107.4.27 done
Keywords: fixed1.8.1.22
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre.
Keywords: fixed1.8.1.22verified1.8.1.22
Group: core-security
Alias: CVE-2009-1838
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: