Bug 489131 (CVE-2009-1838)

Arbitrary code execution using event listeners attached to an element whose owner document is null

VERIFIED FIXED

Status

Product: Core
Component: Security
Status: VERIFIED FIXED
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

Tracking

Keywords: testcase, verified1.8.1.22, verified1.9.0.11
Version: 1.9.0 Branch
Bug Flags:
blocking1.9.0.11 +
wanted1.9.0.x +
blocking1.8.1.next +
wanted1.8.1.x +


Details

(Whiteboard: [sg:critical] fixed in 1.9.1 by 435656)

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
This is a variant of bug 383424.  fx3 and fx2 are affected.

The owner document of an element can become null after GC.  If the owner
document is null, nsCxPusher::Push() does not push a JS context, and thus event
listeners can be executed on the wrong JS context.  (On trunk, if the owner
document is null, nsCxPusher::Push() fails, and thus event listeners are not
executed.)
(Reporter)

Comment 1

8 years ago
Created attachment 373621 [details]
testcase
(Assignee)

Updated

8 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Comment 2

8 years ago
Created attachment 373624 [details] [diff] [review]
return PR_FALSE if null owner doc

This is basically what is done on 191/trunk.
Attachment #373624 - Flags: superreview?(jst)
Attachment #373624 - Flags: review?(jst)
Attachment #373624 - Flags: approval1.9.0.9?
(Assignee)

Updated

8 years ago
Attachment #373624 - Flags: approval1.9.0.9? → approval1.9.0.10?
Flags: blocking1.9.0.10?
Flags: blocking1.8.1.next?
Keywords: testcase
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [sg:critical]
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.10?
Flags: blocking1.9.0.10+
Flags: blocking1.8.1.next?
Flags: blocking1.8.1.next+
Whiteboard: [sg:critical] → [sg:critical] needs r/sr=jst. fixed in 1.9.1 by

Updated

8 years ago
Attachment #373624 - Flags: superreview?(jst)
Attachment #373624 - Flags: superreview+
Attachment #373624 - Flags: review?(jst)
Attachment #373624 - Flags: review+
Whiteboard: [sg:critical] needs r/sr=jst. fixed in 1.9.1 by → [sg:critical] fixed in 1.9.1 by ??
Comment on attachment 373624 [details] [diff] [review]
return PR_FALSE if null owner doc

Approved for 1.9.0.10, a=dveditz for release-drivers
Attachment #373624 - Flags: approval1.9.0.10? → approval1.9.0.10+
(Assignee)

Updated

8 years ago
Whiteboard: [sg:critical] fixed in 1.9.1 by ?? → [sg:critical] fixed in 1.9.1 by 435656
(Assignee)

Comment 4

8 years ago
Checking in content/base/src/nsContentUtils.cpp;
/cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v  <--  nsContentUtils.cpp
new revision: 1.312; previous revision: 1.3
Keywords: fixed1.9.0.10
(Assignee)

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.0.11 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. Verified the ill behavior on 1.9.0.10.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.11 → verified1.9.0.11

Comment 6

8 years ago
Created attachment 377393 [details] [diff] [review]
1.8 patch

What about this one for 1.8?

Updated

8 years ago
Attachment #377393 - Flags: review?(jst)

Comment 7

8 years ago
Comment on attachment 377393 [details] [diff] [review]
1.8 patch

Do you mind checking this one?
Comment on attachment 377393 [details] [diff] [review]
1.8 patch

Smaug, what do you think about this for 1.8?
Attachment #377393 - Flags: review?(jst) → review?(Olli.Pettay)
(Assignee)

Updated

8 years ago
Attachment #377393 - Flags: review?(Olli.Pettay) → review+
Attachment #377393 - Flags: approval1.8.1.next?
Comment on attachment 377393 [details] [diff] [review]
1.8 patch

Approved for 1.8.1.22. a=ss for release-drivers
Attachment #377393 - Flags: approval1.8.1.next? → approval1.8.1.next+
Fixed on the 1.8.1 branch

Checking in base/src/nsContentUtils.cpp;
/cvsroot/mozilla/content/base/src/nsContentUtils.cpp,v  <--  nsContentUtils.cpp
new revision: 1.107.4.28; previous revision: 1.107.4.27
done
Keywords: fixed1.8.1.22
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre.
Keywords: fixed1.8.1.22 → verified1.8.1.22
Group: core-security
Alias: CVE-2009-1838