Closed Bug 505988 (CVE-2009-3374) Opened 16 years ago Closed 16 years ago

It's possible to access a double-wrapped object's underlying privileged object

Categories

(Core :: XPConnect, defect, P1)

Product:
Core
Component:
XPConnect
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .4+
status1.9.1 --- .4-fixed

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Keywords: verified1.9.0.15, verified1.9.1, Whiteboard: [sg:critical])

Attachments

(1 file, 1 obsolete file)

Proposed fix
9.11 KB, patch
bzbarsky
: review+
jst
: superreview+
dveditz
: approval1.9.1.4+
dveditz
: approval1.9.0.15+
Details | Diff | Splinter Review
XPCVariant::VariantDataToJS() unwraps double-wrapped objects even when it shouldn't.
Component: Security → XPConnect
QA Contact: toolkit → xpconnect
Whiteboard: [sg:crit]
blocking1.9.1: --- → ?
Flags: blocking1.9.2+
Priority: -- → P1
Whiteboard: [sg:crit] → [sg:critical]
Do we need this on 1.9.0? This definitely block 1.9.1.x but not sure if it's for .2 or .3.
blocking1.9.1: ? → needed
status1.9.1: --- → wanted
Flags: wanted1.9.0.x?
Yes, this affects Firefox 3.0.x
Assignee: nobody → mrbkap
Flags: wanted1.9.0.x? → wanted1.9.0.x+
blocking1.9.1: needed → .3+
Flags: blocking1.9.0.13?
Attached patch Work in progress (obsolete) — Splinter Review
This patch fixes this bug, but I'm seeing spurious errors in the livemark service with it applied.
Attached patch Proposed fixSplinter Review
The spurious errors were due to my incorrectly backing out bug 384632.
Attachment #390374 - Attachment is obsolete: true
Attachment #390563 - Flags: superreview?(jst)
Attachment #390563 - Flags: review?(bzbarsky)
The blocking1.9.0.13+ is a soft block, we'll take it on the 1.9.0 branch when it gets fixed on the 1.9.1 branch.
Flags: blocking1.9.0.13? → blocking1.9.0.13+
Comment on attachment 390563 [details] [diff] [review] Proposed fix Seems ok.
Attachment #390563 - Flags: review?(bzbarsky) → review+
Attachment #390563 - Flags: superreview?(jst) → superreview+
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/03c40c5a2d4b
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
This caused a bunch of password manager test failures along these lines: /test/test_basic_form_observer_autofillForms.html | Checking foundLogins is array - got "Object", expected "Array" 82398 ERROR TEST-UNEXPECTED-FAIL | /tests/toolkit/components/passwordmgr 82407 ERROR TEST-UNEXPECTED-FAIL | /tests/toolkit/components/passwordmgr/test/test_basic_form_observer_foundLogins.html | Checking foundLogins is array - got "Object", expected "Array" and various other stuff, but I suspect most of it is due to the tests that got the errors above failing and due to the fact that the tests in this dir all depend on each other(!). Which means you have to run with --test-path=toolkit/components/passwordmgr/test/ to test reasonably; just running a single test won't work. And if you run a single test and then the whole dir that will also fail... It's not clear to me whether this is a problem in the test or in the patch yet, but for now backed out to get the tree green: http://hg.mozilla.org/mozilla-central/rev/c1ab8650e0ce
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
This is a P1 1.9.2 blocker, thus blocking Firefox 3.6a1 - any ETA on re-landing or analysing why this caused so many test failures?
Justin: can you take a second to see if you can figure out why the PW Mgr tests failed?
So, this was a test added for bug 492153. That bug added notifications for when pwmgr does things when processing a form. The notification's subject is a nsIPropertyBag, with various properties set. One of these is a JS array of relevant logins. The notification is built in nsLoginManager.js's _notifyFoundLogins() as propbag.setPropertyAsInterface("foundLogins", foundLogins.concat()); And the test is checking propbag.get("foundLogins").constructor.name, "Array", "Checking foundLogins is array"); I'd guess that either something is going wrong in setting the property (I think there's some XPCOM magic being used to shove an Array into an nsISupports param), or that checking .constructor.name isn't a reliable thing to do. [ISTR Firebug having run into similar problems.] mrbkap, does this help?
Depends on: 508471
Depends on: 508483
I need to know if this needs to land for alpha 1 in order to make 1.9.2; it's literally holding our alpha production and branch at this point. Please respond ASAP.
(In reply to comment #13) > I need to know if this needs to land for alpha 1 in order to make 1.9.2; it's > literally holding our alpha production and branch at this point. > > Please respond ASAP. Sorry, I should have commented here... The reason for the MochiTest failures are now blocking this bug. Once those bugs land, this one should be able to as well.
This probably needs to wait for the next round of releases rather than trying to rush this into 1.9.1.3/1.9.0.14
blocking1.9.1: .3+ → .4+
Flags: blocking1.9.0.14+ → blocking1.9.0.15+
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
Depends on: 509583
Mass change: adding fixed1.9.2 keyword (This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
This is blocking 1.9.1.4 and 1.9.0.15 (code freeze Sept 22!). We probably need a branch patch that includes any regression fixes, or we need branch approval requests on those bugs too.
Whiteboard: [sg:critical] → [sg:critical][needs branch patch]
Attachment #390563 - Flags: approval1.9.1.4?
Attachment #390563 - Flags: approval1.9.0.15?
Comment on attachment 390563 [details] [diff] [review] Proposed fix Approved for 1.9.1.4 and 1.9.0.15, a=dveditz
Attachment #390563 - Flags: approval1.9.1.4?
Attachment #390563 - Flags: approval1.9.1.4+
Attachment #390563 - Flags: approval1.9.0.15?
Attachment #390563 - Flags: approval1.9.0.15+
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ed60afa878e9 Checking in js/src/xpconnect/src/xpcprivate.h; /cvsroot/mozilla/js/src/xpconnect/src/xpcprivate.h,v <-- xpcprivate.h new revision: 1.286; previous revision: 1.285 done Checking in js/src/xpconnect/src/xpcvariant.cpp; /cvsroot/mozilla/js/src/xpconnect/src/xpcvariant.cpp,v <-- xpcvariant.cpp new revision: 1.32; previous revision: 1.31 done Checking in js/src/xpconnect/tests/mochitest/Makefile.in; /cvsroot/mozilla/js/src/xpconnect/tests/mochitest/Makefile.in,v <-- Makefile.in new revision: 1.12; previous revision: 1.11 done RCS file: /cvsroot/mozilla/js/src/xpconnect/tests/mochitest/test_bug384632.html,v done Checking in js/src/xpconnect/tests/mochitest/test_bug384632.html; /cvsroot/mozilla/js/src/xpconnect/tests/mochitest/test_bug384632.html,v <-- test_bug384632.html initial revision: 1.1 done
status1.9.1: wanted.4-fixed
Keywords: fixed1.9.0.15
Whiteboard: [sg:critical][needs branch patch] → [sg:critical]
Verified fixed for 1.9.0.15 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15pre) Gecko/2009092805 GranParadiso/3.0.15pre (.NET CLR 3.5.30729). Verified fixed for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20090924 Shiretoko/3.5.4pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.15verified1.9.0.15, verified1.9.1
Alias: CVE-2009-3374
This testcase doesn't run on the 1.8 branch because I get NS_ERROR_NOT_IMPLEMENTED from the document.setUserData() call. Is there some way to get the double unwrapping to happen on that branch? Or should we just not bother because that branch is missing so many wrappers anyway?
It seems that this bug is a regression from bug 384632 and that bug is not fixed on the 1.8 branch and thus the 1.8 branch is not affected by this bug.
This testcase uses XSLTProcessor.setParameter(). This testcase works on fx-3.5.3/fx-3.0.14 and is fixed on fx-3.5.4/fx-3.0.15. On SeaMonkey-1.1.18, the same behavior as fx-3.5.4/fx-3.0.15.
Group: core-security
Flags: wanted1.8.1.x-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: