Closed
Bug 554449
(CVE-2010-3773)
Opened 15 years ago
Closed 15 years ago
Fix in bug 504021 can be circumvented
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Keywords: testcase, Whiteboard: [sg:critical][critsmash:resolved])
Attachments
(2 files)
|
3.97 KB,
patch
|
jst
:
review+
peterv
:
superreview+
christian
:
approval1.9.2.13+
christian
:
approval1.9.1.16+
|
Details | Diff | Splinter Review |
|
2.13 KB,
patch
|
jst
:
review+
mrbkap
:
superreview+
|
Details | Diff | Splinter Review |
In nsXPCWrappedJSClass::CallMethod, JS_GetMethod is called before pushing a
principal, and XPCConvert::JSData2Native is called after popping the principal.
On 1.9.0, in nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject,
OBJ_GET_PROPERTY is called before pushing a principal.
1.9.0 is exploitable by bug 504021. (On trunk/1.9.2/1.9.1, bug 504021 was
fixed by bug 503926.)
A testcase for bug 554448 (which is trunk-only) depends on this bug.
|
Reporter | |
Comment 1•15 years ago
|
||
This uses bug 344495's trick.
This works on fx3.0.19 candidate.
|
||
Updated•15 years ago
|
Flags: blocking1.9.0.19?
Whiteboard: [sg:critical]
|
||
Comment 2•15 years ago
|
||
Comment on attachment 434347 [details]
testcase (requires Firebug)
What is the Firebug pattern you're abusing here? Something we're likely to see in other add-ons?
|
|
Reporter | |
Comment 3•15 years ago
|
||
(In reply to comment #2)
> (From update of attachment 434347 [details])
> What is the Firebug pattern you're abusing here? Something we're likely to see
> in other add-ons?
Please see bug 504021 comment 0. Add-ons that access content xhr.on* could be
exploitable on 1.9.0.
|
||
Comment 4•15 years ago
|
||
1.9.0.x branch is EOL.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Whiteboard: [sg:critical] → [sg:critical] 1.9.0.x and earlier
|
|
Reporter | |
Comment 5•15 years ago
|
||
Ah, I intended this bug to cover trunk and all branches. Patches for trunk and
all branches in bug 504021 have flaws I described in the first paragraph of
comment 0.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
|
||
Updated•15 years ago
|
Assignee: nobody → mrbkap
Whiteboard: [sg:critical] 1.9.0.x and earlier → [sg:critical]
|
|
||
Updated•15 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
|
||
Updated•15 years ago
|
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
|
||
Updated•15 years ago
|
blocking2.0: ? → beta1+
|
||
Comment 6•15 years ago
|
||
Blake, can we get an ETA here?
|
Assignee | |
Comment 7•15 years ago
|
||
Attachment #440367 -
Flags: review?(jst)
|
|
Assignee | |
Comment 8•15 years ago
|
||
And note: that patch is m-c only... Older branches that call QI on content objects will need more patching.
|
|
||
Updated•15 years ago
|
Attachment #440367 -
Flags: review?(jst) → review+
|
|
Assignee | |
Updated•15 years ago
|
Attachment #440367 -
Flags: superreview?(peterv)
|
||
Updated•15 years ago
|
Attachment #440367 -
Flags: superreview?(peterv) → superreview+
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical] → [sg:critical][critsmash:patch]
|
|
Assignee | |
Comment 9•15 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical][critsmash:patch] → [sg:critical][critsmash:resolved]
|
|
||
Updated•15 years ago
|
blocking1.9.1: needed → .13+
blocking1.9.2: needed → .10+
|
|
||
Comment 10•15 years ago
|
||
Blake: you said this was "more involved" on the branches so now would be a good time to start working on it for the next set of releases.
|
|
Assignee | |
Comment 11•14 years ago
|
||
Comment on attachment 440367 [details] [diff] [review]
Proposed fix
This actually applies as-is to these two branches. I must have been confusing this bug with another one.
Attachment #440367 -
Flags: approval1.9.2.13?
Attachment #440367 -
Flags: approval1.9.1.16?
|
|
Assignee | |
Comment 12•14 years ago
|
||
(that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree, I wonder if a change in Firebug is masking the problem)
|
||
Comment 13•14 years ago
|
||
Comment on attachment 440367 [details] [diff] [review]
Proposed fix
a=LegNeato for 1.9.2.13 and 1.9.1.16. Please submit by the end of today PST.
Attachment #440367 -
Flags: approval1.9.2.13?
Attachment #440367 -
Flags: approval1.9.2.13+
Attachment #440367 -
Flags: approval1.9.1.16?
Attachment #440367 -
Flags: approval1.9.1.16+
|
|
Reporter | |
Comment 14•14 years ago
|
||
(In reply to comment #12)
> (that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree,
> I wonder if a change in Firebug is masking the problem)
The testcase in this bug worked only on 1.9.0 branch.
Please see bug 560466. A testcase in bug 560466 depends on this bug.
|
|
||
Comment 15•14 years ago
|
||
|
|
||
Updated•14 years ago
|
Alias: CVE-2010-3773
|
||
Comment 16•14 years ago
|
||
So, interestingly, this backport does fix bug 560466, but not this one. Am I missing something?
Attachment #496155 -
Flags: review?(jst)
|
|
||
Comment 17•14 years ago
|
||
Comment on attachment 496155 [details] [diff] [review]
Backport for 1.9.0
Looks good to me, but mrbkap should have a look as well, and may know why this may not fix this bug but fixes bug 560466.
Attachment #496155 -
Flags: superreview?(mrbkap)
Attachment #496155 -
Flags: review?(jst)
Attachment #496155 -
Flags: review+
|
|
Reporter | |
Comment 18•14 years ago
|
||
(In reply to comment #16)
> So, interestingly, this backport does fix bug 560466, but not this one. Am I
> missing something?
1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
bug 503926) to stop the testcase in this bug.
|
|
||
Comment 19•14 years ago
|
||
(In reply to comment #18)
> 1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
> bug 503926) to stop the testcase in this bug.
Applying the patch from bug 503926 fixes the issue, indeed. What is strange is that bug 503926 was supposed to be required to fix CVE-2010-0179 (bug 504021), which was fixed in 1.9.0.19, but bug 503926 isn't in 1.9.0.19.
|
|
Reporter | |
Comment 20•14 years ago
|
||
Please see bug 504021 comment #19, #55, #56. The 1.9.0 patch modified
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject instead of fixing bug 503926.
|
|
||
Updated•14 years ago
|
Group: core-security
|
|
||
Updated•13 years ago
|
Flags: blocking1.9.0.19?
|
|
Assignee | |
Updated•13 years ago
|
Attachment #496155 -
Flags: superreview?(mrbkap) → superreview+
|
||
Comment 21•13 years ago
|
||
Blake gave this a superreview+ on January 29, 2012. Are we doing something further with this bug?
Assignee: mrbkap → nobody
Component: XPConnect → XP Toolkit/Widgets: XUL
QA Contact: xpconnect → xptoolkit.xul
|
||
Comment 22•13 years ago
|
||
Apart from not refreshing the bug and moving it to another component? :)
Assignee: nobody → mrbkap
Component: XP Toolkit/Widgets: XUL → XPConnect
QA Contact: xptoolkit.xul → xpconnect
|
|
||
Comment 23•13 years ago
|
||
Damn it. This is the second time that this has happened. I'm blaming some interaction of Nightly and Bugzilla here. I certainly didn't specifically select any components to change.
You need to log in
before you can comment on or make changes to this bug.
Description
•