Bug 586401 - Potential vulnerability left after the patch in bug 585284
Status: RESOLVED FIXED
Whiteboard: [sg:high?][critsmash:investigating]
Product: Core
Classification: Components
Component: XPConnect (show other bugs)
Version: 1.9.2 Branch
Platform: x86_64 Linux
Importance: -- normal
Assigned To: Blake Kaplan (:mrbkap)
Reported: 2010-08-11 13:07 PDT by Blake Kaplan (:mrbkap)
Modified: 2012-03-19 12:35 PDT (History)
CC: 6 users
Attachments
wip (2.18 KB, patch)
2010-08-11 13:07 PDT, Blake Kaplan (:mrbkap)

Description Blake Kaplan (:mrbkap) 2010-08-11 13:07:55 PDT
Created attachment 464910 [details] [diff] [review]
wip

The patch in bug 585284 fixes the testcase in that bug, but I don't think that it deals with the cached principal stuff that is supposed to protect SJOWs from being used to access objects that the original caller doesn't have access to (I don't fully understand what it's supposed to do at the moment).

I don't know if this is actually exploitable, but I wanted to file a bug just in case...
Comment 1 Johnny Stenback (:jst, jst@mozilla.com) 2010-11-16 13:48:21 PST
Blake, I'm assuming this is fixed on trunk now, but we still need this for the older branches, right?
Comment 2 Johnny Stenback (:jst, jst@mozilla.com) 2010-12-07 13:52:17 PST
mrbkap, can you comment on this wrt current trunk vs branches?
Comment 3 Johnny Stenback (:jst, jst@mozilla.com) 2011-09-23 16:41:50 PDT
Blake, this is a non-issue on trunk now, right?
Comment 4 Blake Kaplan (:mrbkap) 2011-09-23 17:17:36 PDT
Yes.
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2011-09-23 17:18:46 PDT
Excellent, marking as such.
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2011-10-27 14:55:43 PDT
Given that we have no known way to exploit this, and no testcase, this doesn't seem worth fixing for 3.6 at this time. If someone can come up with a testcase then that's something we could look into, but as of now we have no testcase.
Comment 7 Alex Keybl [:akeybl] 2011-10-28 10:43:35 PDT
Thanks Johnny - that sounds reasonable. Marking as wontfix for 1.9.2.
Comment 8 Al Billings [:abillings] 2012-03-19 12:35:40 PDT
Resolving "fixed" since this has apparently been fixed for months but I know of no way to verify.