Closed
Bug 626297
(CVE-2011-2983)
Opened 14 years ago
Closed 13 years ago
regexp-statics possibly allows to read private data
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox7 | - | unaffected |
firefox8 | - | unaffected |
firefox9 | - | unaffected |
blocking1.9.2 | --- | .20+ |
status1.9.2 | --- | .20-fixed |
status1.9.1 | --- | wontfix |
People
(Reporter: sync2d, Assigned: cdleary)
References
Details
(Keywords: reporter-external, verified1.9.2, Whiteboard: [sg:high])
Attachments
(2 files)
92.67 KB,
image/jpeg
|
Details | |
11.84 KB,
patch
|
mrbkap
:
review+
christian
:
approval1.9.2.20+
|
Details | Diff | Splinter Review |
Mozilla/5.0 (Windows; U; Windows NT 6.0; ja; rv:1.9.2.13) Gecko/20101203
Description:
When RegExp.input is set,
JSSubString which RegExp.$1 uses becomes a dangling pointer.
So, scripts can read a freed-and-recycled memory area.
Testcase:
1. Open the new tab and execute:
javascript:
function S(v) { return "xxxxxxx,xxxxxxx,xxxx" + v; }
/^(.*)/.exec(S(0));
RegExp.input = S(1);
clearInterval(window.tid);
window.tid = setInterval(function () {
document.title = "[" + RegExp.$1 + "]";
}, 1000);
void 0;
2. Then browse some sites in other tabs.
Comment 2•14 years ago
|
||
(In reply to comment #1)
> Seems like a dup of bug 610223.
That bug was marked as a trunk-only YARR regression that didn't affect 1.9.2.
Updated•14 years ago
|
Assignee: general → cdleary
Whiteboard: DUPEME → [sg:moderate?]
Assignee | ||
Comment 4•14 years ago
|
||
(In reply to comment #2)
> That bug was marked as a trunk-only YARR regression that didn't affect 1.9.2.
Yeah, I assumed YARR introduced it -- are our regression tests being backported to 1.9.2 at all? I don't know how that process works.
Status: NEW → ASSIGNED
Updated•14 years ago
|
Whiteboard: [sg:moderate?] → [sg:high]
Updated•14 years ago
|
Comment 5•14 years ago
|
||
(In reply to comment #4)
> Yeah, I assumed YARR introduced it -- are our regression tests being backported
> to 1.9.2 at all? I don't know how that process works.
Not in general. Sometimes/often the regression tests are checked in to the branch along with a specific security bug back-port. Since the YARR regression didn't affect the branches its patch (and therefore regression tests) were not checked in.
We don't always check in tests, depending on how obviously they point at the vulnerability we often wait until we've issued fixes and advisories for the supported branches before checking them in. We set the in-testsuite flag to "?" to remind us to go back and do so.
Updated•14 years ago
|
blocking1.9.1: ? → .18+
blocking1.9.2: ? → .16+
Updated•14 years ago
|
blocking1.9.2: .15+ → .16+
Updated•14 years ago
|
blocking1.9.1: .19+ → ?
blocking1.9.2: .17+ → ?
blocking2.0: --- → ?
Updated•14 years ago
|
blocking2.0: ? → ---
Assignee | ||
Comment 6•14 years ago
|
||
Patch against mc-192. User only has access to res->pendingInput through the object interface. res->input is set iff a successful match is performed or (friend API) js_ClearRegExpStatics is called for save/restore junk; failure in the regexp execution clears the statics entirely.
Attachment #526428 -
Flags: review?(mrbkap)
Updated•14 years ago
|
Attachment #526428 -
Flags: review?(mrbkap) → review+
Assignee | ||
Updated•13 years ago
|
Attachment #526428 -
Flags: approval1.9.2.19?
Assignee | ||
Comment 7•13 years ago
|
||
Comment on attachment 526428 [details] [diff] [review]
Add pending input.
Maybe that was the wrong ? to set.
Attachment #526428 -
Flags: approval1.9.2.20?
Comment on attachment 526428 [details] [diff] [review]
Add pending input.
a=LegNeato for 1.9.2.20.
Attachment #526428 -
Flags: approval1.9.2.20?
Attachment #526428 -
Flags: approval1.9.2.20+
Attachment #526428 -
Flags: approval1.9.2.19?
Assignee | ||
Comment 9•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Alias: CVE-2011-2983
Comment 10•13 years ago
|
||
Verified fixed in 1.9.2.20 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20) using code in comment 0. No longer leaking private data as we are in 1.9.2.19 when I tested it.
Comment 11•13 years ago
|
||
Al, why did you move this from .20-fixed to .21-fixed? Did this not make the build?
Updated•13 years ago
|
status-firefox7:
--- → unaffected
status-firefox8:
--- → unaffected
status-firefox9:
--- → unaffected
tracking-firefox7:
--- → -
tracking-firefox8:
--- → -
tracking-firefox9:
--- → -
Updated•13 years ago
|
Group: core-security
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•