Bug 643450 - Problem with nsJSContext::CallEventHandler
Status: Closed, RESOLVED FIXED
Opened 14 years ago; closed 14 years ago
Categories: Core :: Security, defect
Tracking: target milestone mozilla5
People: Reporter: moz_bug_r_a4; Assigned: mrbkap
Details: Keywords: regression; Whiteboard: [sg:critical][qa-examined-192][qa-needs-STR]
Attachments (2 files)
Attachment 523429, "Proposed fix" (1.55 KB, patch): peterv: review+; dveditz: approval2.0+
Attachment 537630, "1.9.2 patch" (2.01 KB, patch): jst: review+; dveditz: approval1.9.2.18-; dveditz: approval1.9.2.20+
Description • 14 years ago • Reporter (moz_bug_r_a4)
In nsJSContext::CallEventHandler, after popping a principal, when converting rval to a variant, we access properties of rval if rval is an array. Thus, it's possible to call a native function without a frame or a pushed principal, in which case the result of nsScriptSecurityManager::IsCapabilityEnabled() is true.
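The ordering problem the report describes, as an added JavaScript model (this is not Gecko code and not the patch attached to this bug): the caller's principal is popped before the handler's return value is converted, so an accessor property on a returned array runs with nothing on the security stack, and a check that asks "is anything pushed?" passes. The `securityStack`, `isCapabilityEnabled`, `toVariant` and `callEventHandler*` names are invented stand-ins for the Gecko internals; the "fixed" ordering is one illustrative remedy, since the actual patch is not visible on this page.

```javascript
// Added model of the bug: the principal is popped before the handler's
// return value is walked, so a getter on an array element executes with
// no principal pushed. Names are invented; this is not Gecko code.

const securityStack = []; // stand-in for the pushed-principal stack

function isCapabilityEnabled() {
  // Mirrors the report's claim: with nothing pushed, the check passes.
  return securityStack.length === 0;
}

function toVariant(rval) {
  // Array results are converted element by element. Reading each index
  // re-enters script if the element is an accessor property.
  if (Array.isArray(rval)) {
    const out = [];
    for (let i = 0; i < rval.length; i++) out.push(rval[i]);
    return out;
  }
  return rval;
}

function callEventHandlerBuggy(handler, principal) {
  securityStack.push(principal);
  const rval = handler();
  securityStack.pop();           // popped before conversion: the bug
  return toVariant(rval);        // getters now run with an empty stack
}

function callEventHandlerFixed(handler, principal) {
  securityStack.push(principal);
  try {
    const rval = handler();
    return toVariant(rval);      // convert while the principal is still pushed
  } finally {
    securityStack.pop();
  }
}

// A content handler returning an array whose element 0 is a getter.
// Whatever the getter does happens at conversion time, not at return time.
function makeHandler(observed) {
  return function handler() {
    const arr = [];
    Object.defineProperty(arr, 0, {
      enumerable: true,
      get() {
        observed.capabilityEnabled = isCapabilityEnabled();
        return 'x';
      },
    });
    return arr;
  };
}

function runBuggy() {
  const observed = {};
  callEventHandlerBuggy(makeHandler(observed), 'content-principal');
  return observed.capabilityEnabled;
}

function runFixed() {
  const observed = {};
  callEventHandlerFixed(makeHandler(observed), 'content-principal');
  return observed.capabilityEnabled;
}

console.log('buggy ordering, getter sees capability enabled:', runBuggy());
console.log('fixed ordering, getter sees capability enabled:', runFixed());
```

The point the model makes is that any code path that walks a caller-controlled value after dropping the caller's security context has re-entered that caller's script with the wrong context; the conversion step has to happen before the pop, or the conversion has to avoid running accessors at all.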
Comment 1 • 14 years ago • Reporter
Comment 2 • 14 years ago
Probably needs .x+ blocking.
I can't seem to get the problem to happen with 3.6. Is this trunk-only?
blocking2.0: --- → ?
Comment 3 • 14 years ago
The Pop is there even in 1.9.0.x
Comment 4 • 14 years ago • Reporter
(In reply to comment #2)
> I can't seem to get the problem to happen with 3.6. Is this trunk-only?
On 1.9.2/1.9.1, only fast native functions can be called without a frame. I
think that if there is a fast native function that can be used for doing evil
things, 1.9.2/1.9.1 could be affected.
Updated • 14 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Comment 5 • 14 years ago • Reporter
Basically, this bug's intention is to circumvent the fix for bug 614151 (though
I can't see that bug). Is bug 614151 trunk-only?
Comment 6 • 14 years ago
Ah, that looks like trunk only.
Updated • 14 years ago
blocking2.0: ? → .x+
Comment 7 • 14 years ago • Assignee
I CC'd you to bug 614151.
Updated • 14 years ago
Assignee: nobody → mrbkap
Blocks: 614151
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Keywords: regression
Whiteboard: [sg:critical]
Comment 8 • 14 years ago • Assignee
I'm not adding a testcase for this bug since it uses the Array.prototype.shift trick.
Attachment #523429 - Flags: review?(peterv)
Updated • 14 years ago
Attachment #523429 - Flags: review?(peterv) → review+
Comment 9 • 14 years ago • Assignee
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Blocks: CVE-2011-2981
Comment 10 • 14 years ago
Per security group discussion, requesting landing on mozilla-2.0.
Updated • 14 years ago
Attachment #523429 - Flags: approval2.0?
Comment 11 • 13 years ago • Assignee
Attachment #537630 - Flags: review?(jst)
Attachment #537630 - Flags: approval1.9.2.18?
Updated • 13 years ago
Attachment #537630 - Flags: review?(jst) → review+
Updated • 13 years ago
blocking1.9.2: ? → .18+
Comment 12 • 13 years ago
Comment on attachment 537630 (1.9.2 patch)
Approved for 1.9.2.18, a=dveditz for release-drivers
Attachment #537630 - Flags: approval1.9.2.18? → approval1.9.2.18+
Updated • 13 years ago
blocking1.9.2: .18+ → .19+
Comment 13 • 13 years ago
Comment on attachment 537630 (1.9.2 patch)
Guess this didn't make 3.6.18 -- next time.
Attachment #537630 - Flags: approval1.9.2.19+
Attachment #537630 - Flags: approval1.9.2.18-
Attachment #537630 - Flags: approval1.9.2.18+
Comment 14 • 13 years ago
Comment on attachment 523429 (Proposed fix)
Approved for the mozilla2.0 repository, a=dveditz for release-drivers
Attachment #523429 - Flags: approval2.0? → approval2.0+
Comment 15 • 13 years ago
Blake, can you land this on 1.9.2, please?
Comment 16 • 13 years ago • Assignee
Comment 17 • 13 years ago
(In reply to moz_bug_r_a4 from comment #1)
> Created attachment 520663
> testcase - arbitrary code execution
On 1.9.2.18 on XP, loading this testcase over the net or locally does not cause any issues (or any real behavior at all). We just get a blank iframe.
Was the bad behavior ever actually seen on 1.9.2?
Whiteboard: [sg:critical] → [sg:critical][qa-examined-192][qa-needs-STR]
Comment 18 • 13 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=650252#c6 references this bug. Are the exploits related, as that one is definitely fixed and can be verified?
Comment 19 • 13 years ago • Reporter
(In reply to Al Billings [:abillings] from comment #17)
> Was the bad behavior ever actually seen on 1.9.2?
No, the testcase did not work on 1.9.2.
Updated • 13 years ago
Group: core-security
Updated • 13 years ago
Target Milestone: --- → mozilla5