Closed
Bug 648090
(CVE-2011-0083)
Opened 13 years ago
Closed 13 years ago
Mozilla Firefox SVGPathSegList.replaceItem Remote Code Execution Vulnerability (ZDI-CAN-1142)
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox5 | - | unaffected |
status2.0 | --- | unaffected |
blocking1.9.2 | --- | .18+ |
status1.9.2 | --- | .18-fixed |
blocking1.9.1 | --- | .20+ |
status1.9.1 | --- | .20-fixed |
People
(Reporter: bsterne, Assigned: jwatt)
Details
(Keywords: verified1.9.2, Whiteboard: [sg:critical?])
Attachments
(1 file)
3.12 KB,
patch
|
dholbert
:
review+
bsterne
:
approval1.9.2.18+
bsterne
:
approval1.9.1.20+
|
Details | Diff | Splinter Review |
ZDI-CAN-1142: Mozilla Firefox SVGPathSegList.replaceItem Remote Code Execution Vulnerability -- CVSS ---------------------------------------------------------------- 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- ABSTRACT ------------------------------------------------------------ TippingPoint has identified a vulnerability affecting the following products: Mozilla Firefox -- VULNERABILITY DETAILS ----------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing SVG path segment objects. The function nsSVGPathSegList::ReplaceItem() does not account for deletion of the segment object list within a user defined DOMAttrModified EventListener. Code within nsSVGPathSegList::ReplaceItem() references the segment list without verifying that it was not deleted in the aforementioned callback. This can be abused to create a dangling reference which can be leveraged to execute arbitrary code within the context of the browser. Version(s) tested: 3.6.13 Platform(s) tested: Win XP SP3 From content/svg/content/src/nsSVGPathSegList.cpp: NS_IMETHODIMP nsSVGPathSegList::ReplaceItem(nsIDOMSVGPathSeg *newItem, PRUint32 index, nsIDOMSVGPathSeg **_retval) { ... InsertElementAt(newItemSeg, index); RemoveFromCurrentList(static_cast<nsSVGPathSeg*>(mSegments.ObjectAt(index+1))); NS_ADDREF(*_retval = newItem); return NS_OK; } During execution of |InsertElementAt| "DOMAttrModified" event is dispatched. User's provided event handler will be called. During that callback it is possible to delete whole content of |mSegments|, e.g. by calling method clear() on pathSegList object. As |mSegments| is defined as |nsCOMArray| and method |ObjectAt| does not do out-of-bound check of index argument, previously |ObjectAt| freed memory will be referenced. -- CREDIT -------------------------------------------------------------- This vulnerability was discovered by: * regenrecht
Comment 1•13 years ago
|
||
provisionally "critical" based on reputation, but looks like the PoC got stripped in mail.
Whiteboard: [sg:critical?]
Reporter | ||
Comment 2•13 years ago
|
||
I've sent mail to the reporter requesting a re-send of the PoC.
Comment 3•13 years ago
|
||
Assignee | ||
Updated•13 years ago
|
Assignee: nobody → jwatt
Status: NEW → ASSIGNED
Assignee | ||
Comment 4•13 years ago
|
||
Classes that have this bug: nsSVGNumberList nsSVGPathSegList Classes that do NOT have this bug: nsSVGLengthList - ReplaceItem() not implemented nsSVGPointList - ReplaceItem() not implemented nsSVGTransformList - Different implementation
Assignee | ||
Comment 5•13 years ago
|
||
Attachment #525534 -
Flags: review?(dholbert)
Comment 6•13 years ago
|
||
Comment on attachment 525534 [details] [diff] [review] patch > nsSVGNumberList::ReplaceItem(nsIDOMSVGNumber *newItem, > PRUint32 index, > nsIDOMSVGNumber **_retval) > { >- nsresult rv = RemoveItem(index, _retval); >- if (NS_FAILED(rv)) >- return rv; >+ if (index >= mNumbers.Length()) { >+ return NS_ERROR_DOM_INDEX_SIZE_ERR; >+ } > >- return InsertElementAt(newItem, index); >+ WillModify(); >+ NS_REMOVE_SVGVALUE_OBSERVER(mNumbers[index]); >+ NS_RELEASE(mNumbers[index]); >+ mNumbers[index] = newItem; >+ NS_ADDREF(newItem); >+ NS_ADD_SVGVALUE_OBSERVER(newItem); >+ DidModify(); This ^ is a bit hard to parse. Could you add a comment saying something like: > // This is equivalent to RemoveItem() followed by InsertElementAt(), but > // with the WillModify() / DidModify() notifications collapsed. r=dholbert either way
Attachment #525534 -
Flags: review?(dholbert) → review+
Assignee | ||
Updated•13 years ago
|
Attachment #525534 -
Flags: approval1.9.2.17?
Assignee | ||
Comment 7•13 years ago
|
||
What's the procedure for landing this on 1.9.1 and 1.9.2? I now have patches for both ready to push.
Reporter | ||
Comment 8•13 years ago
|
||
Comment on attachment 525534 [details] [diff] [review] patch Granting approval for 1.9.2.18 and 1.9.1.20 (assuming the same patch applies there) for release-drivers.
Attachment #525534 -
Flags: approval1.9.2.18+
Attachment #525534 -
Flags: approval1.9.2.17?
Attachment #525534 -
Flags: approval1.9.1.20+
Assignee | ||
Comment 9•13 years ago
|
||
Does approval mean I should push directly to 1.9.1 and 1.9.2, or is there some sort of shadow repo that I should be pushing to?
Assignee | ||
Comment 10•13 years ago
|
||
(In reply to comment #8) > [snip] (assuming the same patch applies there) [snip] The patch needs to be tweaked slightly, but it's essentially the same.
Assignee | ||
Comment 11•13 years ago
|
||
Daniel, can I direct comment 9 at you, or ask you to get the appropriate person to comment? Apparently security bugs aren't watched as closely as I expected so asking the wind doesn't work.
Comment 12•13 years ago
|
||
Yes, please check approved patches directly into their respective branches. (shadow repo will be for trunk, as a holding pen until branch patches are ready)
Updated•13 years ago
|
tracking-firefox5:
--- → +
Comment 13•13 years ago
|
||
jst marked this tracking-firefox5+ but the version field says "1.9.2". Does this bug affect mozilla-central/aurora?
Comment 14•13 years ago
|
||
jwatt - jst's out for a while, can you tell us whether this impacts aurora as well? If so, can you request approval-aurora and land it there when you land it elsewhere?
Updated•13 years ago
|
Comment 15•13 years ago
|
||
I'll defer to jwatt for the definitive answer, but AFAIK this doesn't affect Aurora / Firefox 5. (nor does it affect Firefox 4) The classes in question (comment 4) were completely rewritten after gecko 1.9.2
Assignee | ||
Comment 16•13 years ago
|
||
(In reply to comment #3) > Created attachment 524301 [details] > PoC (try 2) This .zip is password protected, so I can't access it.
Assignee | ||
Comment 17•13 years ago
|
||
(In reply to comment #13) > jst marked this tracking-firefox5+ but the version field says "1.9.2". Does > this bug affect mozilla-central/aurora? No. It only affects 1.9.2 and earlier.
Assignee | ||
Updated•13 years ago
|
Assignee | ||
Comment 18•13 years ago
|
||
Pushed http://hg.mozilla.org/releases/mozilla-1.9.2/rev/14dbc2f02f79 Pushed http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e97fac945e09
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Comment 19•13 years ago
|
||
Loading the PoC in 1.9.2.17, I get this crash: https://crash-stats.mozilla.com/report/index/43e40b3b-5762-4707-8995-165692110607 In 1.9.2.18pre (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18pre) Gecko/20110607 Namoroka/3.6.18pre (.NET CLR 3.5.30729)), I get no crash and the PoC renders. This looks to be fixed in 1.9.2.
Keywords: verified1.9.2
Updated•13 years ago
|
Alias: CVE-2011-0083
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•