Heap address leak in XSLT

RESOLVED DUPLICATE of bug 640339

Status

Product: Core
Component: XSLT
Reported: 7 years ago
Modified: 7 years ago

People

(Reporter: Josh Bressers, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter, 7 years ago)
From Chris Evans:

The bug is in the generate-id() XPath function, which is sometimes used in XSL transforms. Here's a web page that simply calls generate-id() and renders the result as a web page:

https://cevans-app.appspot.com/static/genid.xml

Let's see how this renders in different browsers:

Firefox (64-bit Linux)
id0x00007fbac51c1000

There is no "obfuscation" that this is a raw heap address. Since Firefox is open source, we can go and look at the source code to find that indeed, the string is generated from a pointer (txXPathNodeUtils::getXSLTId):

const char gPrintfFmt[] = "id0x%016p";


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
http://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html
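The mechanism described in the report is simply a pointer run through printf's %p, so every id carries a raw heap address. The following C program is an added example (not Firefox's code and not the fix that landed in bug 640339): it reproduces the address-shaped id next to a hypothetical hardened form that maps each node to a small per-document counter, which keeps generate-id()'s uniqueness and stability guarantees without exposing memory layout, plus a small check a test suite could use to catch address-shaped ids in output. The node pointers, the id_table structure and the looks_like_address helper are all constructed for this illustration.

```c
#include <ctype.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leaky form: the id is the node's address printed as zero-padded hex, the
 * same shape the page's "id0x%016p" format produces. The uintptr_t cast with
 * PRIxPTR is used here only so the padded width is portable across libcs. */
static void leaky_generate_id(const void *node, char *out, size_t outlen)
{
    snprintf(out, outlen, "id0x%016" PRIxPTR, (uintptr_t)node);
}

/* Hypothetical hardened form (an assumption for this example): a per-document
 * table hands each node a sequential number the first time it is seen. The
 * id stays unique and stable within the document, which is all generate-id()
 * promises, but reveals nothing about where the node lives in memory. */
#define MAX_NODES 256
struct id_table {
    const void *nodes[MAX_NODES];
    size_t count;
};

static int opaque_generate_id(struct id_table *t, const void *node,
                              char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i < t->count; i++) {
        if (t->nodes[i] == node)
            break;                          /* already numbered */
    }
    if (i == t->count) {
        if (t->count == MAX_NODES)
            return -1;                      /* table full; caller decides */
        t->nodes[t->count++] = node;
    }
    snprintf(out, outlen, "id%zu", i + 1);
    return 0;
}

/* Detection helper for tests or output review: does an id look like a raw
 * pointer, i.e. "id0x" followed by exactly 16 hex digits? */
static int looks_like_address(const char *id)
{
    if (strncmp(id, "id0x", 4) != 0)
        return 0;
    const char *hex = id + 4;
    if (strlen(hex) != 16)
        return 0;
    for (size_t i = 0; i < 16; i++) {
        if (!isxdigit((unsigned char)hex[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    int nodes[2];                   /* constructed stand-ins for two DOM nodes */
    char buf[64];
    struct id_table table = { {0}, 0 };

    leaky_generate_id(&nodes[0], buf, sizeof buf);
    printf("leaky : %s  (address-shaped: %d)\n", buf, looks_like_address(buf));

    opaque_generate_id(&table, &nodes[0], buf, sizeof buf);
    printf("opaque: %s  (address-shaped: %d)\n", buf, looks_like_address(buf));
    opaque_generate_id(&table, &nodes[1], buf, sizeof buf);
    printf("opaque: %s\n", buf);
    opaque_generate_id(&table, &nodes[0], buf, sizeof buf);
    printf("opaque: %s  (same node again, same id)\n", buf);
    return 0;
}
```

The counter table is deliberately the simplest possible design; a real engine would hang the counter off the document object and use a hash map rather than a linear scan, but the property that matters is the same: the id must be a function of document identity, never of memory placement.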
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 640339
Updated (Reporter, 7 years ago)
Alias: CVE-2011-1202