Closed Bug 718573 (CVE-2012-0477) Opened 13 years ago Closed 13 years ago

Potential XSS attack with ISO-2022-KR/ISO-2022-CN near 1024 bytes

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13
Tracking Flags:
Tracking Status
firefox10 --- affected
firefox11 + affected
firefox12 + verified
firefox13 + verified
firefox-esr10 12+ verified
blocking1.9.2 --- needed
status1.9.2 --- wanted

People

(Reporter: masatokinugawa, Assigned: smontagu)

References

Details

(Keywords: testcase, Whiteboard: [sg:moderate][qa!])

Attachments

(4 files, 2 obsolete files)

ISO-2022-KR test case
1.02 KB, text/html; charset=iso-2022-kr
Details
ISO-2022-CN test case
1.03 KB, text/html
Details
Patch v.2
35.67 KB, patch
emk
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta-
lsblakk
: approval-mozilla-esr10+
akeybl
: approval1.9.2.28-
Details | Diff | Splinter Review
Mochitest (covering all charsets)
5.86 KB, patch
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Build ID: 20111220165912 Steps to reproduce: Firefox has risk of potential XSS on ISO-2022-KR/ISO-2022-CN page. Actual results: On ISO-2022-KR page, characters near 1024 bytes is copied on back. On ISO-2022-CN page, characters near 1024 bytes is deleted. Expected results: Firefox should not copy or delete.
Attached file ISO-2022-KR test case
Attached file ISO-2022-CN test case
Attachment #589127 - Attachment mime type: text/plain → text/html
Attachment #589126 - Attachment mime type: text/plain → text/html
Oops, test case does not work from this link. So far, I don't know this reason. Please save and test. You will be able to reproduce this.
Confirmed. Was not able to convince bugzilla to give me the correct charset for these attachments so comment 3 applies.
Assignee: nobody → smontagu
Status: UNCONFIRMED → NEW
Component: Untriaged → Internationalization
Ever confirmed: true
Product: Firefox → Core
QA Contact: untriaged → i18n
Whiteboard: [sg:moderate]
Attachment #589126 - Attachment mime type: text/html → text/html; charset=iso-2022-kr
Attached patch Patch (obsolete) — Splinter Review
I included ISO-2022-CN in the patch, even though we may prefer to remove the decoder anyway, as suggested in bug 470523; and also ISO-2022-JP for consistency
Attachment #589920 - Flags: review?
Attachment #589920 - Flags: review? → review?(VYV03354)
Comment on attachment 589920 [details] [diff] [review] Patch > I included ISO-2022-CN in the patch, even though we may prefer to remove the > decoder anyway, as suggested in bug 470523; and also ISO-2022-JP for consistency Where is ISO-2022-JP in the patch?
Attached patch Updated patch (obsolete) — Splinter Review
Attachment #589920 - Attachment is obsolete: true
Attachment #589920 - Flags: review?(VYV03354)
Attachment #590185 - Flags: review?(VYV03354)
Comment on attachment 590185 [details] [diff] [review] Updated patch > - if(dest+1 >= destEnd) > + if(dest+1 > destEnd) Is this legal per C spec? If |dest+1| pass over the end of the array, the behavior will be undefined. It should be: if (destEnd - dest < 1)
(In reply to Masatoshi Kimura [:emk] from comment #8) > > - if(dest+1 >= destEnd) > > + if(dest+1 > destEnd) > Is this legal per C spec? If |dest+1| pass over the end of the array, the > behavior will be undefined. It should be: > if (destEnd - dest < 1) I don't understand this: dest and destEnd are just PRUnichar* pointers, and aren't being dereferenced here.
Assignee: smontagu → nobody
Component: Internationalization → Installer: XPInstall Engine
QA Contact: i18n → xpi-engine
Component: Installer: XPInstall Engine → Internationalization
OS: Windows Vista → All
QA Contact: xpi-engine → i18n
Hardware: x86 → All
Version: 9 Branch → Trunk
Assignee: nobody → smontagu
It causes undefined behavior even if it is not dereferenced per C spec. Consider about what happens if dest == destEnd == 65535 on MS-DOS small model. (I know we don't support 16-bits environments, but I think we shouldn't violate the spec without a good reason.)
Quotation from C99 6.5.6 Additive operators: > If both the pointer operand and the result point to elements of the same array > object, or one past the last element of the array object, the evaluation shall > not produce an overflow; otherwise, the behavior is undefined. See also C FAQ 6.17. http://c-faq.com/aryptr/non0based.html
Attached patch Patch v.2Splinter Review
Attachment #590185 - Attachment is obsolete: true
Attachment #590185 - Flags: review?(VYV03354)
Attachment #594972 - Flags: review?(VYV03354)
Comment on attachment 594973 [details] [diff] [review] Mochitest (covering all charsets) > #define CHECK_OVERRUN(dest, destEnd, length) ((dest > destEnd) || ((destEnd - dest) < length)) Is |(dest > destEnd)| required? It will never hold unless the program has a bug. I do not want to add extra checks because the ISO-2022-JP decoder is still heavily used in Japan.
Are you OK with adding an assertion instead of the extra check?
(In reply to Simon Montagu from comment #15) > Are you OK with adding an assertion instead of the extra check? I'm fine with that.
Comment on attachment 594972 [details] [diff] [review] Patch v.2 r=me with (dest > destEnd) changed to an assertion.
Attachment #594972 - Flags: review?(VYV03354) → review+
https://hg.mozilla.org/mozilla-central/rev/24b776d91fdb
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox13: affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
blocking1.9.2: ? → needed
status1.9.2: --- → wanted
Comment on attachment 594972 [details] [diff] [review] Patch v.2 [Approval Request Comment] Regression caused by (bug #): Not a regression. User impact if declined: Possibility of XSS caused by omitted or doubled bytes when decoding Testing completed (on m-c, etc.): Baked on trunk for 3 weeks. Risk to taking this patch (and alternatives if risky): No known risk. String changes made by this patch: None
Attachment #594972 - Flags: approval1.9.2.28?
Attachment #594972 - Flags: approval-mozilla-esr10?
Attachment #594972 - Flags: approval-mozilla-beta?
Attachment #594972 - Flags: approval-mozilla-aurora?
Comment on attachment 594972 [details] [diff] [review] Patch v.2 [Triage Comment] Approving for Aurora 12, but we're too late in FF11's release too take an sg:moderate bug. Also clearing the approval‑mozilla‑esr10 and adding the ESR tracking flag instead - we'll approve once 12 is on Beta.
Attachment #594972 - Flags: approval1.9.2.28?
Attachment #594972 - Flags: approval1.9.2.28-
Attachment #594972 - Flags: approval-mozilla-esr10?
Attachment #594972 - Flags: approval-mozilla-beta?
Attachment #594972 - Flags: approval-mozilla-beta-
Attachment #594972 - Flags: approval-mozilla-aurora?
Attachment #594972 - Flags: approval-mozilla-aurora+
Comment on attachment 594972 [details] [diff] [review] Patch v.2 [Triage Comment] 12 is on Beta now, please go ahead and land this to ESR branch as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #594972 - Flags: approval-mozilla-esr10+
Whiteboard: [sg:moderate] → [sg:moderate][qa+]
Keywords: testcase
Alias: CVE-2012-0477
Verified in trunk using nightly with attached testcases. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120420 Firefox/14.0a1
Status: RESOLVED → VERIFIED
Group: core-security
Landed mochitest now that the bug is open: https://hg.mozilla.org/integration/mozilla-inbound/rev/58d38bc9de23. Should the test land on branches also?
Flags: in-testsuite? → in-testsuite+
Mozilla/5.0 (Windows NT 6.1; rv:10.0.5) Gecko/20100101 Firefox/10.0.5 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.5) Gecko/20100101 Firefox/10.0.5 Mozilla/5.0 (X11; Linux i686; rv:10.0.5) Gecko/20100101 Firefox/10.0.5 Verified as fixed using the attached testcases.
status-firefox-esr10: fixedverified
Whiteboard: [sg:moderate][qa+] → [sg:moderate][qa!]
Depends on: 797645
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: