When there is no frame, the result of IsCapabilityEnabled is always true. This is not good since event listeners can be called with no frame.
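To make the fail-open shape described in comment 0 concrete, here is an added illustration (not Mozilla's code and not the testcase attached to this bug): a toy capability check that consults the principal of the topmost script frame, in its fail-open and fail-closed forms, and a listener dispatched with no frame on the stack. The Frame and Stack types, the "chrome" principal string and the capability name are assumptions of the example.

```cpp
#include <string>
#include <vector>

// Constructed model of the situation in comment 0 (not Mozilla's code):
// a capability check that consults the principal of the topmost JS frame.
// Frame, Stack and the capability name are assumptions for the example.
struct Frame {
    std::string principal;  // "chrome" for system code, otherwise a content origin
};
using Stack = std::vector<Frame>;

// In this model only system code holds any capability.
static bool principalHasCapability(const std::string& principal,
                                   const std::string& capability) {
    (void)capability;  // every capability is system-only here
    return principal == "chrome";
}

// Fail-open shape: an empty stack is treated as a trusted caller, so a
// listener that runs with no frame passes every capability check.
bool isCapabilityEnabledFailOpen(const Stack& stack, const std::string& capability) {
    if (stack.empty()) {
        return true;
    }
    return principalHasCapability(stack.back().principal, capability);
}

// Fail-closed shape: an empty stack carries no evidence of a trusted caller,
// so the check denies rather than grants.
bool isCapabilityEnabledFailClosed(const Stack& stack, const std::string& capability) {
    if (stack.empty()) {
        return false;
    }
    return principalHasCapability(stack.back().principal, capability);
}

typedef bool (*CapabilityCheck)(const Stack&, const std::string&);

// Event dispatch from the event loop: the content script that registered the
// listener has already returned, so the stack seen by the check is empty.
// Returns whether the privileged operation inside the listener was allowed.
bool listenerFiredWithNoFrame(CapabilityCheck check) {
    Stack stack;  // no JS frames at all
    return check(stack, "system-only-capability");
}

// Same check with a content frame on the stack: both variants deny.
bool listenerFiredFromContentFrame(CapabilityCheck check) {
    Stack stack{Frame{"https://attacker.example"}};
    return check(stack, "system-only-capability");
}

int main() {
    // With the fail-open check the no-frame listener is granted the
    // capability; with the fail-closed check it is denied.
    return (listenerFiredWithNoFrame(isCapabilityEnabledFailOpen) &&
            !listenerFiredWithNoFrame(isCapabilityEnabledFailClosed) &&
            !listenerFiredFromContentFrame(isCapabilityEnabledFailOpen)) ? 0 : 1;
}
```

The point of the two variants is only the empty-stack branch: with a content frame present both deny, so a test that always runs the listener synchronously from content script would never notice the difference, which is why the no-frame path needs its own test.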
Created attachment 631400: testcase - arbitrary code execution
This uses bug 344495's trick. This works on trunk.
Over to Bobby.
Assignee: nobody → bobbyholley+bmo
mmmm... did we have no tests for this?
Hmm, the testcase doesn't work for me on trunk...
(In reply to Boris Zbarsky (:bz) from comment #3)
> mmmm... did we have no tests for this?

That used moz_bug_r_a4's stack frame trick? I wasn't sure those were ever checked in.
We don't want to check in tests demonstrating the exploit, but often the specific problem can be demonstrated without using that trick (sometimes requires a chrome testcase to show the wrong thing is getting used/returned in places).
Keywords: regression, sec-critical, testcase
Severity: normal → blocker
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
This should be fixed by the backout in bug 754202 comment 41, right? I don't think it makes sense to leave this open in case we reland it, but of course we should test it again.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: new in Fx 16
I can't get this testcase to do anything on pre-fix trunk builds. The only thing I see that is different pre- and post-fix on my mozilla-central builds is that pre-fix has the following in the web console:

[12:02:01.330] Error: Permission denied for <https://bug762920.bugzilla.mozilla.org> to get property XPCComponents.utils

I see the same whether I load it locally or from bugzilla, as above. Do we have something that repros that issue?
There should be a specific window, between when bug 754202 landed and when it was backed out, where you should get an alert popup (indicating that the exploit was successful).
Yeah, I thought I had it. I'll keep digging.
All right. I was a day off last time. The bug repros in the 6/9 mozilla-central build and was fixed after the backout of bug 754202.
Status: RESOLVED → VERIFIED
Bug 754202 has relanded, so it'd be safest to re-verify this bug.
Status: VERIFIED → RESOLVED
Last Resolved: 6 years ago → 6 years ago
Whiteboard: new in Fx 16 → [advisory-tracking+] new in Fx 16
Whiteboard: [advisory-tracking+] new in Fx 16 → [advisory-tracking-] new in Fx 16