Bug 769265 (CVE-2012-3979)

Audit for incorrect uses of __android_log_print

RESOLVED FIXED in Firefox 15



5 years ago


(Reporter: mrbkap, Assigned: mrbkap)


({sec-audit, sec-high})


Firefox Tracking Flags

(firefox15+ fixed, firefox16 fixed, firefox-esr10 wontfix)


(Whiteboard: [advisory-tracking+])


(1 attachment)

2.72 KB, patch
Ben Turner (not reading bugmail, use the needinfo flag!)
: review+
: checkin+


5 years ago
Debugging something today, I realized that we have a few places where we incorrectly call __android_log_print in potentially exploitable ways. The fix is easy and coming up.

Comment 1

5 years ago
Created attachment 637506
Attachment #637506 - Flags: review?(bent.mozilla)
Attachment #637506 - Flags: review?(bent.mozilla) → review+

Comment 2

5 years ago


5 years ago
Attachment #637506 - Flags: checkin+
Last Resolved: 5 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla16


5 years ago
status-firefox-esr10: --- → unaffected


5 years ago
status-firefox-esr10: unaffected → wontfix
We should fix this in Firefox 15.
status-firefox15: --- → affected
tracking-firefox15: --- → ?
Keywords: sec-audit, sec-high
Please nominate for aurora uplift so we can look at getting this in before merge day on Monday July 16th.
tracking-firefox15: ? → +

Comment 6

5 years ago
Comment on attachment 637506

[Approval Request Comment]
User impact if declined: Possible problems if people use dump in evil ways on Android.
Testing completed (on m-c, etc.): The patch has been in m-c for a while.
Risk to taking this patch (and alternatives if risky): Very low risk.
Attachment #637506 - Flags: approval-mozilla-beta?
Attachment #637506 - Flags: approval-mozilla-aurora?
Comment on attachment 637506

This is already fixed in Aurora (16) so only approving for Beta (15)
Attachment #637506 - Flags: approval-mozilla-beta?
Attachment #637506 - Flags: approval-mozilla-beta+
Attachment #637506 - Flags: approval-mozilla-aurora?
Attachment #637506 - Flags: approval-mozilla-aurora-

Comment 8

5 years ago
status-firefox15: affected → fixed
Whiteboard: [advisory-tracking+]
Will this do anything bad if people aren't actively debugging android? I'm guessing that __android_log_print bails out if not actually being used before doing the dangerous printf family stuff, and if so that reduces the severity here to sec-moderate since you could only target a handful of people debugging while visiting attack sites.
Alias: CVE-2012-3979

Comment 10

5 years ago
As far as I know, __android_log_print always prints stuff to the logcat. However, I don't know if there's anything that controls whether or not that's on. dougt might know more.
The advisory here says that this can only be exploited through dump() which is disabled by default. If this is the case, then this isn't sec-high. Of course if there's another way to supply the string from content, then that rating is perfectly valid.
As far as I know none of the dump() implementations touched in attachment 637506 are exposed to content, except maybe the Worker* ones.

WorkerPrivate.cpp's implementation only uses it as a fallback if reporting to the console service fails, which shouldn't really ever happen in practice. 

WorkerScope.cpp's implementation looks to not be pref-controlled, which means that workers calling dump() can spam stdout in release builds, which seems like a bug we should fix regardless of the security implementations.
I confirmed that it's exposed to content (using and filed bug 785656.
Group: core-security
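
An added example, not part of the bug thread and not the patch in attachment 637506 (which this page does not show): a small source audit that flags `__android_log_print` calls whose third (format) argument is not a string literal. It assumes the "incorrect uses" are calls that pass a variable string as the printf-style format; the function names, the regexes and the sample call sites are constructed for illustration.

```python
import re

CALL = re.compile(r'\b__android_log_print\s*\(')
LITERAL = re.compile(r'^(?:"(?:[^"\\]|\\.)*"\s*)+$')  # one or more adjacent "..." literals

def split_args(src, start):
    """Split the argument list starting just after '(' at src[start]; None if unbalanced."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == '\\':  # keep an escaped character together with its backslash
                cur.append(ch)
                i += 1
                ch = src[i] if i < len(src) else ''
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch in '([{':
            depth += 1
        elif ch in ')]}':
            if depth == 0:  # closing paren of the call itself
                return args + [''.join(cur).strip()]
            depth -= 1
        elif ch == ',' and depth == 0:  # top-level comma ends the current argument
            args.append(''.join(cur).strip())
            cur, ch = [], ''
        cur.append(ch)
        i += 1
    return None

def audit(src):
    """Return (line, format_argument) for calls whose 3rd argument is not a string literal."""
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if args and len(args) >= 3 and not LITERAL.match(args[2]):
            findings.append((src.count('\n', 0, m.start()) + 1, args[2]))
    return findings

# Constructed call sites (not Mozilla source): lines 2 and 4 pass a variable as the format.
SAMPLE = r'''
__android_log_print(ANDROID_LOG_INFO, "Example", str);
__android_log_print(ANDROID_LOG_INFO, "Example", "%s", str);
__android_log_print(ANDROID_LOG_INFO, "Example", buf.get());
__android_log_print(ANDROID_LOG_INFO, "Example", "pid=%d, (%s)", getpid(), name);
'''
```

A flagged call is only a candidate for review: as the comments above discuss for dump(), the severity depends on whether the string can be supplied from content.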