Closed
Bug 770431
Opened 13 years ago
Closed 12 years ago
Arbitrary code execution using bug 768101 and bug 770429
Categories
(Core :: Security, defect)
People
(Reporter: moz_bug_r_a4, Assigned: bholley)
Details
(Keywords: sec-critical, Whiteboard: [advisory-tracking+])
By using bug 768101's trick, content can take advantage of bug 770429 and perform a privilege escalation attack without user interaction.
Comment 1 (Reporter)•13 years ago
This works on fx10-16.
Updated•13 years ago
status-firefox-esr10: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
tracking-firefox-esr10: --- → ?
tracking-firefox15: --- → +
tracking-firefox16: --- → +
Keywords: sec-critical
Comment 2 (Assignee)•13 years ago
Presumably, this will be fixed with my fix for bug 770431 (the actual patches are in bug 760109).
Comment 3•13 years ago
Assigning to Bobby for bookkeeping and double-checking the fix.
Assignee: nobody → bobbyholley+bmo
Comment 4•13 years ago
Did those changes end up fixing this problem?
Comment 5•13 years ago
The testcase doesn't seem to do much on my OS X machine with Firefox 14.0.1 or current nightly. I get a blank iframe on a page.
Comment 6•12 years ago
Let's wait for this to be fixed on trunk before tracking for a specific ESR version again.
Bobby - can you try to see if you have better luck than Al?
tracking-firefox-esr10: 15+ → ---
Comment 7•12 years ago
Oh never mind, bug 760109 has an approval request. We'll leave this at 15+.
tracking-firefox-esr10: --- → 15+
Comment 8•12 years ago
Bug 760109 is landed in 15 and ESR 10.0.7 (15+), but there's still some work here for bug 768101 coming for 16, so bumping up the ESR tracking flag for the next release.
Comment 9•12 years ago
This may now be fixed in Firefox 18 since bug 768101 might be. This testcase probably no longer works (I get Error: Access to 'chrome://browser/content/browser.xul' from script denied) because bug 770429 was fixed.
I guess we might as well call this fixed and if there are unfixed variations they can go into new bugs.
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox18: --- → fixed
tracking-firefox18: --- → +
Resolution: --- → FIXED
Updated•12 years ago
Whiteboard: [advisory-tracking+]
Comment 10•12 years ago
Calling this fixed in 15 because it's using 768101 to abuse bug 770429, and that was fixed in 15.
Updated•12 years ago
Group: core-security