PresShell::DispatchTouchEvent should keep contentPresShell alive while using it

RESOLVED FIXED in Firefox 16

Status

()

Core
Layout
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: smaug, Assigned: wesj)

Tracking

({csectype-uaf, regression, sec-critical})

unspecified
mozilla18
x86
Linux
csectype-uaf, regression, sec-critical
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox15 unaffected, firefox16+ fixed, firefox17+ fixed, firefox18+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: regression from 732052)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
I mentioned the problem few times in review comments, yet we have now an sg:crit bug ;)
https://bugzilla.mozilla.org/show_bug.cgi?id=732052#c44
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Keywords: sec-critical
Whiteboard: regression from 732052
(Assignee)

Comment 1

5 years ago
Created attachment 660146 [details] [diff] [review]
Patch
Assignee: nobody → wjohnston
Attachment #660146 - Flags: review?(bugs)
(Assignee)

Comment 2

5 years ago
Created attachment 660147 [details] [diff] [review]
Patch v2

Whoops. Sorry about that :(
Attachment #660146 - Attachment is obsolete: true
Attachment #660146 - Flags: review?(bugs)
Attachment #660147 - Flags: review?(bugs)
tracking-firefox16: --- → ?
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
(Reporter)

Comment 3

5 years ago
Comment on attachment 660147 [details] [diff] [review]
Patch v2

No need to assign nullptr.
Attachment #660147 - Flags: review?(bugs) → review+
(Assignee)

Comment 4

5 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/89e726e160e5
(Assignee)

Comment 5

5 years ago
Comment on attachment 660147 [details] [diff] [review]
Patch v2

I assume we want to move this forward.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 732052
User impact if declined: Security risks if the presShell is destroyed by the touch event.
Testing completed (on m-c, etc.): landed on mc today (9/11/12)
Risk to taking this patch (and alternatives if risky): Low risk.
String or UUID changes made by this patch: None.
Attachment #660147 - Flags: approval-mozilla-beta?
Attachment #660147 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/89e726e160e5
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla18

Comment 7

5 years ago
sec-critical regression in FF16 - approved for landing on branches.
tracking-firefox16: ? → +
tracking-firefox17: ? → +
tracking-firefox18: ? → +
Keywords: regression

Updated

5 years ago
Attachment #660147 - Flags: approval-mozilla-beta?
Attachment #660147 - Flags: approval-mozilla-beta+
Attachment #660147 - Flags: approval-mozilla-aurora?
Attachment #660147 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/e5f591a4b733
https://hg.mozilla.org/releases/mozilla-aurora/rev/75cf936e3bdc

Updated

5 years ago
status-firefox16: affected → fixed
status-firefox17: affected → fixed
Blocks: 732052
Group: core-security
Keywords: csec-uaf

Updated

5 years ago
status-firefox18: affected → fixed
You need to log in before you can comment on or make changes to this bug.