Closed Bug 811382 Opened 7 years ago Closed 7 years ago

Update OTS to r95


(Core :: Graphics, defect, major)

Not set



Tracking Status
firefox17 --- wontfix
firefox18 + verified
firefox19 + verified
firefox-esr10 18+ verified
firefox-esr17 18+ verified


(Reporter: posidron, Assigned: jfkthame)




(Keywords: csectype-bounds, sec-high, sec-vector, Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+])


(2 files, 1 obsolete file)

We should update OTS to r95 to fix an out of bounds issue.
Group: core-security
some information at, the chromium bug is hidden.

Also identified as CVE-2012-2897, and MS is apparently fixing the underlying kernel bug today

There may still be other OS bugs triggerable from the same table, we should still take the OTS patch.
Attached patch update OTS library to r.95 (obsolete) — Splinter Review
Attachment #681983 - Flags: review?(jdaggett)
Attachment #681988 - Flags: review?(jdaggett)
Attachment #681983 - Attachment is obsolete: true
Attachment #681983 - Flags: review?(jdaggett)
Attachment #681988 - Flags: review?(jdaggett) → review+
Comment on attachment 681988 [details] [diff] [review]
update OTS library to r.95

[Security approval request comment]
How easily can the security issue be deduced from the patch?
The flaw in OTS is easy to see; it's harder to know what its actual impact would be, or how to exploit the loophole, as the real problem is within Windows code; this patch is about preventing the bad data being passed on to Windows in the first place.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Google has opened up the corresponding Chromium bug, which has details of the problem.

Which older supported branches are affected by this flaw?

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Trivial to backport, negligible risk.

How likely is this patch to cause regressions; how much testing does it need?
This patch may cause us to reject a webfont that is currently accepted, which could appear as a "regression" to an author relying on a broken font; but that's its intended effect.

Given that the upstream OTS/chromium reports and patch are public, and given the simplicity of the patch, I think we should land this on all branches ASAP.
Attachment #681988 - Flags: sec-approval?
Attachment #681988 - Flags: approval-mozilla-esr10?
Attachment #681988 - Flags: approval-mozilla-beta?
Attachment #681988 - Flags: approval-mozilla-aurora?
Comment on attachment 681988 [details] [diff] [review]
update OTS library to r.95

[Triage Comment]
Too late in the cycle (one day before RC) to take this into FF17.
Attachment #681988 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Now that we can see Chrome's bug it looks like the specific OS crash is not triggerable in Firefox because we use different windows drawing calls. A variant font still might be able to tickle the OS in untoward ways but as of right now we don't know of one.
Keywords: sec-criticalsec-high
Comment on attachment 681988 [details] [diff] [review]
update OTS library to r.95


Since Chrome's patch was already public there's no need to delay landing on mozilla-central. Other branch landings still require release-driver approval.
Attachment #681988 - Flags: sec-approval?
Attachment #681988 - Flags: sec-approval+
Attachment #681988 - Flags: approval-mozilla-esr17?
Assignee: nobody → jfkthame
Closed: 7 years ago
Resolution: --- → FIXED
Comment on attachment 681988 [details] [diff] [review]
update OTS library to r.95

We'll approve for the ESRs after we ship this next round on Tuesday. Please land on Aurora now, however, to make the merge.
Attachment #681988 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 681988 [details] [diff] [review]
update OTS library to r.95

Approved for ESR-10 and ESR-17 branches.
Attachment #681988 - Flags: approval-mozilla-esr17?
Attachment #681988 - Flags: approval-mozilla-esr17+
Attachment #681988 - Flags: approval-mozilla-esr10?
Attachment #681988 - Flags: approval-mozilla-esr10+
I notice that ESR-10 is currently at a significantly older version of OTS; i.e. we haven't been backporting OTS updates as we've been taking them over the past year. Do we want to just cherry-pick this fix (it applies cleanly to the older version, so we can do that without difficulty)? Or if we're going to touch OTS in ESR-10, should we simply take the complete update from r.74 to r.95, so as to pick up other correctness fixes that have happened in the meantime?

(Personally, I think it would make most sense to take the full update. There are a few other revs listed at that look like they could have possible security implications, and I don't think there's any significant stability risk in taking the update.)
For ESR-10 consideration: this is the patch to update OTS to r.95 from the version currently in ESR-10 (r.74), rather than only cherry-picking the couple of most recent changes. (See for the upstream changelog.)
Comment on attachment 687013 [details] [diff] [review]
[esr10] update OTS library to r.95.

Marking approval-mozilla-esr10? for consideration as per comment 14. In effect, this rolls up the fixes we took in bug 712217, bug 730190, bug 747816 and bug 762484, together with the most recent fixes in this bug.

The code changes are pretty minor, but include at least one potential OOB issue as well as a few sanitization correctness fixes, so although the earlier bugs were not specifically called out as security issues, I think it would make sense to take the complete update rather than cherry-picking.

If this is -not- accepted for ESR-10, we can still land the smaller patch that only cherry-picks the latest two fixes but leaves earlier issues unaddressed.
Attachment #687013 - Flags: approval-mozilla-esr10?
I'd much rather take the whole r95 update rather than try to cherry pick patches.
Attachment #687013 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+]
Is there any type of testing QA can do for the upcoming releases (18, 10.0.12esr, 17.0.2esr) to shake out potential regressions?
Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+] → [adv-main18+][adv-esr17+][adv-esr10+][qa?]
All downloadable webfonts are processed by OTS, so regressions would most likely show up as webfont problems (fonts failing to load, or in the worst case, crashes when trying to load them). So it'd be good to have lots of testing on sites that use a variety of webfonts, I guess.
I'll see what I can come up with. Thanks.
Keywords: verifyme
Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+][qa?] → [adv-main18+][adv-esr17+][adv-esr10+]
Jonathan, I had Softvision do some dogfooding of Web Fonts in 10.0.2esr candidate builds overnight and this is what they came up with:

Can you please review their results and let me know if this meets verification of this bug? If not, please advise what we can test further.

Thank you
It looks like many of the "scenarios" described there involve downloading and installing a font locally, and then using it in the browser; IOW those aren't web-font (CSS @font-face) tests but general font-installation and font-selection tests.

The scenarios that use the Google webfonts service are indeed testing OTS; for more extensive testing, maybe it'd be worth checking examples that use other webfonts services as well, such as,, and; or use fonts from via @font-face kits rather than downloading the font and installing locally.
(In reply to Jonathan Kew (:jfkthame) from comment #23)
> maybe it'd be worth checking examples that use
> other webfonts services as well

Sure, I'll have them check a few of these tonight.
Jonathan, Softvision tested with the same scenarios as before using the font sites you suggested and did not find any regressions. Unless there is something else you'd like tested, I think we can call this verified fixed and keep our eye out for potential real-world feedback.
Keywords: verifyme
Sounds good to me, thanks.
Marking this bug verified fixed based on comment 22 through 26.
Group: core-security
You need to log in before you can comment on or make changes to this bug.