Closed
Bug 821573
(CVE-2014-8631)
Opened 12 years ago
Closed 10 years ago
Stop allowing COWs to be passed as native interfaces
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: bholley, Assigned: bholley)
References
Details
(Keywords: sec-low, Whiteboard: [adv-main34+])
Attachments
(1 file)
|
3.17 KB,
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
My patches in bug 658909 effectively make them so, and I discovered that this breaks the contact API, because it expects to be able to pass COWs into native XPCOM methods and have them appear as XPCJWrappedJS.
There's a pretty low chance that this is exploitable. Exploiting it involve finding a content-accessible native method that accepts an interface type not marked builtin-class whose method/property requirements are somehow satisfied by those on content-accessible chrome object and that somehow manipulates the XPCWrappedJS-wrapped chrome object in a harmful way.
I think this is unlikely, and this will be fixed by bug 658909 anyway. Still, I wanted to get it on file. So I'm flagging sec-low and marking the dep.
|
Assignee | |
Comment 1•12 years ago
|
||
Just making moz_bug_r_a4 aware in case this trick is useful somehow :-)
|
|
Assignee | |
Comment 2•11 years ago
|
||
Now that PeerConnection and Contacts are on WebIDL, we should hopefully be able to get rid of this case.
https://tbpl.mozilla.org/?tree=Try&rev=d73009dd967a
|
|
Assignee | |
Comment 3•11 years ago
|
||
Looks like we also need to remove COWs from:
* mozApps
* browser-element CustomEvents
* indexedDB IPC tests
Depends on: 899322
|
||
Comment 4•11 years ago
|
||
I'd wait a little bit before actually landing anything that relies on Contacts being WebIDL, as it has a lot of regressions filed against it.
|
|
Assignee | |
Updated•10 years ago
|
Summary: COWs are not SCRIPT_ACCESS_ONLY → Stop allowing COWs to be passed as native interfaces
|
|
Assignee | |
Comment 5•10 years ago
|
||
I think we may be able to do this now.
https://tbpl.mozilla.org/?tree=Try&rev=2307927f1c4e
|
|
Assignee | |
Comment 6•10 years ago
|
||
Attachment #8475702 -
Flags: review?(gkrizsanits)
|
||
Updated•10 years ago
|
Attachment #8475702 -
Flags: review?(gkrizsanits) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
Looks like the ICS xpcshell bustage is actually present on the underlying revision on m-c. Looks green otherwise.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a23b03bf9f61
|
||
Comment 8•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox34:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
|
||
Updated•10 years ago
|
Flags: qe-verify-
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → wontfix
|
||
Updated•10 years ago
|
Whiteboard: [adv-main34+]
|
|
||
Updated•10 years ago
|
Alias: CVE-2014-8631
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•