Closed
Bug 825025
Opened 12 years ago
Closed 12 years ago
MaybeWrapValue fails to correctly wrap up string values
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | + | fixed |
firefox20 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
(Keywords: regression, sec-critical, Whiteboard: [adv-main19-])
Attachments
(2 files)
2.60 KB,
patch
|
peterv
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
1.39 KB,
patch
|
peterv
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
It checks vp->isObject(), but of course strings live in compartments too.
This causes tests to fail with the patch for bug 822691.
We need to fix this on m-c and aurora; it's a regression from bug 801712.
Assignee | ||
Updated•12 years ago
|
Whiteboard: [need review]
Assignee | ||
Comment 1•12 years ago
|
||
Attachment #696092 -
Flags: review?(peterv)
Assignee | ||
Comment 2•12 years ago
|
||
Comment on attachment 696092 [details] [diff] [review]
MaybeWrapValue should work with all gcthings.
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Probably pretty difficult. I don't know how to do it.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? To some extent. You have to know what gcthings are not objects, and how to trigger this code.
Which older supported branches are affected by this flaw? Nothing released; just Aurora 19.
If not all supported branches, which bug introduced the flaw?
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I have an Aurora backport.
How likely is this patch to cause regressions; how much testing does it need? I don't think this is likely to cause regressions.
Attachment #696092 -
Flags: sec-approval?
Assignee | ||
Comment 3•12 years ago
|
||
Attachment #696094 -
Flags: review?(peterv)
Assignee | ||
Comment 4•12 years ago
|
||
Comment on attachment 696094 [details] [diff] [review]
Patch for Aurora
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 801712
User impact if declined: On m-c, crashes. On Aurora, possible security problems.
Testing completed (on m-c, etc.): Passes the tests that fail without it.
Risk to taking this patch (and alternatives if risky): Very low risk, I believe.
String or UUID changes made by this patch: None.
Attachment #696094 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → +
Updated•12 years ago
|
Attachment #696092 -
Flags: sec-approval? → sec-approval+
Comment 5•12 years ago
|
||
Let's try to get this in for Aurora. Waiting for release management approval here.
Updated•12 years ago
|
Keywords: regression,
sec-critical
Comment 6•12 years ago
|
||
Failure to wrap sounds like sec-crit to me, if it can be exploited.
Updated•12 years ago
|
Attachment #696092 -
Flags: review?(peterv) → review+
Updated•12 years ago
|
Attachment #696094 -
Flags: review?(peterv) → review+
Updated•12 years ago
|
Comment 7•12 years ago
|
||
Comment on attachment 696094 [details] [diff] [review]
Patch for Aurora
Low risk fix for a for a sec-crit FF19 regression.Approving on aurora.
Attachment #696094 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 8•12 years ago
|
||
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla20
Assignee | ||
Comment 9•12 years ago
|
||
Comment 10•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Whiteboard: [adv-main19-]
Updated•11 years ago
|
Group: core-security
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•