Closed
Bug 826163
(CVE-2013-1677)
Opened 12 years ago
Closed 12 years ago
Out-of-bound read in gfxSkipCharsIterator::SetOffsets
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | + | wontfix |
firefox21 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: inferno, Assigned: smontagu)
References
Details
(5 keywords, Whiteboard: [asan][adv-main21+])
Attachments
(3 files)
4.74 KB,
text/html
|
Details | |
1.58 KB,
patch
|
roc
:
review+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
5.70 KB,
patch
|
Details | Diff | Splinter Review |
Reproduces on trunk.
>==20823== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a4ada32cc at pc 0x7f2a7fc58c4c bp 0x7fff9bb19a10 sp 0x7fff9bb19a08
>READ of size 4 at 0x7f2a4ada32cc thread T0
> #0 0x7f2a7fc58c4b in gfxSkipCharsIterator::SetOffsets(unsigned int, bool) src/gfx/thebes/gfxSkipChars.cpp:91
> #1 0x7f2a71fedf14 in gfxSkipCharsIterator::SetOriginalOffset(int) src/../../../dist/include/gfxSkipChars.h:232
> #2 0x7f2a728d57a8 in nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsTextFrameThebes.cpp:7877
> #3 0x7f2a726cfc69 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:847
> #4 0x7f2a7269fc7d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned int&) src/layout/generic/nsInlineFrame.cpp:680
> #5 0x7f2a7269cc36 in nsInlineFrame::ReflowFrames(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:543
> #6 0x7f2a72699856 in nsInlineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:395
> #7 0x7f2a726cf77d in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:840
> #8 0x7f2a7238d9b2 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:3725
> #9 0x7f2a72387fd6 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3522
> #10 0x7f2a7237abea in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3376
> #11 0x7f2a72369ecb in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2483
> #12 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
> #13 0x7f2a72343dd4 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1043
> #14 0x7f2a723d2921 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
> #15 0x7f2a72374ec6 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3101
> #16 0x7f2a72369bea in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2480
> #17 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
> #18 0x7f2a72343dd4 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1043
> #19 0x7f2a724327cd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:953
> #20 0x7f2a725fd5a7 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsCanvasFrame.cpp:493
> #21 0x7f2a724327cd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:953
> #22 0x7f2a72576746 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) src/layout/generic/nsGfxScrollFrame.cpp:433
> #23 0x7f2a7257af47 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) src/layout/generic/nsGfxScrollFrame.cpp:533
> #24 0x7f2a7257f397 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsGfxScrollFrame.cpp:774
> #25 0x7f2a724327cd in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:953
> #26 0x7f2a72971a8b in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsViewportFrame.cpp:202
> #27 0x7f2a72090215 in PresShell::DoReflow(nsIFrame*, bool) src/layout/base/nsPresShell.cpp:7558
> #28 0x7f2a720c0a6d in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7699
> #29 0x7f2a720bf13d in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/nsPresShell.cpp:3907
> #30 0x7f2a720bd4d3 in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3757
> #31 0x7f2a71eb687f in nsDocumentViewer::LoadComplete(tag_nsresult) src/layout/base/nsDocumentViewer.cpp:990
> #32 0x7f2a7a48bb7e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) src/docshell/base/nsDocShell.cpp:6514
> #33 0x7f2a7a48344b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) src/docshell/base/nsDocShell.cpp:6342
> #34 0x7f2a7a4843cb in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) src/docshell/base/nsDocShell.cpp:6349
> #35 0x7f2a7a59707f in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:1305
> #36 0x7f2a7a594632 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:885
> #37 0x7f2a7a58d8fe in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:775
> #38 0x7f2a7a591f95 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:659
> #39 0x7f2a7a5937cb in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:663
> #40 0x7f2a6ff667c1 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) src/netwerk/base/src/nsLoadGroup.cpp:676
> #41 0x7f2a73ae0290 in nsDocument::DoUnblockOnload() src/content/base/src/nsDocument.cpp:7361
> #42 0x7f2a73adfe41 in nsDocument::UnblockOnload(bool) src/content/base/src/nsDocument.cpp:7303
> #43 0x7f2a73a88cb3 in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4280
> #44 0x7f2a73b83272 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
> #45 0x7f2a7f4d1c3f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #46 0x7f2a7f146495 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:237
> #47 0x7f2a7cb7cadc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #48 0x7f2a7f7c35f2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #49 0x7f2a7f7c3429 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #50 0x7f2a7f7c32fe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #51 0x7f2a7bf6f317 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #52 0x7f2a7aa9b575 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #53 0x7f2a6fce5284 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #54 0x7f2a6fceae6a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #55 0x7f2a6fcedc30 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4088
> #56 0x41dad6 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
> #57 0x41b2f0 in main src/browser/app/nsBrowserApp.cpp:279
> #58 0x7f2a90abb76c in
>0x7f2a4ada32cc is located 0 bytes to the right of 204-byte region [0x7f2a4ada3200,0x7f2a4ada32cc)
>allocated by thread T0 here:
> #0 0x40fbd2 in __interceptor_malloc
> #1 0x7f2a91ad8604 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7f2a7fc567c8 in operator new[](unsigned long) src/../../dist/include/mozilla/mozalloc.h:212
> #3 0x7f2a7fc567c8 in gfxSkipChars::BuildShortcuts() src/gfx/thebes/gfxSkipChars.cpp:25
> #4 0x7f2a7fb582bf in gfxSkipChars::TakeFrom(gfxSkipChars*) src/gfx/thebes/gfxSkipChars.h:106
> #5 0x7f2a7fb57af3 in gfxTextRun::gfxTextRun(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) src/gfx/thebes/gfxFont.cpp:4568
> #6 0x7f2a7fb3a5db in gfxTextRun::Create(gfxTextRunFactory::Parameters const*, unsigned int, gfxFontGroup*, unsigned int) src/gfx/thebes/gfxFont.cpp:4551
> #7 0x7f2a7fb3dc84 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int) src/gfx/thebes/gfxFont.cpp:3592
> #8 0x7f2a72840dab in gfxTextRun* MakeTextRun<unsigned char>(unsigned char const*, unsigned int, gfxFontGroup*, gfxTextRunFactory::Parameters const*, unsigned int) src/layout/generic/nsTextFrameThebes.cpp:555
> #9 0x7f2a72835bc5 in BuildTextRunsScanner::BuildTextRunForFrames(void*) src/layout/generic/nsTextFrameThebes.cpp:2052
> #10 0x7f2a7282ab47 in BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrameThebes.cpp:1411
> #11 0x7f2a7283a6fe in BuildTextRunsScanner::ScanFrame(nsIFrame*) src/layout/generic/nsTextFrameThebes.cpp:1603
> #12 0x7f2a7283b145 in BuildTextRunsScanner::ScanFrame(nsIFrame*) src/layout/generic/nsTextFrameThebes.cpp:1643
> #13 0x7f2a7284e807 in BuildTextRuns(gfxContext*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrameThebes.cpp:1314
> #14 0x7f2a72849f2c in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrameThebes.cpp:2468
> #15 0x7f2a728d4339 in nsTextFrame::ReflowText(nsLineLayout&, int, nsRenderingContext*, bool, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsTextFrameThebes.cpp:7816
> #16 0x7f2a726cfc69 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:847
> #17 0x7f2a7269fc7d in nsInlineFrame::ReflowInlineFrame(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsIFrame*, unsigned int&) src/layout/generic/nsInlineFrame.cpp:680
> #18 0x7f2a7269cc36 in nsInlineFrame::ReflowFrames(nsPresContext*, nsHTMLReflowState const&, nsInlineFrame::InlineReflowState&, nsHTMLReflowMetrics&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:543
> #19 0x7f2a72699856 in nsInlineFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsInlineFrame.cpp:395
> #20 0x7f2a726cf77d in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:840
> #21 0x7f2a7238d9b2 in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:3725
> #22 0x7f2a72387fd6 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3522
> #23 0x7f2a7237abea in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3376
> #24 0x7f2a72369ecb in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2483
> #25 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
> #26 0x7f2a72343dd4 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1043
> #27 0x7f2a723d2921 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
> #28 0x7f2a72374ec6 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3101
> #29 0x7f2a72369bea in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2480
> #30 0x7f2a72350be8 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2000
>Shadow bytes around the buggy address:
> 0x1fe5495b4600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fe5495b4610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fe5495b4620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fe5495b4630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fe5495b4640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>=>0x1fe5495b4650: 00 00 00 00 00 00 00 00 00[04]fb fb fb fb fb fb
> 0x1fe5495b4660: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> 0x1fe5495b4670: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> 0x1fe5495b4680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fe5495b4690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fe5495b46a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap righ redzone: fb
> Freed Heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> ASan internal: fe
>Stats: 250M malloced (538M for red zones) by 403569 calls
>Stats: 47M realloced by 24065 calls
>Stats: 225M freed by 283304 calls
>Stats: 113M really freed by 208600 calls
>Stats: 612M (612M-0M) mmaped; 153 maps, 0 unmaps
> mmaps by size class: 10:253890; 11:12282; 12:3072; 13:1536; 14:1280; 15:256; 16:1152; 17:1280; 18:48; 19:40; 20:24;
> mallocs by size class: 10:374083; 11:19834; 12:2763; 13:1873; 14:1627; 15:435; 16:1456; 17:1366; 18:70; 19:40; 20:22;
> frees by size class: 10:258335; 11:17089; 12:1638; 13:1639; 14:1453; 15:310; 16:1376; 17:1349; 18:58; 19:38; 20:19;
> rfrees by size class: 10:193497; 11:10852; 12:866; 13:748; 14:834; 15:188; 16:977; 17:607; 18:26; 19:4; 20:1;
>Stats: malloc large: 1498 small slow: 4502
>Stats: StackDepot: 0 ids; 0M mapped
>==20823== ABORTING
>
Reporter | ||
Updated•12 years ago
|
Component: General → Layout: Text
Product: Firefox → Core
Version: unspecified → Trunk
Comment 1•12 years ago
|
||
more fallout from
Assignee: nobody → smontagu
Summary: Heap-buffer-overflow in gfxSkipCharsIterator::SetOffsets → Out-of-bound read in gfxSkipCharsIterator::SetOffsets
Whiteboard: [asan]
Assignee | ||
Comment 2•12 years ago
|
||
Bisecting with mozilla-central-debug nightlies, the history seems to be a bit complicated. I start seeing an assertion
Invalid offset: 'aOffset <= mSkipChars->mCharCount', file ../../../gfx/thebes/gfxSkipChars.cpp, line 60
in the range http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=edd45de440ba&tochange=8a30e07815ff, which could be bug 818454.
The crash starts in the range
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8ca3e1c469e&tochange=20d1a5916ef6, which could be bug 825871 or bug 825875.
Assignee | ||
Comment 3•12 years ago
|
||
Jonathan, I think this is more likely your beat than mine.
Assignee: smontagu → jfkthame
Assignee | ||
Comment 5•12 years ago
|
||
So I think we should fix this by reapplying the patch from bug 722137, and re-patch bug 818454 (see also comments in bug 827192)
Attachment #708543 -
Flags: review?(roc)
Assignee | ||
Comment 6•12 years ago
|
||
Attachment #708543 -
Flags: review?(roc) → review+
Assignee | ||
Comment 7•12 years ago
|
||
Comment on attachment 708543 [details] [diff] [review]
Reapply bug 722137
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not at all, as far as I can see.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No
Which older supported branches are affected by this flaw? 20 (aurora)
If not all supported branches, which bug introduced the flaw? Bug 818454
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes
How likely is this patch to cause regressions; how much testing does it need? This area of code has been vulnerable to regressions before (bug 722137, bug 698335). Fuzzing has been effective in finding regressions.
Attachment #708543 -
Flags: sec-approval?
Updated•12 years ago
|
Blocks: CVE-2013-1676
status-b2g18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
Updated•12 years ago
|
Keywords: sec-moderate
Comment 8•12 years ago
|
||
Attachment #708543 -
Flags: sec-approval? → sec-approval+
Updated•12 years ago
|
No longer blocks: CVE-2013-1676
Updated•12 years ago
|
Blocks: CVE-2013-1676
Assignee | ||
Comment 9•12 years ago
|
||
Comment 10•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment 11•12 years ago
|
||
This needs to be nominated for beta uplift (if low risk) prior to this coming Tuesday when we go to build on beta 5.
Comment 12•12 years ago
|
||
This is marked tracking+ for 20, which is closing its doors soon. Simon, any plans on uplift?
Flags: needinfo?(smontagu)
Assignee | ||
Comment 13•12 years ago
|
||
I don't think this is low-risk enough for beta, especially since there is a knock-on effect: taking this will regress bug 818454, so we would need to take the latest patch from there as well.
Flags: needinfo?(smontagu)
Updated•12 years ago
|
Updated•12 years ago
|
Whiteboard: [asan] → [asan][adv-main21+]
Updated•12 years ago
|
Alias: CVE-2013-1677
Updated•11 years ago
|
Group: core-security
Assignee | ||
Comment 14•11 years ago
|
||
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•