Closed
Bug 827591
Opened 12 years ago
Closed 11 years ago
Abort when CSSOM modifies an @page rule, due to reassigning an nsAutoPtr
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | + | fixed |
firefox20 | + | fixed |
firefox21 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bdahl)
References
Details
(6 keywords, Whiteboard: [adv-main19-])
Attachments
(4 files, 1 obsolete file)
217 bytes,
text/html
|
Details | |
236 bytes,
text/html
|
Details | |
13.59 KB,
text/plain
|
Details | |
1.83 KB,
patch
|
dbaron
:
review+
bajaj
:
approval-mozilla-aurora+
bajaj
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•12 years ago
|
||
###!!! ABORT: This makes no sense!: 'mRawPtr != newPtr || !newPtr', file nsAutoPtr.h, line 37 (This assertion in nsAutoPtr::assign checks that we don't re-assign the same pointer value using the '=' operator. It was added in bug 723446.)
Reporter | ||
Comment 2•12 years ago
|
||
Reporter | ||
Comment 3•12 years ago
|
||
Reporter | ||
Comment 4•12 years ago
|
||
Filed bug 827596 for fixing nsAutoPtr. But that won't fix the leaks...
Presumably nsCSSKeyframeRule::ChangeDeclaration should look more like nsCSSPageRule::ChangeDeclaration (i.e., have a test around the mDeclaration = aDeclaration). The code is still pretty sketchy, though.
Comment 6•11 years ago
|
||
Marking sec-critical because I think this kind of thing is a UAF.
Keywords: csec-uaf,
sec-critical
Assignee | ||
Comment 7•11 years ago
|
||
This uses the same fix as bug 723446. I assume we should nominate this for aurora and beta too? I have yet to find the cause of the leak though.
Attachment #699941 -
Flags: review?(dbaron)
Comment on attachment 699941 [details] [diff] [review] crash fix - v1 r=dbaron, and yes, this should go on aurora and beta
Attachment #699941 -
Flags: review?(dbaron) → review+
Assignee | ||
Comment 9•11 years ago
|
||
Comment on attachment 699941 [details] [diff] [review] crash fix - v1 [Approval Request Comment] Bug caused by (feature/regressing bug #): 115199 User impact if declined: crashes when setting @page rule properties Testing completed (on m-c, etc.): try run Risk to taking this patch (and alternatives if risky): very low String or UUID changes made by this patch: none As mentioned above this is the same fix as bug 723446 which landed awhile ago.
Attachment #699941 -
Flags: approval-mozilla-beta?
Attachment #699941 -
Flags: approval-mozilla-aurora?
Comment 10•11 years ago
|
||
This will need to go through sec-approval on the patch as a sec-critical affecting more than trunk. https://wiki.mozilla.org/Security/Bug_Approval_Process
Updated•11 years ago
|
Blocks: 115199
Keywords: regression
Updated•11 years ago
|
Assignee: nobody → bdahl
status-b2g18:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → unaffected
Updated•11 years ago
|
Updated•11 years ago
|
Assignee | ||
Comment 11•11 years ago
|
||
Comment on attachment 699941 [details] [diff] [review] crash fix - v1 [Security approval request comment] How easily could an exploit be constructed based on the patch? It's trivial to crash the browser, I'm not sure what level of exploit we consider this. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Yes, the test illuminates the problem. Which older supported branches are affected by this flaw? ff19+ If not all supported branches, which bug introduced the flaw? bug 115199 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The code hasn't changed since FF19 so it should be easy to apply the patch. How likely is this patch to cause regressions; how much testing does it need? Very unlikely.
Attachment #699941 -
Flags: sec-approval?
Updated•11 years ago
|
Attachment #699941 -
Flags: sec-approval? → sec-approval+
Comment 12•11 years ago
|
||
Since this affects 19+ only, we should get this in now before we go through more betas. If we fix it now, we don't run the risk of exposing the public to it. sec-approval+
Updated•11 years ago
|
Attachment #699941 -
Flags: approval-mozilla-beta?
Attachment #699941 -
Flags: approval-mozilla-beta+
Attachment #699941 -
Flags: approval-mozilla-aurora?
Attachment #699941 -
Flags: approval-mozilla-aurora+
Reporter | ||
Comment 13•11 years ago
|
||
I filed a separate bug for the leak: bug 829817.
Keywords: mlk
Summary: Leak or abort when CSSOM modifies an @page rule → Abort when CSSOM modifies an @page rule, due to reassigning an nsAutoPtr
Reporter | ||
Updated•11 years ago
|
Attachment #698941 -
Attachment is obsolete: true
Assignee | ||
Comment 14•11 years ago
|
||
What do I need to do to get this into MC and the other branches? I imagine setting the usual checkin-needed keyword won't work since this is a security bug?
Comment 15•11 years ago
|
||
I've seen RyanVM land security bugs, too.
Comment 16•11 years ago
|
||
So just go ahead and set the flag, I mean.
Assignee | ||
Updated•11 years ago
|
Keywords: checkin-needed
Comment 17•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #15) > I've seen RyanVM land security bugs, too. Lies. https://hg.mozilla.org/integration/mozilla-inbound/rev/f5742005bcbd
Comment 18•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f5742005bcbd
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 19•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/4c9385482def https://hg.mozilla.org/releases/mozilla-beta/rev/75e3211747e1
Updated•11 years ago
|
Whiteboard: [adv-main19-]
Comment 20•11 years ago
|
||
Can we make this bug public now? It would allow us to unhide bug 829817 so that more people can try to fix that bug.
Flags: needinfo?(dveditz)
Comment 21•11 years ago
|
||
We normally would wait until at least Firefox 20 shipped since this was just fixed in 19.
Updated•11 years ago
|
Group: core-security
Flags: needinfo?(dveditz)
You need to log in
before you can comment on or make changes to this bug.
Description
•