Closed
Bug 865948
(CVE-2013-1703)
Opened 11 years ago
Closed 11 years ago
nsScriptSecurityManager::CheckLoadURIWithPrincipal is broken for nsExpandedPrincipal
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: bholley, Assigned: bholley)
References
Details
(Keywords: regression, sec-high, Whiteboard: [adv-main21+][adv-esr1708+])
Attachments
(3 files)
|
1.31 KB,
patch
|
gkrizsanits
:
review+
bajaj
:
approval-mozilla-aurora+
bajaj
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr17+
lsblakk
:
approval-mozilla-b2g18+
|
Details | Diff | Splinter Review |
|
2.34 KB,
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
|
2.43 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
in CheckLoadURIWithPrincipal, we have special handling for nsExpandedPrincipal, in which we iterate over the whitelist, caling CheckLoadURIWithPrincipal on each one individually. But if none of those succeed, we return NS_OK (!!!) instead of a failure code. This means that the nsExpandedPrincipal can load whatever it wants. :-( I really should have caught this in review. I'm currently investigating why this wasn't caught by our test coverage.
|
||
Comment 1•11 years ago
|
||
This is a regression from bug 734891, patch 2, which landed in Fx16.
status-b2g18:
--- → affected
status-b2g18-v1.0.0:
--- → wontfix
status-b2g18-v1.0.1:
--- → affected
status-firefox20:
--- → wontfix
status-firefox21:
--- → affected
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox21:
--- → ?
tracking-firefox22:
--- → ?
tracking-firefox23:
--- → ?
|
|
||
Comment 2•11 years ago
|
||
Probably better not to mark the dependency on bug 734891, which may be findable by inspection of the patch.
|
||
Comment 3•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #0) > This means that > the nsExpandedPrincipal can load whatever it wants. :-( Trying to estimate the risk here... what can they load? For XHR this check is only used for the scheme check (we don't have test coverage for that :( ), but XHR to another domain that is not on the list still fails. For accessing object we don't rely on this check. Can we load anything else? Is anyone currently using nsEP based XHR?
|
Assignee | |
Comment 4•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #3) > Can we load anything else? Is anyone currently using nsEP based XHR? This check isn't just for XHR. In this particular case, it allows content to load about: (a system-principal paged) in an iframe, which should normally throw as insecure.
|
|
||
Comment 5•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #4) > (In reply to Gabor Krizsanits [:krizsa :gabor] from comment #3) > > Can we load anything else? Is anyone currently using nsEP based XHR? > > This check isn't just for XHR. In this particular case, it allows content to > load about: (a system-principal paged) in an iframe, which should normally > throw as insecure. Sure, I get that this check is used in other cases too. But I don't understand your example, how could content code ever run with nsEP to do that?
|
|
Assignee | |
Comment 6•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #5) > Sure, I get that this check is used in other cases too. But I don't > understand your example, how could content code ever run with nsEP to do > that? If they combine it with other vulnerabilities, like bug 865947. See bug 863933.
|
|
||
Comment 7•11 years ago
|
||
Thanks, I looked over that one. wow... just, wow...
|
||
Comment 8•11 years ago
|
||
Can we get a security rating here? Tracking regardless for now, but the sec rating will be important for uplift considerations.
|
|
Assignee | |
Comment 9•11 years ago
|
||
Attachment #742718 -
Flags: review?(gkrizsanits)
|
|
Assignee | |
Comment 10•11 years ago
|
||
Attachment #742719 -
Flags: review?(gkrizsanits)
|
|
Assignee | |
Updated•11 years ago
|
Flags: in-testsuite?
|
|
Assignee | |
Comment 11•11 years ago
|
||
It's hard to say. I'm going to hazard a guess at sec-moderate on its own, but this is one of the pieces that make up bug 863933, which is sec-critical.
Keywords: sec-moderate
|
|
||
Updated•11 years ago
|
Attachment #742718 -
Flags: review?(gkrizsanits) → review+
|
|
||
Comment 12•11 years ago
|
||
Comment on attachment 742719 [details] [diff] [review] Tests. v1 Review of attachment 742719 [details] [diff] [review]: ----------------------------------------------------------------- replace all 777777 -> 865948
Attachment #742719 -
Flags: review?(gkrizsanits) → review+
|
|
Assignee | |
Comment 13•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cf9e342c1e7c
|
|
Assignee | |
Comment 14•11 years ago
|
||
Heh, sorry about the 777777 thing. I was on a plane and couldn't file a bug. :-)
Attachment #742757 -
Flags: review+
|
|
Assignee | |
Comment 15•11 years ago
|
||
Comment on attachment 742718 [details] [diff] [review] Return the appropriate value when the whitelist checks fail. v1 [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 734891 User impact if declined: Potential security bugs, depending on who's using nsExpandedPrincipal. They only started being used outside of jetpack in FF21. Testing completed (on m-c, etc.): Just pushed to inbound, but the patch is very safe. Risk to taking this patch (and alternatives if risky): None. Not risky. String or IDL/UUID changes made by this patch: None
Attachment #742718 -
Flags: approval-mozilla-esr17?
Attachment #742718 -
Flags: approval-mozilla-beta?
Attachment #742718 -
Flags: approval-mozilla-b2g18?
Attachment #742718 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 16•11 years ago
|
||
See comment 11 for the security ramifications of this beyond the immediate sec-moderate rating.
https://hg.mozilla.org/mozilla-central/rev/cf9e342c1e7c
Target Milestone: --- → mozilla23
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Comment 18•11 years ago
|
||
Comment on attachment 742718 [details] [diff] [review] Return the appropriate value when the whitelist checks fail. v1 Given this is sec-mod,I am going to untrack it for Fx21 and let the fix land in Fx22.Also this is a regression from Fx16, hence no rush to get it landed in our final two beta's .Approving for aurora and a- for beta. please renominate if there is a disagreement here.
Attachment #742718 -
Flags: approval-mozilla-beta?
Attachment #742718 -
Flags: approval-mozilla-beta-
Attachment #742718 -
Flags: approval-mozilla-aurora?
Attachment #742718 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•11 years ago
|
|
|
Assignee | |
Comment 19•11 years ago
|
||
Comment on attachment 742718 [details] [diff] [review] Return the appropriate value when the whitelist checks fail. v1 (In reply to bhavana bajaj [:bajaj] from comment #18) > Comment on attachment 742718 [details] [diff] [review] > Return the appropriate value when the whitelist checks fail. v1 > > Given this is sec-mod See comment 16. The security rating is kind of arbitrary here. > Also this is a regression from Fx16, hence no rush to get it landed > in our final two beta's. It's a regression from Fx16 in that Fx16 introduced the feature of nsExpandedPrincipal. But we only started using it in the platform in Fx21. I think we should take the patch. It's a one-liner that very clearly only takes effect in a situation that is, otherwise, a very obvious security bug.
Attachment #742718 -
Flags: approval-mozilla-beta- → approval-mozilla-beta?
|
|
||
Comment 20•11 years ago
|
||
Comment on attachment 742718 [details] [diff] [review] Return the appropriate value when the whitelist checks fail. v1 Reconsidered based on https://bugzilla.mozilla.org/show_bug.cgi?id=865948#c19 & because the patch is very safe . Approving on beta. please land by tomorrow noon PT.
Attachment #742718 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Updated•11 years ago
|
|
||
Updated•11 years ago
|
|
|
||
Comment 21•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/32fb800ed81d https://hg.mozilla.org/releases/mozilla-beta/rev/75e01dbd4b22
|
|
||
Updated•11 years ago
|
|
|
||
Comment 22•11 years ago
|
||
Comment on attachment 742718 [details] [diff] [review] Return the appropriate value when the whitelist checks fail. v1 This is out of scope for ESR17, being sec-moderate, approving for uplift to b2g18 though.
Attachment #742718 -
Flags: approval-mozilla-esr17?
Attachment #742718 -
Flags: approval-mozilla-esr17-
Attachment #742718 -
Flags: approval-mozilla-b2g18?
Attachment #742718 -
Flags: approval-mozilla-b2g18+
|
|
Assignee | |
Comment 24•11 years ago
|
||
(In reply to lsblakk@mozilla.com from comment #22) > Comment on attachment 742718 [details] [diff] [review] > Return the appropriate value when the whitelist checks fail. v1 > > This is out of scope for ESR17, being sec-moderate, approving for uplift to > b2g18 though. Ok. We should definitely advisory-embargo this until esr17-EOL then. Al, is that the default behavior when we WONTFIX a sec bug on branch? This _could_ also imply embargoing bug 863933, which gets tricky...
Flags: needinfo?(abillings)
|
||
Comment 25•11 years ago
|
||
We only mention where we fix in advisories, not where we won't fix. This is only a sec-moderate. Normally, as an internal find, this would go into the rollup advisory under the list of "things found by Mozilla people that we fixed in 21" with a link to a list of bugs in bugzilla (and no details). This wouldn't get its own advisory.
Flags: needinfo?(abillings)
Whiteboard: [adv-main21+]
|
|
||
Comment 26•11 years ago
|
||
Al, this isn't actually an internal find, despite the fact that bholley filed the bug. It is actually one part of bug 863933, which was externally reported, so it seems to me it thus qualifies as externally reported. Personally, I think this is such a low risk fix, and part of a really awful exploit, so we should really just take it on ESR17. Maybe we could even wait a few weeks, or maybe a month (when it will be in release), to get a better sense if there are any regressions.
|
|
||
Comment 27•11 years ago
|
||
Ah, I didn't realize that this was an external report. Let's loop in release management.
|
||
Updated•11 years ago
|
|
|
||
Comment 30•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #26) > Personally, I think this is such a low risk fix, and part of a really > awful exploit, so we should really just take it on ESR17. Maybe we > could even wait a few weeks, or maybe a month (when it will be in > release), to get a better sense if there are any regressions. Re-nominating for ESR-17 based on the above.
|
|
||
Updated•11 years ago
|
Flags: needinfo?
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Attachment #742718 -
Flags: approval-mozilla-esr17- → approval-mozilla-esr17+
|
|
||
Comment 31•11 years ago
|
||
This seems safe, and given the security team's preference here, we've approved for the next ESR17 release.
|
|
||
Updated•11 years ago
|
Whiteboard: [adv-main21+] → [adv-main21+][adv-esr1708+]
|
|
||
Updated•11 years ago
|
Alias: CVE-2013-1703
|
|
||
Updated•11 years ago
|
Group: core-security
|
|
Assignee | |
Comment 34•10 years ago
|
||
Landed tests: https://hg.mozilla.org/integration/mozilla-inbound/rev/1c6f050126d7
|
|
Assignee | |
Updated•10 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•