Closed
Bug 913492
Opened 11 years ago
Closed 11 years ago
MobileMessageCallback::NotifyMessageDeleted needs a JS request before using JSAPI
Categories
(Core :: DOM: Device Interfaces, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox27 | --- | unaffected
firefox-esr17 | --- | unaffected
firefox-esr24 | --- | unaffected
b2g18 | --- | fixed
b2g18-v1.0.0 | --- | wontfix
b2g18-v1.0.1 | --- | wontfix
b2g-v1.1hd | --- | fixed
b2g-v1.2 | --- | unaffected
People
(Reporter: bent.mozilla, Assigned: bent.mozilla)
Details
(Keywords: sec-high)
Attachments
(1 file)
855 bytes, patch | khuey: review+
MobileMessageCallback::NotifyMessageDeleted doesn't enter a request before creating an array. This crashes debug builds and could lead to GC hazards in opt builds. Trunk looks ok so this is a branch-only problem.
Attachment #800795 - Flags: review?(khuey)
Comment 1•11 years ago
Can you clarify why you think this is a stop ship blocker? What user impact comes from this? What security rating does this bug have?
Comment 2•11 years ago
(In reply to Jason Smith [:jsmith] from comment #1)
> Can you clarify why you think this is a stop ship blocker? What user impact
> comes from this?

See comment 0? GC hazards can lead to exploitable security bugs or crashes.

> What security rating does this bug have?

Someone from sec-group would have to answer this.
Comment 3•11 years ago
Paul - Can you give a sec-rating and indicate if we need to block on this for 1.1 or not?
Flags: needinfo?(ptheriault)
Attachment #800795 - Flags: review?(khuey) → review+
Comment 4•11 years ago
Talked with Dan about this. Probability is low this can be discovered, but if it's discovered, it's exploitable to own your phone. The patch is simple, making this a low risk, high value patch. I'm leaning towards arguing to take this on the 1.1 branch given the benefits this security fix provides.
Updated•11 years ago
Flags: needinfo?(ptheriault)
Updated•11 years ago
blocking-b2g: leo? → leo+
tracking-b2g18: ? → ---
Comment 5•11 years ago
Does this mean I'm free to land it?
Comment 6•11 years ago
(In reply to ben turner [:bent] (needinfo? encouraged) from comment #5)
> Does this mean I'm free to land it?

Yes. Good to land on b2g18.
Comment 7•11 years ago
https://hg.mozilla.org/releases/mozilla-b2g18/rev/af0ad26a98bd
Comment 8•11 years ago
Trunk doesn't need this fix per comment 0, and comment 7 contains the landing. Marking resolved fixed as such.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 9•11 years ago
https://hg.mozilla.org/releases/mozilla-b2g18_v1_1_0_hd/rev/af0ad26a98bd
status-b2g18-v1.0.0: --- → wontfix
status-b2g18-v1.0.1: --- → wontfix
status-b2g-v1.1hd: --- → fixed
status-b2g-v1.2: --- → unaffected
status-firefox27: --- → unaffected
Target Milestone: --- → 1.1 QE5
Updated•11 years ago
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Updated•9 years ago
Group: core-security