Closed Bug 913492 Opened 11 years ago Closed 11 years ago

MobileMessageCallback::NotifyMessageDeleted needs a JS request before using JSAPI

Categories

(Core :: DOM: Device Interfaces, defect)

Version: 18 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: 1.1 QE5
blocking-b2g: leo+
Tracking Status
firefox27 --- unaffected
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- fixed
b2g18-v1.0.0 --- wontfix
b2g18-v1.0.1 --- wontfix
b2g-v1.1hd --- fixed
b2g-v1.2 --- unaffected

People

(Reporter: bent.mozilla, Assigned: bent.mozilla)

Details

(Keywords: sec-high)

Attachments

(1 file)

Attached patch: Patch, v1
MobileMessageCallback::NotifyMessageDeleted doesn't enter a request before creating an array. This crashes debug builds and could lead to GC hazards in opt builds.

Trunk looks ok so this is a branch-only problem.
Attachment #800795 - Flags: review?(khuey)
Can you clarify why you think this is a stop ship blocker? What user impact comes from this? What security rating does this bug have?
(In reply to Jason Smith [:jsmith] from comment #1)
> Can you clarify why you think this is a stop ship blocker? What user impact
> comes from this?

See comment 0? GC hazards can lead to exploitable security bugs or crashes.

> What security rating does this bug have?

Someone from sec-group would have to answer this.
Paul - Can you give a sec-rating and indicate if we need to block on this for 1.1 or not?
Flags: needinfo?(ptheriault)
Keywords: sec-high
Talked with Dan about this. Probability is low this can be discovered, but if it's discovered, it's exploitable to own your phone. The patch is simple, making this a low-risk, high-value patch.

I'm leaning towards arguing to take this on the 1.1 branch given the benefits this security fix provides.
Flags: needinfo?(ptheriault)
blocking-b2g: leo? → leo+
tracking-b2g18: ? → ---
Does this mean I'm free to land it?
(In reply to ben turner [:bent] (needinfo? encouraged) from comment #5)
> Does this mean I'm free to land it?

Yes. Good to land on b2g18.
Trunk doesn't need this fix per comment 0, and comment 7 contains the landing. Marking resolved fixed as such.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: core-security
