Closed Bug 932496 Opened 12 years ago Closed 12 years ago

ObexBase.cpp unsafe pointer increment

Categories

(Firefox OS Graveyard :: Bluetooth, defect)

Product:
Firefox OS Graveyard
Component:
Bluetooth
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox26 wontfix, firefox27 wontfix, firefox28 fixed, firefox-esr24 unaffected, b2g18 fixed, b2g-v1.1hd fixed, b2g-v1.2 fixed, b2g-v1.3 fixed, b2g-v1.3T fixed, b2g-v1.4 unaffected)

Status:
RESOLVED FIXED
Milestone:
1.3 Sprint 6 - 12/6
Tracking Flags:
Tracking Status
firefox26 --- wontfix
firefox27 --- wontfix
firefox28 --- fixed
firefox-esr24 --- unaffected
b2g18 --- fixed
b2g-v1.1hd --- fixed
b2g-v1.2 --- fixed
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- unaffected

People

(Reporter: rfletcher, Assigned: echou)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main28+])

Attachments

(3 files, 5 obsolete files)

patch 1: v3: Add length check to prevent from memory pollusion
8.70 KB, patch
gyeh
: review+
Details | Diff | Splinter Review
patch 1: final: patch for b2g26, r=gyeh
6.20 KB, patch
praghunath
: approval-mozilla-b2g26+
Details | Diff | Splinter Review
patch 1: final: patch for b2g18, r=gyeh
7.32 KB, patch
praghunath
: approval-mozilla-b2g18+
Details | Diff | Splinter Review
ObexBase.cpp defines a ParseHeaders() function that is responsible for parsing a header. During parsing, ParseHeaders() extracts a device supplied 2-byte contentLength from the header. Finally, ParseHeaders() increases a pointer by that contentLength. If ptr + contentLength > aHeaderStart + aTotalLength then [1] will read pass the object. The worst case scenario appears to be a crash caused by a malicious contentLength. [1] http://mxr.mozilla.org/mozilla-central/source/dom/bluetooth/ObexBase.cpp#118
Hmm, should ObexBase be rewritten using nsCString as data structure. Manual memcpy and malloc/free is error prone.
or could the bogus data be interpreted as something dangerous? I guess there's probably not much opportunity for a Bluetooth device to prep a FirefoxOS device's memory to take advantage of that
Assignee: nobody → echou
* Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength' * Add a new function ObexHeaderSet::ClearHeader() to empty the header set. * contentLength should be uint16_t.
Attachment #8338384 - Flags: review?
Attachment #8338384 - Flags: feedback?(rfletcher)
(In reply to Eric Chou [:ericchou] [:echou] from comment #3) > Created attachment 8338384 [details] [diff] [review] > patch 1: v1: Add length check to prevent from memory pollusion > > * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength' > * Add a new function ObexHeaderSet::ClearHeader() to empty the header set. > * contentLength should be uint16_t. One nits: ClearHeader() appears to clear "all" headers. If that is the case, would it be better to name it ClearHeaders()? Besides that, lgtm! Thanks Eric!
Comment on attachment 8338384 [details] [diff] [review] patch 1: v1: Add length check to prevent from memory pollusion Ahhh, newb'd this one up. Here is my response from the original bugzilla thread: (In reply to Eric Chou [:ericchou] [:echou] from comment #3) > Created attachment 8338384 [details] [diff] [review] [diff] [review] > patch 1: v1: Add length check to prevent from memory pollusion > > * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength' > * Add a new function ObexHeaderSet::ClearHeader() to empty the header set. > * contentLength should be uint16_t. One nits: ClearHeader() appears to clear "all" headers. If that is the case, would it be better to name it ClearHeaders()? Besides that, lgtm! Thanks Eric!
Attachment #8338384 - Flags: feedback?(rfletcher) → feedback-
(In reply to Rob Fletcher [:omerta] from comment #5) > Comment on attachment 8338384 [details] [diff] [review] > patch 1: v1: Add length check to prevent from memory pollusion > > Ahhh, newb'd this one up. Here is my response from the original bugzilla > thread: > (In reply to Eric Chou [:ericchou] [:echou] from comment #3) > > Created attachment 8338384 [details] [diff] [review] > > patch 1: v1: Add length check to prevent from memory pollusion > > > > * Error handling for case 'ptr + contentLength > aHeaderStart + aTotalLength' > > * Add a new function ObexHeaderSet::ClearHeader() to empty the header set. > > * contentLength should be uint16_t. > > One nits: > ClearHeader() appears to clear "all" headers. If that is the case, would it > be better to name it ClearHeaders()? You're right. Thanks!
* Updated based on Rob's comment.
Attachment #8338384 - Attachment is obsolete: true
Attachment #8338384 - Flags: review?
Attachment #8341568 - Flags: review?(gyeh)
Comment on attachment 8341568 [details] [diff] [review] patch 1: v2: Add length check to prevent from memory pollusion Review of attachment 8341568 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/bluetooth/ObexBase.cpp @@ +122,5 @@ > + MOZ_ASSERT(false); > + aRetHandlerSet->ClearHeaders(); > + return; > + } > + I think that error handling in BluetoothOppManager is needed for this case.
* Updated based on Gina's comment.
Attachment #8341568 - Attachment is obsolete: true
Attachment #8341568 - Flags: review?(gyeh)
Attachment #8343569 - Flags: review?(gyeh)
Comment on attachment 8343569 [details] [diff] [review] patch 1: v3: Add length check to prevent from memory pollusion Review of attachment 8343569 [details] [diff] [review]: ----------------------------------------------------------------- Great! :)
Attachment #8343569 - Flags: review?(gyeh) → review+
https://hg.mozilla.org/mozilla-central/rev/0f2650f8c995
Status: NEW → RESOLVED
Closed: 12 years ago
status-b2g18: --- → ?
status-b2g-v1.2: --- → ?
status-firefox26: --- → wontfix
status-firefox27: --- → wontfix
status-firefox28: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 1.3 Sprint 6 - 12/6
Rob - Can you find out if this issue can reproduce on 1.2 or 1.1?
Flags: needinfo?(rfletcher)
This is present in mozilla-b2g18, mozilla-b2g18_v1_1_0_hd, and mozilla-b2g26_v1_2. Yes, it's present in 1.2 and 1.1
Flags: needinfo?(rfletcher)
(In reply to Rob Fletcher [:omerta] from comment #14) > This is present in mozilla-b2g18, mozilla-b2g18_v1_1_0_hd, and > mozilla-b2g26_v1_2. > > Yes, it's present in 1.2 and 1.1 Can you please nominate the for b2g26 and b2g18 uplift?
Flags: needinfo?(echou)
Attached patch patch for b2g26 (obsolete) — Splinter Review
* Patch for b2g26. Will test with this patch next Monday.
Flags: needinfo?(echou)
Attached patch patch for b2g18 (obsolete) — Splinter Review
* Patch for b2g18. Will test on Monday then request for uplift.
(In reply to Eric Chou [:ericchou] [:echou] from comment #16) > Created attachment 8350903 [details] [diff] [review] > patch for b2g26 > > * Patch for b2g26. Will test with this patch next Monday. Verified.
Attachment #8350903 - Attachment is obsolete: true
* Updated. Final patch for b2g18.
Attachment #8350905 - Attachment is obsolete: true
Hi Bhavana, Again, we need your help to uplift this security bug just like bug 932490. Thank you.
Flags: needinfo?(bbajaj)
Please request b2g26/b2g18 approval on the patches.
Flags: needinfo?(bbajaj)
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22) > Please request b2g26/b2g18 approval on the patches. To be honest I don't know what the criteria is for this kind of patch. Take bug 932543 as an example, at first I tried to nominate as koi+ in comment 24 and Jason told me to request for approval to uplift, so I did in comment 27. Then Bhavana explained why release team rather koi+'ing than using approval, so it turned out to be koi+. After that I nominate as leo+ to bug 932490 but soon I was told that 'we won't have leo triage anymore', so I ni? Bhavana again and everything looks just fine. Now I'm confused because we don't seem to have a procedure for developers to make these patches get uplifted.
Comment on attachment 8351307 [details] [diff] [review] patch 1: final: patch for b2g26, r=gyeh NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning. User impact if declined: no user impact. Security issue. Testing completed: m-c and manual testing by transferring files. Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution. String or UUID changes made by this patch: no
Attachment #8351307 - Flags: approval-mozilla-b2g26?
Comment on attachment 8359024 [details] [diff] [review] patch 1: final: patch for b2g18, r=gyeh NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning. User impact if declined: no user impact. Security issue. Testing completed: m-c and manual testing by transferring files. Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution. String or UUID changes made by this patch: no
Attachment #8359024 - Flags: approval-mozilla-b2g18?
(In reply to Eric Chou [:ericchou] [:echou] from comment #23) > (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22) > > Please request b2g26/b2g18 approval on the patches. > > To be honest I don't know what the criteria is for this kind of patch. I completely feel your pain. We (myself, Bhavana, and Preeti) had a discussion about this exact topic on Friday and requesting approval was the route we came to a consensus on. The B2G Landing page has also been updated to reflect this information. Sorry for the confusion, hopefully things are more straightforward in the future. https://wiki.mozilla.org/Release_Management/B2G_Landing
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #26) > (In reply to Eric Chou [:ericchou] [:echou] from comment #23) > > (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22) > > > Please request b2g26/b2g18 approval on the patches. > > > > To be honest I don't know what the criteria is for this kind of patch. > > I completely feel your pain. We (myself, Bhavana, and Preeti) had a > discussion about this exact topic on Friday and requesting approval was the > route we came to a consensus on. The B2G Landing page has also been updated > to reflect this information. Sorry for the confusion, hopefully things are > more straightforward in the future. > https://wiki.mozilla.org/Release_Management/B2G_Landing No problem. Thank you for clarifying that, Ryan.
FWIW, the b2g26 backport is green on Try. The b2g18 backport is busted, however. 20:23:39 INFO - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: In member function 'bool mozilla::dom::bluetooth::BluetoothOppManager::WriteToFile(const uint8_t*, int)': 20:23:39 WARNING - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:575: warning: comparison between signed and unsigned integer expressions 20:23:39 INFO - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: In member function 'void mozilla::dom::bluetooth::BluetoothOppManager::ServerDataHandler(mozilla::ipc::UnixSocketRawData*)': 20:23:39 ERROR - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:791: error: 'ReplyError' was not declared in this scope 20:23:39 ERROR - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:804: error: 'ReplyError' was not declared in this scope 20:23:39 INFO - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp: At global scope: 20:23:39 ERROR - ../../../gecko/dom/bluetooth/BluetoothOppManager.cpp:1253: error: no 'void mozilla::dom::bluetooth::BluetoothOppManager::ReplyError(uint8_t)' member function declared in class 'mozilla::dom::bluetooth::BluetoothOppManager' 20:23:39 INFO - In the directory /builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dom/bluetooth 20:23:39 INFO - The following command failed to execute properly: 20:23:39 INFO - /usr/bin/ccache /builds/slave/b2g_try_emu_dep-00000000000000/build/prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-g++ -o BluetoothOppManager.o -c -fvisibility=hidden -D_IMPL_NS_LAYOUT -DMOZ_BLUETOOTH_GONK -DMOZILLA_INTERNAL_API -D_IMPL_NS_COM -DEXPORT_XPT_API -DEXPORT_XPTC_API -D_IMPL_NS_GFX -D_IMPL_NS_WIDGET -DIMPL_XREAPI -DIMPL_NS_NET -DIMPL_THEBES -DSTATIC_EXPORTABLE_JS_API -DEXCLUDE_SKIA_DEPENDENCIES -DOS_POSIX=1 -DOS_LINUX=1 -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/base -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/battery -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/encoding -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/file -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/power -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/push -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/push/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/media -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/network/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/settings -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/phonenumberutils -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/contacts -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/permission -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/alarm -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/events -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/storage -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/offline -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/geolocation -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/src/notification -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/workers -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/time -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/xbl/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/xul/document/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/events/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/base/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/html/content/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/html/document/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/media/webaudio -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/content/svg/content/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/generic -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/style -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/xul/base/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/layout/xul/base/src/tree/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/camera -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/system/gonk -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/telephony -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/wifi -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/icc/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/fm -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/ipc -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/linux -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/gonk -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/ipc/chromium/src -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/ipc/glue -I../../ipc/ipdl/_ipdlheaders -I/builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth -I. -I../../dist/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dist/include/nspr -I/builds/slave/b2g_try_emu_dep-00000000000000/build/objdir-gecko/dist/include/nss -fPIC -DANDROID -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/arch-arm/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/include/ -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/common -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/arch-arm -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/opengl/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/native/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware_legacy/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/core/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/dbus -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/bluetooth/bluez/lib -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/sensorservice -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/camera -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/media/wilhelm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright/openmax -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/rtsp -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/dalvik/libnativehelper/include/nativehelper -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Wtype-limits -Wempty-body -Werror=conversion-null -Wno-ctor-dtor-privacy -Wno-overlength-strings -Wno-invalid-offsetof -Wno-variadic-macros -Wno-long-long -mandroid -fno-short-enums -fno-exceptions -Wno-psabi -DMOZ_ENABLE_JS_DUMP -include /builds/slave/b2g_try_emu_dep-00000000000000/build/gonk-misc/Unicode.h -I/builds/slave/b2g_try_emu_dep-00000000000000/build/ndk/sources/cxx-stl/stlport/stlport/ -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/stlport/stlport/ -march=armv7-a -mthumb -mfpu=vfp -mfloat-abi=softfp -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -std=gnu++0x -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fno-reorder-functions -fomit-frame-pointer -DANDROID -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/arch-arm/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/include/ -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/common -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libc/kernel/arch-arm -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic/libm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/opengl/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/native/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/hardware/libhardware_legacy/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/core/include -isystem /builds/slave/b2g_try_emu_dep-00000000000000/build/bionic -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/dbus -I/builds/slave/b2g_try_emu_dep-00000000000000/build/external/bluetooth/bluez/lib -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/sensorservice -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/services/camera -I/builds/slave/b2g_try_emu_dep-00000000000000/build/system/media/wilhelm/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/include/media/stagefright/openmax -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/rtsp -I/builds/slave/b2g_try_emu_dep-00000000000000/build/frameworks/base/media/libstagefright/include -I/builds/slave/b2g_try_emu_dep-00000000000000/build/dalvik/libnativehelper/include/nativehelper -DMOZILLA_CLIENT -include ../../mozilla-config.h -MD -MF .deps/BluetoothOppManager.o.pp /builds/slave/b2g_try_emu_dep-00000000000000/build/gecko/dom/bluetooth/BluetoothOppManager.cpp 20:23:39 ERROR - make[7]: *** [BluetoothOppManager.o] Error 1
Flags: needinfo?(echou)
* Patch updated. Should fixed the bustage. Is there any way I can run try based on a specific branch like b2g18 or b2g26 by myself to save your time?
Attachment #8359024 - Attachment is obsolete: true
Attachment #8359024 - Flags: approval-mozilla-b2g18?
Flags: needinfo?(echou)
Comment on attachment 8362358 [details] [diff] [review] patch 1: final: patch for b2g18, r=gyeh NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): No specific bug. This issue should have existed from the beginning. User impact if declined: no user impact. Security issue. Testing completed: m-c and manual testing by transferring files. Risk to taking this patch (and alternatives if risky): Fairly low. Just added length-checking to prevent from potential memory pollution. String or UUID changes made by this patch: no
Attachment #8362358 - Flags: approval-mozilla-b2g18?
(In reply to Eric Chou [:ericchou] [:echou] from comment #29) > Is there any way I can run try based on a specific branch like b2g18 or > b2g26 by myself to save your time? You can push to Try on top of any branch. It doesn't always work well because it assumes a trunk-like config, but it generally is OK to at least say it builds.
(In reply to Eric Chou [:ericchou] [:echou] from comment #29) > * Patch updated. Should fixed the bustage. It does :)
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #31) > (In reply to Eric Chou [:ericchou] [:echou] from comment #29) > > Is there any way I can run try based on a specific branch like b2g18 or > > b2g26 by myself to save your time? > > You can push to Try on top of any branch. It doesn't always work well > because it assumes a trunk-like config, but it generally is OK to at least > say it builds. Yeah, I know what it would be looked like. Thanks, Ryan.
Attachment #8362358 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Attachment #8351307 - Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Whiteboard: [adv-main28+]
Does it impact also ESR24?
No, this is some kind of Bluetooth thing which doesn't affect desktop.
status-firefox-esr24: --- → unaffected
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: