Bug 972622 (CVE-2014-1502) - Closed
Opened 11 years ago; Closed 11 years ago
WebGL.compressedTex(Sub)Image2D doesn't call MakeCurrent
Categories: Core :: Graphics: CanvasWebGL, defect
People: Reporter: jgilbert, Assigned: jgilbert
Details: Keywords: sec-moderate, Whiteboard: [qa-][adv-main28+]
Attachments (1 file): 1.40 KB, patch; flags: u480271: review+, lsblakk: approval-mozilla-aurora+, lsblakk: approval-mozilla-beta+, bajaj: approval-mozilla-b2g26+
Ok, this one is potentially dangerous, since it can change the data in another context. It can't steal data, only upload its own data, though.
Maybe a very low likelihood sec-vector?
Comment 1•11 years ago
Attachment #8375877 - Flags: review?(dglastonbury)
Comment 2•11 years ago
Right; what would be a big problem is if we forgot to makecurrent in a WebGL entry point that can retrieve information out of a WebGL context...
Comment 3•11 years ago
(In reply to Benoit Jacob [:bjacob] from comment #2)
> Right; what would be a big problem is if we forgot to makecurrent in a WebGL
> entry point that can retrieve information out of a WebGL context...
You could steal data from other GLContexts, possibly including the compositor. (I think not the compositor if we're on OMTC, though)
Comment 4•11 years ago
Right, the likely attack case is a WebGL context on the main thread stealing data from another WebGL context on the main thread, from a different origin.
Attachment #8375877 - Flags: review?(dglastonbury) → review+
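The hazard comments 2 through 4 describe, modelled as an added illustration (this is not Gecko code and not the attached patch): a GL driver keeps one current context per thread, and a state-changing call such as glCompressedTexImage2D applies to whatever context is current, not to the WebGL object the caller went through. The names below (GLContext, WebGLContext, fCompressedTexImage2D, the two sample origins) are hypothetical, and the `callMakeCurrent` flag simply switches between the missing call and the fix.

```cpp
// Added example, not from the page or from Gecko: a minimal model of why a
// WebGL entry point that skips MakeCurrent writes into another context.
#include <cassert>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for a driver-level GL context.
struct GLContext {
    std::string origin;                                       // constructed: owning origin
    unsigned boundTexture = 0;                                // GL_TEXTURE_2D binding
    std::map<unsigned, std::vector<unsigned char>> textures;  // texture storage
};

// A real GL implementation tracks the current context per thread.
static thread_local GLContext* gCurrent = nullptr;

static void MakeCurrent(GLContext* ctx) { gCurrent = ctx; }

// Model of glCompressedTexImage2D: the driver writes into the texture bound
// in the *current* context; it has no idea which WebGL object was called.
static void fCompressedTexImage2D(const std::vector<unsigned char>& data) {
    assert(gCurrent != nullptr);
    gCurrent->textures[gCurrent->boundTexture] = data;
}

// Hypothetical WebGL entry point wrapper. callMakeCurrent == false models the
// bug: the entry point forwards to GL without making its own context current.
struct WebGLContext {
    GLContext gl;
    void compressedTexImage2D(const std::vector<unsigned char>& data, bool callMakeCurrent) {
        if (callMakeCurrent) {
            MakeCurrent(&gl);  // the fix: every entry point that touches GL does this first
        }
        fCompressedTexImage2D(data);
    }
};

// Sets up two same-thread contexts from different origins, lets "b" be the
// most recently current one, has "a" upload a texture through its own WebGL
// object, and returns the origin whose texture actually received the data.
static std::string UploadLandsIn(bool entryPointCallsMakeCurrent) {
    WebGLContext a, b;
    a.gl.origin = "https://a.example";  // constructed sample origins
    b.gl.origin = "https://b.example";
    a.gl.boundTexture = 1;
    b.gl.boundTexture = 7;
    a.gl.textures[1] = {0, 0, 0, 0};
    b.gl.textures[7] = {0, 0, 0, 0};

    // b rendered last, so the driver's current context is b's.
    MakeCurrent(&b.gl);

    // a now uploads through its own WebGL object.
    const std::vector<unsigned char> payload = {1, 2, 3, 4};  // constructed sample data
    a.compressedTexImage2D(payload, entryPointCallsMakeCurrent);

    if (b.gl.textures[7] == payload) return b.gl.origin;  // wrong context modified
    if (a.gl.textures[1] == payload) return a.gl.origin;  // own context modified
    return "none";
}

int main() {
    std::cout << "without MakeCurrent, upload lands in: " << UploadLandsIn(false) << "\n";
    std::cout << "with MakeCurrent, upload lands in:    " << UploadLandsIn(true) << "\n";
    return 0;
}
```

The model also shows why the severity discussion above hinges on direction: the missing call lets one context overwrite state in another, but nothing flows back to the caller, which is the distinction comment 2 draws between this bug and an entry point that reads data out of a context.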
Comment 5•11 years ago
I was wrong about what sec-vector meant. This sounds like it's potentially sec-high, since you can potentially inject static images into other running WebGL. The difficulty in doing something targeted with it likely drops it down to sec-moderate, which is what I'll mark this.
The only danger here is if:
The malicious WebGL context can interleave its command stream with another context's rendering loop, but only in that it overwrites a specific texture to something phishy, or similar.
This is baaasically not viable.
It can happen more easily if a victim context renders using a texture without rebinding it, which more or less is never done in anything non-trivial.
Keywords: sec-vector → sec-moderate
Comment 6•11 years ago
This bug is ancient. These are my recommendations for wontfix: Release, ESR24, B2G18, B2G 1.1.
status-b2g18: --- → wontfix
status-b2g-v1.1hd: --- → wontfix
status-b2g-v1.2: --- → affected
status-b2g-v1.3: --- → affected
status-b2g-v1.3T: --- → affected
status-b2g-v1.4: --- → affected
status-firefox27: --- → wontfix
status-firefox28: --- → affected
status-firefox29: --- → affected
status-firefox30: --- → affected
status-firefox-esr24: --- → wontfix
tracking-firefox28: --- → ?
Updated•11 years ago
tracking-b2g-v1.2: --- → ?
Comment 7•11 years ago
Comment 8•11 years ago
Comment on attachment 8375877 [details] [diff] [review]
makecur-compressed
NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 728017
User impact if declined: Very unlikely sec concerns brought up in above comments.
Testing completed: Local
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none
Attachment #8375877 - Flags: approval-mozilla-beta?
Attachment #8375877 - Flags: approval-mozilla-b2g28?
Attachment #8375877 - Flags: approval-mozilla-b2g26?
Attachment #8375877 - Flags: approval-mozilla-aurora?
Comment 9•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Comment 10•11 years ago
Comment on attachment 8375877 [details] [diff] [review]
makecur-compressed
If this is approved and landed on beta, it will be merged to b2g28.
Attachment #8375877 - Flags: approval-mozilla-b2g28?
Updated•11 years ago
Attachment #8375877 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8375877 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•11 years ago
Comment 11•11 years ago
Comment 12•11 years ago
Updated•11 years ago
Attachment #8375877 - Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Updated•11 years ago
tracking-b2g-v1.2: ? → ---
Comment 13•11 years ago
Comment 14•11 years ago
Matt, can you please evaluate if this needs testing before release?
Flags: needinfo?(mwobensmith)
Updated•11 years ago
Flags: needinfo?(mwobensmith)
Whiteboard: [qa-]
Updated•11 years ago
Whiteboard: [qa-] → [qa-][adv-main28+]
Updated•11 years ago
Alias: CVE-2014-1502
Updated•11 years ago
Group: core-security