Ok, this one is potentially dangerous, since it can change the data in another context. It can't steal data, only upload its own data, though. Maybe a very low likelihood sec-vector?
Right; what would be a big problem is if we forgot to makecurrent in a WebGL entry point that can retrieve information out of a WebGL context...
(In reply to Benoit Jacob [:bjacob] from comment #2)
> Right; what would be a big problem is if we forgot to makecurrent in a WebGL
> entry point that can retrieve information out of a WebGL context...

You could steal data from other GLContexts, possibly including the compositor. (I think not the compositor if we're on OMTC, though)
Right, the likely attack case is a WebGL context on the main thread stealing data from another WebGL context on the main thread, from a different origin.
Attachment #8375877 - Flags: review?(dglastonbury) → review+
I was wrong about what sec-vector meant. This sounds like it's potentially sec-high, since you can potentially inject static images into other running WebGL. The difficulty in doing something targeted with it likely drops it down to sec-moderate, which is what I'll mark this. The only danger here is if: The malicious WebGL context can interleave its command stream with another context's rendering loop, but only in that it overwrites a specific texture to something phishy, or similar. This is baaasically not viable. It can happen more easily if a victim context renders using a texture without rebinding it, which more or less is never done in anything non-trivial.
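To make the bug class discussed in comments #2 through #6 concrete, here is an added example that is not Mozilla's code and not the attached patch: a toy model of the GL "current context" state. All names in it (`GLContext`, `WebGLContext`, the `toy*` driver calls, the `_Buggy`/`_Fixed` entry points, the constructed origins) are assumptions for illustration only. It shows why an entry point that skips `MakeCurrent()` acts on whichever context was last made current, on the upload side (comment #6) and on the read side (comment #2), and that making the context current first is the fix.

```cpp
// Added example, not Mozilla code: a toy model of the GL "current context"
// showing why a WebGL entry point that skips MakeCurrent() operates on
// another context's state, and what the fix looks like.
#include <cassert>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Pixels = std::vector<unsigned char>;

struct GLContext;
// Models the per-thread "current context" that real GL calls implicitly target.
static GLContext* gCurrentContext = nullptr;

struct GLContext {
    std::string origin;              // owning document origin (constructed label)
    std::map<int, Pixels> textures;  // texture id -> pixel payload
    int boundTexture = 0;

    void MakeCurrent() { gCurrentContext = this; }
};

// Toy driver entry points (assumed names): like glBindTexture /
// glCompressedTexImage2D / glReadPixels they act on whatever context is current.
static void toyBindTexture(int id) {
    assert(gCurrentContext && "no current context");
    gCurrentContext->boundTexture = id;
}
static void toyCompressedTexImage2D(const Pixels& data) {
    assert(gCurrentContext && "no current context");
    gCurrentContext->textures[gCurrentContext->boundTexture] = data;
}
static Pixels toyReadBoundTexture() {
    assert(gCurrentContext && "no current context");
    return gCurrentContext->textures[gCurrentContext->boundTexture];
}

// Models the DOM-facing wrapper: every entry point must make its own
// GLContext current before issuing driver calls.
struct WebGLContext {
    GLContext gl;
    explicit WebGLContext(std::string origin) { gl.origin = std::move(origin); }
    WebGLContext(const WebGLContext&) = delete;  // gCurrentContext may point at gl

    void BindTexture(int id) { gl.MakeCurrent(); toyBindTexture(id); }

    // Bug under discussion: no MakeCurrent, so the upload lands in whichever
    // context was last made current, against *its* bound texture.
    void CompressedTexImage2D_Buggy(const Pixels& data) { toyCompressedTexImage2D(data); }
    void CompressedTexImage2D_Fixed(const Pixels& data) { gl.MakeCurrent(); toyCompressedTexImage2D(data); }

    // The same defect in a read entry point, the worse case from comment #2.
    Pixels ReadBoundTexture_Buggy() { return toyReadBoundTexture(); }
    Pixels ReadBoundTexture_Fixed() { gl.MakeCurrent(); return toyReadBoundTexture(); }
};

// The interleaving from comment #6: the victim context is current with
// texture 7 bound when another origin's script runs on the same thread.
struct Scenario {
    WebGLContext victim{"https://victim.example"};  // constructed origins
    WebGLContext other{"https://other.example"};
    const Pixels victimPixels{1, 2, 3, 4};
    Scenario() {
        victim.BindTexture(7);
        victim.CompressedTexImage2D_Fixed(victimPixels);
    }
};

// True if the other context's upload replaced the victim's texture 7.
static bool VictimTextureOverwritten(bool fixed) {
    Scenario s;
    const Pixels foreign{9, 9, 9, 9};
    if (fixed) s.other.CompressedTexImage2D_Fixed(foreign);
    else       s.other.CompressedTexImage2D_Buggy(foreign);
    return s.victim.gl.textures.at(7) == foreign;
}

// True if the other context's read returned the victim's texture contents.
static bool VictimTextureReadable(bool fixed) {
    Scenario s;
    Pixels got = fixed ? s.other.ReadBoundTexture_Fixed() : s.other.ReadBoundTexture_Buggy();
    return got == s.victimPixels;
}

int main() {
    std::printf("buggy upload overwrites victim texture: %d\n", VictimTextureOverwritten(false));
    std::printf("fixed upload overwrites victim texture: %d\n", VictimTextureOverwritten(true));
    std::printf("buggy read returns victim data:         %d\n", VictimTextureReadable(false));
    std::printf("fixed read returns victim data:         %d\n", VictimTextureReadable(true));
    return 0;
}
```

The buggy paths report 1 and the fixed paths 0. The model also shows why the severity discussion above hinges on rebinding: the foreign upload only lands on texture 7 because the victim left it bound and did not bind again before its next draw, and a wrapper that makes its own context current on every entry point closes both the write and the read variant regardless of what the other context left bound.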
This bug is ancient. These are my recommendations for wontfix: Release, ESR24, B2G18, B2G 1.1.
Comment on attachment 8375877 [details] [diff] [review]
makecur-compressed

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 728017
User impact if declined: Very unlikely sec concerns brought up in above comments.
Testing completed: Local
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none
Comment on attachment 8375877 [details] [diff] [review]
makecur-compressed

If this is approved and landed on beta, it will be merged to b2g28.
Attachment #8375877 - Flags: approval-mozilla-b2g26? → approval-mozilla-b2g26+
Matt, can you please evaluate if this needs testing before release?