Bug 307725 - SECURITY flaw exposed by Tom Ferris
Status: Closed
Opened 19 years ago; closed 19 years ago
Categories: Firefox :: General, defect
Resolution: VERIFIED DUPLICATE of bug 307259
People: Reporter: softexpert; Unassigned
Attachments (1 file): (deleted), text/html
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050909 Firefox/1.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050909 Firefox/1.4
Someone brought up this security issue on Mozillazine.
It can be found on:
http://news.com.com/Unpatched+Firefox+flaw+may+expose+users/2100-1002_3-5856201.html?tag=nefd.top
http://secunia.com/advisories/16764/
http://security-protocols.com/advisory/sp-x17-advisory.txt
Reproducible: Always
Steps to Reproduce:
1. Make sure you don't have anything to lose in the browser
2. Load attached file
3. Freeze
You need to kill the process
Actual Results:
On the console I got this output:
*** glibc detected *** ./firefox-bin: realloc(): invalid next size: 0x0a9f4bc8 ***
======= Backtrace: =========
/lib/libc.so.6[0xc36045]
/lib/libc.so.6(__libc_realloc+0x101)[0xc36a30]
./libxpcom_core.so(_ZN14nsStringBuffer7ReallocEPS_j+0x20)[0x32f53c]
./libxpcom_core.so(_ZN12nsCSubstring10MutatePrepEjPPcPj+0xce)[0x33075a]
./libxpcom_core.so(_ZN12nsCSubstring11SetCapacityEj+0x7c)[0x3310f6]
./libxpcom_core.so(_ZN12nsCSubstring9SetLengthEj+0x1b)[0x331189]
./firefox-bin[0x80db586]
./firefox-bin[0x80dc883]
./firefox-bin[0x80df53c]
./firefox-bin[0x8111b1e]
./firefox-bin[0x80d3328]
./firefox-bin[0x8323f81]
./firefox-bin[0x8371f6b]
./firefox-bin[0x82cad9e]
./firefox-bin[0x82ab4a6]
./firefox-bin[0x82c6372]
./firefox-bin[0x81f9d57]
./firefox-bin[0x81fae9c]
./firefox-bin[0x81fca7c]
./firefox-bin[0x8220e1d]
./firefox-bin[0x832d5f4]
./firefox-bin[0x8380b4d]
./firefox-bin[0x837d2dc]
./firefox-bin[0x837ed73]
./firefox-bin[0x816f051]
./firefox-bin[0x816f300]
./firefox-bin[0x816f3a9]
./firefox-bin[0x816f665]
./firefox-bin[0x816bf1a]
./firefox-bin[0x817b9f6]
./firefox-bin[0x817c857]
./firefox-bin[0x817d5b5]
./firefox-bin[0x84e8738]
./firefox-bin[0x8106747]
./firefox-bin[0x80d1afd]
./firefox-bin[0x80d1871]
./libxpcom_core.so(_ZN23nsInputStreamReadyEvent12EventHandlerEP7PLEvent+0x30)[0x305684]
./libxpcom_core.so(PL_HandleEvent+0x1d)[0x31685f]
./libxpcom_core.so(PL_ProcessPendingEvents+0x70)[0x3167b2]
./libxpcom_core.so[0x317ddf]
./firefox-bin[0x81eb880]
/usr/lib/libglib-2.0.so.0[0x1974fc]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x1dc)[0x1714ce]
/usr/lib/libglib-2.0.so.0[0x1744d6]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a1)[0x1747c3]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0x44fa46]
./firefox-bin[0x81ebb24]
./firefox-bin[0x862e1ae]
./firefox-bin[0x807a848]
./firefox-bin[0x8076c8b]
/lib/libc.so.6(__libc_start_main+0xdf)[0xbe5d5f]
./firefox-bin[0x8076be9]
./run-mozilla.sh: line 131: 26587 Killed "$prog" ${1+"$@"}
Expected Results:
A link should be rendered or an error message should be displayed
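As an added triage helper, not code from this bug or from Mozilla: a parser for the glibc malloc-check console output quoted above. It pulls out the failing allocator call and reason, then the symbolized backtrace frames with their Itanium-ABI nested C++ names demangled (parameter types dropped), so a triager can classify the crash as heap-metadata corruption surfacing in nsStringBuffer::Realloc via nsCSubstring::SetLength. The sample text is constructed from the first lines of the report above.

```python
import re

# Constructed sample: the opening lines of the glibc report quoted in this bug,
# in the exact format glibc's malloc consistency checker prints to the console.
SAMPLE = """\
*** glibc detected *** ./firefox-bin: realloc(): invalid next size: 0x0a9f4bc8 ***
======= Backtrace: =========
/lib/libc.so.6[0xc36045]
/lib/libc.so.6(__libc_realloc+0x101)[0xc36a30]
./libxpcom_core.so(_ZN14nsStringBuffer7ReallocEPS_j+0x20)[0x32f53c]
./libxpcom_core.so(_ZN12nsCSubstring10MutatePrepEjPPcPj+0xce)[0x33075a]
./libxpcom_core.so(_ZN12nsCSubstring11SetCapacityEj+0x7c)[0x3310f6]
./libxpcom_core.so(_ZN12nsCSubstring9SetLengthEj+0x1b)[0x331189]
./firefox-bin[0x80db586]
======= Memory map: ========
"""

# "*** glibc detected *** <program>: <func>(): <reason>: <chunk> ***"
HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (\w+)\(\): ([^:]+): (0x[0-9a-f]+) \*\*\*")
# "<module>(<symbol>+<offset>)[<addr>]" or, for unsymbolized frames, "<module>[<addr>]"
FRAME = re.compile(r"^(?P<module>[^\[(]+)(?:\((?P<symbol>[^+)]*)\+(?P<offset>0x[0-9a-f]+)\))?\[(?P<addr>0x[0-9a-f]+)\]$")

def demangle_name(sym):
    """Recover the qualified name from an Itanium-ABI nested name (_ZN...E...).
    Parameter types are ignored; any other symbol is returned unchanged."""
    if not sym.startswith("_ZN"):
        return sym
    parts, i = [], 3
    while i < len(sym) and sym[i] != "E":
        m = re.match(r"\d+", sym[i:])
        if not m:
            return sym  # encoding this toy demangler does not handle; leave as-is
        n = int(m.group()); i += len(m.group())
        parts.append(sym[i:i + n]); i += n
    return "::".join(parts)

def parse_glibc_report(text):
    """Return (program, allocator_call, reason, symbolized_frames) for a malloc-check crash.
    Each frame is (module, demangled symbol, offset); unsymbolized frames are skipped."""
    lines = text.splitlines()
    head = HEADER.match(lines[0])
    if not head:
        raise ValueError("not a glibc malloc-check report")
    program, func, reason, _chunk = head.groups()
    frames = []
    for line in lines[2:]:            # lines[1] is the "======= Backtrace:" banner
        if line.startswith("======="):  # stop at the memory map
            break
        f = FRAME.match(line)
        if f and f.group("symbol"):
            frames.append((f.group("module"), demangle_name(f.group("symbol")), f.group("offset")))
    return program, func, reason, frames
```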
Comment 1 (Reporter) • 19 years ago
This is the testcase that will perform as expected: the browser will freeze!
You will need to kill the process.
Comment 2 • 19 years ago
*** This bug has been marked as a duplicate of 307259 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated • 19 years ago
Group: security
Comment 3 • 19 years ago
Tom Ferris himself reported that he already filed a bug: <http://security-protocols.com/advisory/sp-x17-advisory.txt>. There's no reason to report this again.
Status: RESOLVED → VERIFIED