Closed Bug 395054 Opened 17 years ago Closed 17 years ago

Crashes on test for Sun Java Plugin security on the site scanit.de [@ jpinscp.dll@0xcf15]

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 405357

People

(Reporter: whitewolfpro, Unassigned)

Details

(Keywords: crash, regression)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007090504 Minefield/3.0a8pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007090504 Minefield/3.0a8pre

I ran every security test they had and everything is fine with this overnight version of a8pre. The site that makes Firefox crash is:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/main-frames.php?tests[]=idef20041123
It tests a security vulnerability with Sun Java Plugin... So I'm not sure if it has something to do with the security issue or it just crashes, I don't know.

Reproducible: Always

Steps to Reproduce:
1. Start the browser again.
2. Then go to the homepage http://bcheck.scanit.be/bcheck/
3. Select the link "Choose which tests to run" right under "Start the test".
4. Choose number 7 which is the "Sun Java Plugin Arbitrary Package Access Vulnerability / Opera Java Vulnerability (idef20041123)" test.
5. Then just push the button at the bottom of the page to start the test.
6. Now it should crash when the page has loaded.

Actual Results:
It crashes and then Firefox shows a little report window saying that it crashed. You can view some info, but too little, and you can close the window or restart Firefox.

Expected Results:
Well, it wouldn't have to crash :p

I just want to point out one thing that might be a little bit off topic. When the window with the restart Firefox button comes up after Firefox has crashed, I would like to have that window improved with things like: advanced information on the crash, like seeing the memory addresses and files that caused the crash, etc. And then there should be a button so that you could report the crash immediately to you guys here or to the development team.
When you go to Application Data, Mozilla, Firefox, you'll see a folder Crash Reports. There you can find a link that you can copy to this bug.
It is a regression on 6 Aug, presumably from Bug 390385.
Blocks: 390385
Keywords: regression
Okay, I think I found the link in two files that I had in the folder Submitted:
http://crash-stats.mozilla.com/report/index/38aee657-5bd7-11dc-abf1-001a4bd43ef6?date=2007-09-05-17
Severity: normal → critical
Keywords: crash
Summary: Crashes on test for Sun Java Plugin security on the site scanit.de → Crashes on test for Sun Java Plugin security on the site scanit.de [@ jpinscp.dll@0xcf15]
The site that makes firefox to crash is:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/main-frames.php?tests[]=idef20041123
Yes. I can confirm crash.
I cannot confirm crash on test #7 at http://bcheck.scanit.be/bcheck/ in the Steps To Reproduce.
> I cannot confirm crash on test #7 at http://bcheck.scanit.be/bcheck/ in the
> Steps To Reproduce.
>
Yes, I know it doesn't crash at the site http://bcheck.scanit.be/bcheck/ but if you read how to get to the site where it crashes. Read the whole "Steps to Reproduce"...
Now I think I have found the code for the applet that causes the crash:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/Idef20041123.class
And the script:
<applet name="Dummy" code="Idef20041123.class">
</applet>
<script language="JavaScript" defer>
function vulnerable() {
  window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=yes', 'testframe1');
}
function notvulnerable() {
  window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=no', 'testframe1');
}
wait_applet();
// Here we are trying to detect two different vulnerabilities -
// one in Sun Java Plugin before 1.4.2_06 () and another one
// in Opera before 2.54u1. Both allow loading of sun.* Java
// classes
// Unpatched Sun Java throws a Java exception inside the Java class
// and does not throw JavaScript exception when we call forName()
// Patched Sun Java throws exceptions in both cases
// Unpatched Opera does not throw exception inside the Java class
// Patched Opera does not throw exception inside the Java class and
// does not throw the exception in JavaScript
// Thus it is difficult to distinguish patched Opera from unpatched
// everything else. We check the return value of forName()
// Patched Opera returns null, unpatched everything else returns an
// object
function wait_applet() {
  try {
    var applet_class = document.applets[0].getClass();
    if (applet_class) {
      // Check for vulnerable Opera
      if (document.applets[0].vulnerableOpera() == 1) {
        vulnerable();
        return;
      }
      try {
        var private_class = applet_class.forName('sun.text.Utility');
        if (private_class == null) {
          // This is probably patched Opera
          notvulnerable();
        } else {
          // Unpatched Java Plugin
          vulnerable();
        }
      } catch (e) {
        notvulnerable();
      }
    } else {
      setTimeout("wait_applet()", 500);
    }
  } catch (e) {
    setTimeout("wait_applet()", 500);
  }
}
</script>
Hopefully this is for some help.
(In reply to comment #6)
> Now I think I have found the code for the applet that causes the crash:
...
> <script language="JavaScript" defer>
>
> function vulnerable()
> {window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=yes','testframe1');};function
> notvulnerable()
> {window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=no','testframe1');};
> wait_applet();
>
> // Here we are trying to detect two different vulnerabilities -
> // one in Sun Java Plugin before 1.4.2_06 ()
...
> Hopefully this is for some help.
Which version of Java are you running?
http://www.heise-security.co.uk/services/browsercheck/tests/java.shtml
This test page shows if java is enabled, you can try working a rubik's cube, and it tells you which version of Java you are running.
or type about:plugins into the location bar to see the versions of your plug-ins:
Java(TM) Platform SE 6 U2
File name: ....
Java Plug-in 1.6.0_02 for Netscape Navigator (DLL Helper)
> Which version of Java are you running?
>
The Java plugin version I had before was:
Java Plug-in 1.6.0 for Netscape Navigator (DLL Helper)
And so I thought of upgrading the Java version to update 2 that was available for download. So now I have:
Java Plug-in 1.6.0_02 for Netscape Navigator (DLL Helper)
But Firefox still crashes on this page:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/main-frames.php?tests[]=idef20041123
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091823 Minefield/3.0a8pre
Test 7 still crashing with the latest Java version. If automatic updating is enabled (I believe this is by default), you always have the latest. Don't know if this bug is something that should be repaired in Java or in Firefox. Fact is that the fix of bug 390385 started to trigger this crash.
Flags: blocking-firefox3?
(In reply to comment #9)
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091823
> Minefield/3.0a8pre
> Test 7 still crashing with the latest Java version. If automatic updating is
> enabled (I believe this is by default), you have always the latest. Don't know
> if this bug is something that should be repaired in Java or in Firefox. Fact is
> that the fix of bug 390385 started to trigger this crash.
>
Well I have tested on the Internet Explorer 7.0.5730.11 and it worked fine with Java version 1.6.0 and 1.6.0_02. So I think there might be a small chance that the Java engine might be working wrongly with Firefox. But it might be a good thing to ask Sun Microsystems if they could take a look at it at least.
Component: Security → Plug-ins
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → Trunk
The old url has stopped working so I'm posting the new url for the bug/vulnerability issue:
http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
And Firefox still crashes on this coding. I haven't found any solution to it yet though. :/
Error report detail:
Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0pre
BuildID: 2008041005
CrashTime: 1207861574
InstallTime: 1207858265
ProductName: Firefox
SecondsSinceLastCrash: 997986
StartupTime: 1207861550
Theme: classic/1.0
URL: http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
UserID: 11f0f248-06a0-40d5-9beb-e535932c5b8a
Vendor: Mozilla
Version: 3.0pre
Oh and I forgot to give the class file a new url:
http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/Idef20041123.class
(In reply to comment #11)
> The old url has stopped working so I'm posting the new url for the
> bug/vulnerability issue:
>
> http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
>
> And Firefox still crashes on this coding. I haven't found any solution to it
> yet though. :/
>
>
> Error report detail:
> Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0pre
> BuildID: 2008041005
> CrashTime: 1207861574
> InstallTime: 1207858265
> ProductName: Firefox
> SecondsSinceLastCrash: 997986
> StartupTime: 1207861550
> Theme: classic/1.0
> URL:
> http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
> UserID: 11f0f248-06a0-40d5-9beb-e535932c5b8a
> Vendor: Mozilla
> Version: 3.0pre
>
reporter: please load about:crashes, and copy the report id here. the information crash reporter shows you is not useful for us.
(In reply to comment #13)
> reporter: please load about:crashes, and copy the report id here. the
> information crash reporter shows you is not useful for us.
>
Here's the url:
http://crash-stats.mozilla.com/report/pending/c73f87b3-07db-11dd-bbf9-0013211cbf8a
I did a debug on the crash and here's the result of it from WinDbg:
CommandLine: C:\Program\Minefield2\firefox.exe
Symbol search path is: C:\symbols;SRV*c:\symbols*http://symbols.mozilla.org/firefox;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
(9dc.7c0): Break instruction exception - code 80000003 (first chance)
eax=00191eb4 ebx=7ffdf000 ecx=00000005 edx=00000020 esi=00191f48 edi=00191eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> g
(9dc.7c0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000060 ebx=00000000 ecx=00032428 edx=00000000 esi=6d4c32b4 edi=000334a8
eip=6d4ccf45 esp=00033420 ebp=00033440 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program\Java\jre1.6.0_03\bin\jpinscp.dll -
jpinscp!NSGetFactory+0x56b:
6d4ccf45 8501 test dword ptr [ecx],eax ds:0023:00032428=00000000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00033440 7e368724 jpinscp!NSGetFactory+0x56b
0003346c 7e368806 USER32!InternalCallWinProc+0x28
000334d4 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00033504 7e36e8e5 USER32!CallWindowProcAorW+0x98
00033524 6d4c3789 USER32!CallWindowProcA+0x1b
000345c4 7e368724 jpinscp+0x3789
000345f0 7e368806 USER32!InternalCallWinProc+0x28
00034658 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00034688 7e36e8e5 USER32!CallWindowProcAorW+0x98
000346a8 6d4c3789 USER32!CallWindowProcA+0x1b
00035748 7e368724 jpinscp+0x3789
00035774 7e368806 USER32!InternalCallWinProc+0x28
000357dc 7e36c623 USER32!UserCallWinProcCheckWow+0x150
0003580c 7e36e8e5 USER32!CallWindowProcAorW+0x98
0003582c 6d4c3789 USER32!CallWindowProcA+0x1b
000368cc 7e368724 jpinscp+0x3789
000368f8 7e368806 USER32!InternalCallWinProc+0x28
00036960 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00036990 7e36e8e5 USER32!CallWindowProcAorW+0x98
000369b0 6d4c3789 USER32!CallWindowProcA+0x1b
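Added example, not part of the original comment: a Python triage helper that parses the `kp` frames posted above, finds the repeating run of frames, and estimates how deep the nesting went from the two esp values in the same log. Treating esp at the initial breakpoint as the top of the thread's stack is an assumption, and the function names are this example's own.

```python
import re

# Frames copied from the `kp` output in the comment above (ChildEBP RetAddr Symbol).
KP = """\
00033440 7e368724 jpinscp!NSGetFactory+0x56b
0003346c 7e368806 USER32!InternalCallWinProc+0x28
000334d4 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00033504 7e36e8e5 USER32!CallWindowProcAorW+0x98
00033524 6d4c3789 USER32!CallWindowProcA+0x1b
000345c4 7e368724 jpinscp+0x3789
000345f0 7e368806 USER32!InternalCallWinProc+0x28
00034658 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00034688 7e36e8e5 USER32!CallWindowProcAorW+0x98
000346a8 6d4c3789 USER32!CallWindowProcA+0x1b
00035748 7e368724 jpinscp+0x3789
00035774 7e368806 USER32!InternalCallWinProc+0x28
000357dc 7e36c623 USER32!UserCallWinProcCheckWow+0x150
0003580c 7e36e8e5 USER32!CallWindowProcAorW+0x98
0003582c 6d4c3789 USER32!CallWindowProcA+0x1b
000368cc 7e368724 jpinscp+0x3789
000368f8 7e368806 USER32!InternalCallWinProc+0x28
00036960 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00036990 7e36e8e5 USER32!CallWindowProcAorW+0x98
000369b0 6d4c3789 USER32!CallWindowProcA+0x1b
"""
TOP_ESP, FAULT_ESP = 0x0012fb20, 0x00033420  # esp at first break / at c00000fd

def parse_frames(text):
    rx = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8} (\S+)$")  # skips headers, warnings
    return [(int(m[1], 16), m[2]) for m in map(rx.match, text.splitlines()) if m]

def find_cycle(frames):
    """Shortest (start, period) whose symbols repeat to the end of the trace."""
    syms = [s for _, s in frames]
    for period in range(1, len(syms) // 2 + 1):
        for start in range(len(syms) - 2 * period + 1):
            tail = syms[start:]
            if all(tail[i] == tail[i % period] for i in range(len(tail))):
                return start, period
    return None  # no repetition: not a recursion-shaped overflow

def analyse(text=KP, top=TOP_ESP, fault=FAULT_ESP):
    frames = parse_frames(text)
    cycle = find_cycle(frames)
    if cycle is None:
        return None
    start, period = cycle
    per_loop = frames[start + period][0] - frames[start][0]  # stack bytes per pass
    return {"cycle": [s for _, s in frames[start:start + period]],
            "bytes_per_loop": per_loop,
            "approx_depth": (top - fault) // per_loop}  # assumes top ~ stack top

if __name__ == "__main__":
    print(analyse())
```

On this trace the loop is five frames long: jpinscp+0x3789 calls USER32!CallWindowProcA and is entered again through it, costing 0x1184 bytes of stack per pass.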
I was looking at my crash report page and found out that the overflow has changed a little from jpinscp.dll 0xcf15 to jpinscp.dll 0xcf45. So I did a quick search and found another bug with the same stack overflow:
https://bugzilla.mozilla.org/show_bug.cgi?id=405357
Are these bugs the same?
yes
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ jpinscp.dll@0xcf15]
Product: Core → Core Graveyard