Bug 275948 - net-libs/xulrunner-1.9.0.11-r1 XML nested "A" tag crash in nsCSSRuleProcessor
Summary: net-libs/xulrunner-1.9.0.11-r1 XML nested "A" tag crash in nsCSSRuleProcessor
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Mozilla Gentoo Team
URL: https://bugzilla.mozilla.org/show_bug...
Reported: 2009-06-30 13:44 UTC by Mart Raudsepp
Modified: 2009-07-02 15:00 UTC (History)
Description Mart Raudsepp gentoo-dev 2009-06-30 13:44:32 UTC
+++ This bug was initially created as a clone of Bug #271865 +++

CVE-2009-1233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1233):
  Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to
  cause a denial of service (application crash) via an XML document
  containing many nested A elements.

^^^ Above is from bug 271865 ^^^

While testing this exploit (http://www.milw0rm.com/exploits/8325) in webkit-gtk, I also tried it on firefox for the heck of it, and that caused the crash of firefox instead (denial of service).

Backtrace seems to be corrupted, and the interesting thread has only this (there are 8 worker threads that are uninteresting and sitting in conditional wait):

(gdb) bt full
#0  nsCSSRuleProcessor::GetRuleCascade (this=0x318f370, aPresContext=0x27010e0) at nsCSSRuleProcessor.cpp:2176
	cascadep = (RuleCascadeData **) Cannot access memory at address 0x7fff14385ee8
I don't know if this bug is known by anyone, or if this should be considered a security bug or not, etc. Don't have the time right now to go search and do all the proper dance, so I hope you guys can check into it meanwhile. Restricting to be safe until research or time has found it to be public knowledge.
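A defender-side guard for the failure mode described in this report: a streaming, depth-limited XML parse that rejects pathologically nested documents before a layout or style engine has to walk the tree. This is an added example in Python, not code from this bug, from Gentoo or from Mozilla; the limit of 256 and the two sample documents are constructed assumptions.

```python
"""Nesting-depth guard for XML input, applied before any rendering step."""
import xml.sax
from xml.sax.handler import ContentHandler


class NestingTooDeep(Exception):
    """Raised as soon as element nesting exceeds the configured limit."""


class DepthGuard(ContentHandler):
    """Tracks element nesting depth while SAX streams the document."""

    def __init__(self, limit):
        super().__init__()
        self.limit = limit          # assumed policy value, not from the bug
        self.depth = 0
        self.max_depth = 0
        self.deepest_tag = None

    def startElement(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            self.max_depth = self.depth
            self.deepest_tag = name
        if self.depth > self.limit:
            # Abort the parse here: the rest of the document is never built,
            # so no downstream consumer sees the deep tree at all.
            raise NestingTooDeep(
                f"<{name}> at depth {self.depth} exceeds limit {self.limit}")

    def endElement(self, name):
        self.depth -= 1


def check_nesting(xml_bytes, limit=256):
    """Return (accepted, deepest nesting seen, tag at that depth)."""
    guard = DepthGuard(limit)
    try:
        xml.sax.parseString(xml_bytes, guard)
    except NestingTooDeep:
        return False, guard.max_depth, guard.deepest_tag
    return True, guard.max_depth, guard.deepest_tag


# Constructed samples: an ordinary document and a deeply nested <a> chain.
SHALLOW = b"<html><body><a href='x'>t</a></body></html>"
DEEP = b"<root>" + b"<a>" * 300 + b"</a>" * 300 + b"</root>"

if __name__ == "__main__":
    for doc in (SHALLOW, DEEP):
        print(check_nesting(doc))
```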
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-06-30 16:04:49 UTC
Reported upstream, Mart is cc'ed on the bug.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-02 11:58:38 UTC
Upstream is tracking this publicly now and states that it is only a crasher. Client crash bugs are not treated as vulnerabilities by Gentoo Security.
If it crashes your browser, do not visit the page again. Reassigning to mozilla.
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-07-02 15:00:14 UTC
mozilla@gentoo.org has been CCed on the upstream bug, let's track it there...