Bug 275948

Summary: net-libs/xulrunner-1.9.0.11-r1 XML nested "A" tag crash in nsCSSRuleProcessor
Product: Gentoo Linux
Reporter: Mart Raudsepp <leio>
Component: Current packages
Assignee: Mozilla Gentoo Team <mozilla>
Status: RESOLVED UPSTREAM
Severity: minor
CC: rbu
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=501381
Whiteboard:
Package list:
Runtime testing required: ---

Description Mart Raudsepp gentoo-dev 2009-06-30 13:44:32 UTC
+++ This bug was initially created as a clone of Bug #271865 +++

CVE-2009-1233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1233):
  Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to
  cause a denial of service (application crash) via an XML document
  containing many nested A elements.

^^^ Above is from bug 271865 ^^^

While testing this exploit (http://www.milw0rm.com/exploits/8325) in webkit-gtk, I also tried it on Firefox for the heck of it, and that crashed Firefox instead (denial of service).

The backtrace seems to be corrupted, and the interesting thread has only this (there are 8 worker threads that are uninteresting and sitting in a conditional wait):

(gdb) bt full
#0  nsCSSRuleProcessor::GetRuleCascade (this=0x318f370, aPresContext=0x27010e0) at nsCSSRuleProcessor.cpp:2176
	cascadep = (RuleCascadeData **) Cannot access memory at address 0x7fff14385ee8
I don't know if this bug is known by anyone, or if this should be considered a security bug or not, etc. Don't have the time right now to go search and do all the proper dance, so I hope you guys can check into it meanwhile. Restricting to be safe until research or time has found it to be public knowledge.
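As an added example (not part of this bug report, the upstream Mozilla bug, or the milw0rm PoC): the CVE text describes the trigger as an XML document with many nested A elements, so the check a practitioner wants before handing untrusted XML to a renderer is "how deep does this element nest?" The code below builds a constructed document of that shape and measures nesting depth with a streaming expat parser, tracking depth with a counter rather than a recursive walk so the checker itself cannot be exhausted by the input. The sample document, the `nested_a_document` and `exceeds_limit` helpers, and the limit value are all assumptions of this example; the bug gives no threshold at which Firefox or Safari crashed.

```python
"""Measure XML element nesting depth without recursion.

Added example, not code from the Gentoo bug, the Mozilla bug, or milw0rm
8325. It builds a constructed document shaped like the one the CVE text
describes (many nested <a> elements) and measures nesting depth with a
streaming parser, so the checker never recurses over hostile input.
"""
from typing import Optional
from xml.parsers import expat


def nested_a_document(depth: int) -> bytes:
    """Constructed sample: an XHTML body with `depth` nested <a> elements.

    The shape follows the CVE description; the actual milw0rm PoC is not
    reproduced here, and the depth is an arbitrary test value.
    """
    open_tags = "<a>" * depth
    close_tags = "</a>" * depth
    doc = ('<html xmlns="http://www.w3.org/1999/xhtml"><body>'
           + open_tags + "x" + close_tags + "</body></html>")
    return doc.encode()


def max_nesting(xml: bytes, tag: Optional[str] = None) -> int:
    """Return the deepest nesting level reached by `tag` (or by any element
    when `tag` is None).

    expat delivers start/end events as it streams the bytes; depth is a
    plain counter, so a deeply nested document costs this checker O(1)
    stack no matter how deep it goes.
    """
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        if tag is None or name == tag:
            depth += 1
            deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        if tag is None or name == tag:
            depth -= 1

    # No namespace separator: element names arrive as written ("a", "body").
    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml, True)
    return deepest


def exceeds_limit(xml: bytes, tag: str, limit: int) -> bool:
    """True if `tag` nests deeper than `limit`.

    `limit` is an assumed policy value chosen by the caller; nothing in the
    bug report says at what depth the browsers fell over.
    """
    return max_nesting(xml, tag) > limit


if __name__ == "__main__":
    sample = nested_a_document(1000)
    print("nested <a> depth:", max_nesting(sample, "a"))
    print("overall element depth:", max_nesting(sample))
    print("exceeds assumed limit of 512:", exceeds_limit(sample, "a", 512))
```

The overall element depth counts the enclosing html and body elements as well, so for a document with N nested a elements it reports N + 2; the tag-specific count reports N.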
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-06-30 16:04:49 UTC
Reported upstream; Mart is CC'ed on the bug.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-02 11:58:38 UTC
Upstream is tracking this publicly now and states that it is only a crasher. Client crash bugs are not treated as vulnerabilities by Gentoo Security.
If it crashes your browser, do not visit the page again. Reassigning to mozilla.
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-07-02 15:00:14 UTC
mozilla@gentoo.org has been CCed on the upstream bug, let's track it there...