LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-23-2010, 07:28 AM   #181
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,918

Rep: Reputation: 5035

Thanks for keeping us informed win32sux. Your efforts on this and the kernel vulnerabilities thread are very much appreciated.


From what I read, it looks like the error is in the parsing of downloadable WOFF format fonts, so in theory going into about:config and changing gfx.downloadable_fonts.enabled to false sounds like it would have mitigated the "remote" aspects of this vulnerability. If anyone is waiting for their distro to get the fix out, then you may want to consider doing this. (Actually, I think I'm gonna leave this disabled even though I'm now running 3.6.2).

Pity no one at Secunia or Mozilla thought to inform people about such a simple mitigation action.
 
1 members found this post helpful.
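One way to check whether the `gfx.downloadable_fonts.enabled` mitigation mentioned in post #181 is actually in place for each local profile. This is an added example, not part of the original thread. It assumes each profile is a directory holding `prefs.js` and optionally `user.js` with `user_pref("name", value);` lines; the function names and the demo profile names are made up for illustration.

```shell
#!/bin/sh
# Added example: report the gfx.downloadable_fonts.enabled setting per profile.
# Assumption: preferences are stored as user_pref("name", value); lines in
# prefs.js, and user.js (if present) is re-applied at every browser start.

# pref_value FILE -> prints the last value (true/false) set in FILE, if any.
pref_value() {
    [ -f "$1" ] || return 0
    sed -n -E 's/^[[:space:]]*user_pref\("gfx\.downloadable_fonts\.enabled",[[:space:]]*(true|false)\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1
}

# font_pref_state PROFILE_DIR -> prints disabled, enabled or unset.
font_pref_state() {
    profile=$1
    # user.js wins because the browser copies it over prefs.js on startup.
    value=$(pref_value "$profile/user.js")
    [ -n "$value" ] || value=$(pref_value "$profile/prefs.js")
    case "$value" in
        false) echo "disabled" ;;   # mitigation applied
        true)  echo "enabled" ;;    # downloadable fonts explicitly on
        *)     echo "unset" ;;      # browser default applies
    esac
}

# audit_profiles ROOT -> one "state<TAB>profile" line per profile under ROOT.
audit_profiles() {
    root=$1
    for dir in "$root"/*/; do
        [ -f "${dir}prefs.js" ] || [ -f "${dir}user.js" ] || continue
        printf '%s\t%s\n' "$(font_pref_state "${dir%/}")" "${dir%/}"
    done
}

# Demo on constructed sample profiles (not real data); for a real check,
# point audit_profiles at the directory that holds your profiles.
demo=$(mktemp -d)
mkdir -p "$demo/a1b2c3.default" "$demo/d4e5f6.work"
printf 'user_pref("gfx.downloadable_fonts.enabled", false);\n' \
    > "$demo/a1b2c3.default/prefs.js"
printf 'user_pref("browser.startup.page", 3);\n' \
    > "$demo/d4e5f6.work/prefs.js"
audit_profiles "$demo"
rm -rf "$demo"
```

A profile reported as `unset` has never had the preference changed, so it is the one to revisit while waiting for a distro package.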
Old 03-23-2010, 05:21 PM   #182
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Rep: Reputation: 17
Finally, Firefox 3.6.2 has been released, I have it. Hopefully it will address some of the concerns here. I apologize to anyone who may have been offended by my previous posts, but I was only going by what I was told the first time that I installed Linux. No viruses, malware, and no worries. Maybe I need to do some studying on this issue, but at the same time, no one should be saying that with Linux, you have nothing to fear. That is still being repeated to this day.
 
Old 03-23-2010, 11:02 PM   #183
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Quote:
Originally Posted by GazL View Post
Thanks for keeping us informed win32sux. Your efforts on this and the kernel vulnerabilities thread are very much appreciated.
You (and anyone else who reads these threads) are most welcome!

Quote:
Originally Posted by catilley1092 View Post
Finally, Firefox 3.6.2 has been released, I have it. Hopefully it will address some of the concerns here. I apologize to anyone who may have been offended by my previous posts, but I was only going by what I was told the first time that I installed Linux. No viruses, malware, and no worries. Maybe I need to do some studying on this issue, but
The virus threat to GNU/Linux is indeed extremely lower than with Windows — there's absolutely no doubt about that, but it's beside the point. With arbitrary code execution vulnerabilities, the bad guys with the exploits are able to execute pretty much anything they wish on your box if you're attacked. Think about that for a second, pretty much anything they wish. The damage they can cause is limited only by their skills/abilities and your security posture. The implications of that are huge, to include code which can do anything ranging from data destruction to identity theft and worse. This is true on any generic OS, and it's important that LQSEC serve as a place to encourage proactive defense against such threats.

Quote:
at the same time, no one should be saying that with Linux, you have nothing to fear. That is still being repeated to this day.
Unfortunately, you're absolutely correct — some people do believe and proclaim things of that nature. I would like to think that it's mainly newcomers, though — specifically, those who have been encouraged to try GNU/Linux by misguided individuals. From that perspective, it's not really their fault, and perhaps they just need time in order to realize that there's plenty of security threats to go around, regardless of the OS you use. If I could offer you a suggestion, it would be to browse through unSpawn's Security references thread. However, instead of looking to learn how to use the tools listed there, go at it from a different angle: study the specific vulnerabilities which the tools are designed to mitigate.

Last edited by win32sux; 03-23-2010 at 11:29 PM.
 
2 members found this post helpful.
Old 03-24-2010, 01:05 AM   #184
catilley1092
Member
 
Registered: Aug 2009
Location: East Coast, USA
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61

Rep: Reputation: 17
win32sux, thanks for letting me know that I'm not 100% safe on a computer, regardless of the OS. Linux and Mac users swear by this. I did click onto the link "arbitrary code execution", it led to a Wikipedia article that described it in detail. When I made my initial posts regarding this, the thought of it caught me off guard and I became entangled with defending FF, without looking up anything. I do apologize, it's my bad for assuming something didn't exist w/o at least researching it. I use Linux Mint 8 and Windows 7 Pro. Both OS's have their merits. I'm a VIP member of a Windows 7 forum, and this issue never once came up on the forum. Most security related issues do. Like myself, there are a few Linux users on the forum who prefer speed and security over scanning and scanning for viruses and malware. Although I normally use Mint for the sheer speed (virus and malware protection comes at a price, your speed), I have to use Windows to print and for my granddaughter to play games on. But I have learned from this, and the next time I hear of a threat like this, I'll switch browsers until the issue is resolved. I proudly accept the warning that was issued to me as a lesson learned, with no hard feelings toward anyone.
 
1 members found this post helpful.
Old 03-24-2010, 11:15 AM   #185
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Quote:
Originally Posted by catilley1092 View Post
Maybe I need to do some studying on this issue, but at the same time, no one should be saying that with Linux, you have nothing to fear. That is still being repeated to this day.
I'd say that if you configure it right and do upgrade when needed, you have little to fear. I don't think that there can ever be a 100% secure OS, not even with SELinux (which I don't like), so don't expect it.
 
Old 03-30-2010, 09:41 PM   #186
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Firefox 3.0.19 and 3.5.9 have been released.

They include fixes for several security vulnerabilities, most of which are rated as Critical.
 
Old 03-31-2010, 11:17 PM   #187
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
FWIW, Secunia issued advisories today pertaining to the aforementioned releases: 3.0.x and 3.5.x.
 
Old 04-01-2010, 09:00 PM   #188
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Firefox 3.6.3 has been released.

It addresses a security vulnerability rated as Critical.
 
Old 04-02-2010, 04:20 AM   #189
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Quote:
Originally Posted by win32sux View Post
Firefox 3.6.3 has been released.

It addresses a security vulnerability rated as Critical.
That's great, and on April Fools, I hope this isn't a joke, but they forgot to put the source code on there, which prevents me from upgrading ...
 
Old 04-02-2010, 05:35 AM   #190
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,918

Rep: Reputation: 5035
Quote:
Originally Posted by H_TeXMeX_H View Post
That's great, and on April Fools, I hope this isn't a joke, but they forgot to put the source code on there, which prevents me from upgrading ...
Yep, you're quite right: ftp.mozilla.org/pub/firefox/releases/3.6.3/source is AWOL.
 
Old 04-02-2010, 01:48 PM   #191
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Wow, I didn't know the source code was pending. I did try to take a look at the relevant bug report in order to determine whether it affected the GNU/Linux version, but it's not publicly accessible.

EDIT: Just checked and it looks like the source was uploaded today.

Last edited by win32sux; 04-02-2010 at 01:51 PM.
 
Old 04-03-2010, 01:19 AM   #192
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Secunia issued an advisory today pertaining to the vulnerability present in Firefox 3.6.2.

The relevant bug report remains inaccessible to me at this time.

FWIW, here's the diff between 3.6.2 and 3.6.3:
Code:
diff -Naur ./mozilla-1.9.2.old/browser/config/version.txt ./mozilla-1.9.2/browser/config/version.txt
--- ./mozilla-1.9.2.old/browser/config/version.txt	2010-03-16 02:57:31.000000000 -0700
+++ ./mozilla-1.9.2/browser/config/version.txt	2010-04-02 09:03:19.000000000 -0700
@@ -1 +1 @@
-3.6.2
+3.6.3
diff -Naur ./mozilla-1.9.2.old/config/milestone.txt ./mozilla-1.9.2/config/milestone.txt
--- ./mozilla-1.9.2.old/config/milestone.txt	2010-03-16 02:57:31.000000000 -0700
+++ ./mozilla-1.9.2/config/milestone.txt	2010-04-02 09:03:19.000000000 -0700
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-1.9.2.2
+1.9.2.3
diff -Naur ./mozilla-1.9.2.old/content/base/src/nsContentUtils.cpp ./mozilla-1.9.2/content/base/src/nsContentUtils.cpp
--- ./mozilla-1.9.2.old/content/base/src/nsContentUtils.cpp	2010-03-16 02:54:00.000000000 -0700
+++ ./mozilla-1.9.2/content/base/src/nsContentUtils.cpp	2010-04-02 09:02:18.000000000 -0700
@@ -1302,7 +1302,7 @@
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  return sXPConnect->ReparentScopeAwareWrappers(cx, oldScopeObj, newScopeObj);
+  return sXPConnect->MoveWrappers(cx, oldScopeObj, newScopeObj);
 }
 
 nsIDocShell *
diff -Naur ./mozilla-1.9.2.old/content/html/document/src/nsHTMLContentSink.cpp ./mozilla-1.9.2/content/html/document/src/nsHTMLContentSink.cpp
--- ./mozilla-1.9.2.old/content/html/document/src/nsHTMLContentSink.cpp	2010-03-16 02:54:10.000000000 -0700
+++ ./mozilla-1.9.2/content/html/document/src/nsHTMLContentSink.cpp	2010-04-02 09:02:19.000000000 -0700
@@ -179,6 +179,7 @@
 
   // nsISupports
   NS_DECL_ISUPPORTS_INHERITED
+  NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(HTMLContentSink, nsContentSink)
 
   // nsIContentSink
   NS_IMETHOD WillParse(void);
@@ -232,15 +233,15 @@
                      void* aThis);
 #endif
 
-  nsIHTMLDocument* mHTMLDocument;
+  nsCOMPtr<nsIHTMLDocument> mHTMLDocument;
 
   // The maximum length of a text run
   PRInt32 mMaxTextRun;
 
-  nsGenericHTMLElement* mRoot;
-  nsGenericHTMLElement* mBody;
+  nsRefPtr<nsGenericHTMLElement> mRoot;
+  nsRefPtr<nsGenericHTMLElement> mBody;
   nsRefPtr<nsGenericHTMLElement> mFrameset;
-  nsGenericHTMLElement* mHead;
+  nsRefPtr<nsGenericHTMLElement> mHead;
 
   nsRefPtr<nsGenericHTMLElement> mCurrentForm;
 
@@ -1535,12 +1536,6 @@
 
 HTMLContentSink::~HTMLContentSink()
 {
-  NS_IF_RELEASE(mHead);
-  NS_IF_RELEASE(mBody);
-  NS_IF_RELEASE(mRoot);
-
-  NS_IF_RELEASE(mHTMLDocument);
-
   if (mNotificationTimer) {
     mNotificationTimer->Cancel();
   }
@@ -1578,18 +1573,45 @@
   }
 }
 
+NS_IMPL_CYCLE_COLLECTION_CLASS(HTMLContentSink)
+
+NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(HTMLContentSink, nsContentSink)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mHTMLDocument)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mRoot)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mBody)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mFrameset)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mHead)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_NSCOMPTR(mCurrentForm)
+  for (PRUint32 i = 0; i < NS_ARRAY_LENGTH(tmp->mNodeInfoCache); ++i) {
+    NS_IF_RELEASE(tmp->mNodeInfoCache[i]);
+  }
+NS_IMPL_CYCLE_COLLECTION_UNLINK_END
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(HTMLContentSink,
+                                                  nsContentSink)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mHTMLDocument)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mRoot)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mBody)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mFrameset)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mHead)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_NSCOMPTR(mCurrentForm)
+  for (PRUint32 i = 0; i < NS_ARRAY_LENGTH(tmp->mNodeInfoCache); ++i) {
+    NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(cb, "mNodeInfoCache[i]");
+    cb.NoteXPCOMChild(tmp->mNodeInfoCache[i]);
+  }
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+
+NS_INTERFACE_TABLE_HEAD_CYCLE_COLLECTION_INHERITED(HTMLContentSink)
+  NS_INTERFACE_TABLE_BEGIN
+    NS_INTERFACE_TABLE_ENTRY(HTMLContentSink, nsIContentSink)
+    NS_INTERFACE_TABLE_ENTRY(HTMLContentSink, nsIHTMLContentSink)
 #if DEBUG
-NS_IMPL_ISUPPORTS_INHERITED3(HTMLContentSink,
-                             nsContentSink,
-                             nsIContentSink,
-                             nsIHTMLContentSink,
-                             nsIDebugDumpContent)
-#else
-NS_IMPL_ISUPPORTS_INHERITED2(HTMLContentSink,
-                             nsContentSink,
-                             nsIContentSink,
-                             nsIHTMLContentSink)
+    NS_INTERFACE_TABLE_ENTRY(HTMLContentSink, nsIDebugDumpContent)
 #endif
+  NS_INTERFACE_TABLE_END
+NS_INTERFACE_TABLE_TAIL_INHERITING(nsContentSink)
+
+NS_IMPL_ADDREF_INHERITED(HTMLContentSink, nsContentSink)
+NS_IMPL_RELEASE_INHERITED(HTMLContentSink, nsContentSink)
 
 static PRBool
 IsScriptEnabled(nsIDocument *aDoc, nsIDocShell *aContainer)
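Review bot: The UNLINK loop still releases tmp->mNodeInfoCache[i] by hand with NS_IF_RELEASE, while every other member touched here has moved to nsCOMPtr/nsRefPtr. The destructor hunk above only drops the releases for mHead, mBody, mRoot and mHTMLDocument, so whatever release path exists for the cache entries now has to tolerate running after an unlink. NS_IF_RELEASE nulls the slot, which makes that safe, but a one-line comment saying so (or converting the array elements to nsCOMPtr) would keep the ownership story uniform. Minor style point: mRoot, mBody, mFrameset, mHead and mCurrentForm are nsRefPtr members but go through the _NSCOMPTR unlink/traverse macros; worth a note that this is intentional.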
@@ -1643,7 +1665,7 @@
 
   aDoc->AddObserver(this);
   mIsDocumentObserver = PR_TRUE;
-  CallQueryInterface(aDoc, &mHTMLDocument);
+  mHTMLDocument = do_QueryInterface(aDoc);
 
   mObservers = nsnull;
   nsIParserService* service = nsContentUtils::GetParserService();
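Review bot: The result of do_QueryInterface(aDoc) is not checked in the visible lines after the assignment to mHTMLDocument. The old CallQueryInterface call discarded its return value as well, so this is not a regression, but since the member is now a smart pointer a cheap null check here (returning an error if mHTMLDocument is null) would make later dereferences of it safe by construction.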
@@ -1687,7 +1709,7 @@
     // If the document already has a root we'll use it. This will
     // happen when we do document.open()/.write()/.close()...
 
-    NS_ADDREF(mRoot = static_cast<nsGenericHTMLElement*>(doc_root));
+    mRoot = static_cast<nsGenericHTMLElement*>(doc_root);
   } else {
     mRoot = NS_NewHTMLHtmlElement(nodeInfo);
     if (!mRoot) {
@@ -1695,7 +1717,6 @@
       MOZ_TIMER_STOP(mWatch);
       return NS_ERROR_OUT_OF_MEMORY;
     }
-    NS_ADDREF(mRoot);
 
     NS_ASSERTION(mDocument->GetChildCount() == 0,
                  "Document should have no kids here!");
@@ -1714,7 +1735,6 @@
     MOZ_TIMER_STOP(mWatch);
     return NS_ERROR_OUT_OF_MEMORY;
   }
-  NS_ADDREF(mHead);
 
   mRoot->AppendChildTo(mHead, PR_FALSE);
 
@@ -2040,8 +2060,6 @@
 
   mBody = mCurrentContext->mStack[mCurrentContext->mStackPos - 1].mContent;
 
-  NS_ADDREF(mBody);
-
   MOZ_TIMER_DEBUGLOG(("Stop: nsHTMLContentSink::OpenBody()\n"));
   MOZ_TIMER_STOP(mWatch);
 
diff -Naur ./mozilla-1.9.2.old/.hgtags ./mozilla-1.9.2/.hgtags
--- ./mozilla-1.9.2.old/.hgtags	2010-03-16 02:57:33.000000000 -0700
+++ ./mozilla-1.9.2/.hgtags	2010-04-02 09:03:21.000000000 -0700
@@ -49,3 +49,13 @@
 cd857b3b0e33449cd97b98c00c058aa147171114 FIREFOX_3_6_2_BUILD3
 827a6883442f5bd110e66616fc86df732b05b2d6 FIREFOX_3_6_2_RELEASE
 cd857b3b0e33449cd97b98c00c058aa147171114 FIREFOX_3_6_2_RELEASE
+f14062c981ba6e70ebc85f751f5f38fa41de732d FIREFOX_3_6_2_BUILD1
+d6e028dc1b68ed3e716fbc2d5ca3ea52e4f9409a FIREFOX_3_6_2_BUILD1
+cd857b3b0e33449cd97b98c00c058aa147171114 FIREFOX_3_6_2_RELEASE
+d6e028dc1b68ed3e716fbc2d5ca3ea52e4f9409a FIREFOX_3_6_2_RELEASE
+28ef231a65a3b4de825a1071a2b1b21e94cd6959 FIREFOX_3_6_3_BUILD1
+28ef231a65a3b4de825a1071a2b1b21e94cd6959 FIREFOX_3_6_3_RELEASE
+d6e028dc1b68ed3e716fbc2d5ca3ea52e4f9409a FIREFOX_3_6_2_BUILD1
+f14062c981ba6e70ebc85f751f5f38fa41de732d FIREFOX_3_6_2_BUILD1
+d6e028dc1b68ed3e716fbc2d5ca3ea52e4f9409a FIREFOX_3_6_2_RELEASE
+f14062c981ba6e70ebc85f751f5f38fa41de732d FIREFOX_3_6_2_RELEASE
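Review bot: The added lines re-point FIREFOX_3_6_2_BUILD1 and FIREFOX_3_6_2_RELEASE several times between the f14062c… and d6e028d… changesets, after the context lines had already set FIREFOX_3_6_2_RELEASE to cd857b3…. Anyone verifying a 3.6.2 source build against a tag should confirm which changeset the final entry resolves to; a short note in the release commit explaining why already-published 3.6.2 tags were moved would help auditing.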
diff -Naur ./mozilla-1.9.2.old/js/src/config/milestone.txt ./mozilla-1.9.2/js/src/config/milestone.txt
--- ./mozilla-1.9.2.old/js/src/config/milestone.txt	2010-03-16 02:57:31.000000000 -0700
+++ ./mozilla-1.9.2/js/src/config/milestone.txt	2010-04-02 09:03:19.000000000 -0700
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-1.9.2.2
+1.9.2.3
diff -Naur ./mozilla-1.9.2.old/js/src/xpconnect/idl/nsIXPConnect.idl ./mozilla-1.9.2/js/src/xpconnect/idl/nsIXPConnect.idl
--- ./mozilla-1.9.2.old/js/src/xpconnect/idl/nsIXPConnect.idl	2010-03-16 02:55:57.000000000 -0700
+++ ./mozilla-1.9.2/js/src/xpconnect/idl/nsIXPConnect.idl	2010-04-02 09:02:30.000000000 -0700
@@ -620,9 +620,9 @@
                                  in JSObjectPtr  aNewParent,
                                  in nsISupports  aCOMObj);
     void
-    reparentScopeAwareWrappers(in JSContextPtr aJSContext,
-                               in JSObjectPtr  aOldScope,
-                               in JSObjectPtr  aNewScope);
+    moveWrappers(in JSContextPtr aJSContext,
+                 in JSObjectPtr  aOldScope,
+                 in JSObjectPtr  aNewScope);
 
     void clearAllWrappedNativeSecurityPolicies();
 
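Review bot: Renaming reparentScopeAwareWrappers to moveWrappers is the only change to nsIXPConnect.idl in this diff, so the interface's uuid is left as it was. The argument list and slot position are unchanged, which keeps compiled callers working, but anything that calls the method by name will fail against the new build. If the rename is meant to signal changed semantics, say so in the IDL comment and consider whether the interface id should be revised along with it.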
diff -Naur ./mozilla-1.9.2.old/js/src/xpconnect/src/nsXPConnect.cpp ./mozilla-1.9.2/js/src/xpconnect/src/nsXPConnect.cpp
--- ./mozilla-1.9.2.old/js/src/xpconnect/src/nsXPConnect.cpp	2010-03-16 02:55:57.000000000 -0700
+++ ./mozilla-1.9.2/js/src/xpconnect/src/nsXPConnect.cpp	2010-04-02 09:02:30.000000000 -0700
@@ -1465,11 +1465,11 @@
     return JS_DHASH_NEXT;
 }
 
-/* void reparentScopeAwareWrappers(in JSContextPtr aJSContext, in JSObjectPtr  aOldScope, in JSObjectPtr  aNewScope); */
+/* void moveWrappers(in JSContextPtr aJSContext, in JSObjectPtr  aOldScope, in JSObjectPtr  aNewScope); */
 NS_IMETHODIMP
-nsXPConnect::ReparentScopeAwareWrappers(JSContext *aJSContext,
-                                        JSObject *aOldScope,
-                                        JSObject *aNewScope)
+nsXPConnect::MoveWrappers(JSContext *aJSContext,
+                          JSObject *aOldScope,
+                          JSObject *aNewScope)
 {
     XPCCallContext ccx(NATIVE_CALLER, aJSContext);
     if(!ccx.IsValid())
@@ -1537,24 +1537,29 @@
         if(NS_FAILED(rv))
             return rv;
 
-        if(newParent != aOldScope)
+        if(newParent == aOldScope)
         {
-            // The wrapper returned a new parent. If the new parent is in
-            // a different scope, then we need to reparent it, otherwise,
-            // the old scope is fine.
-
-            XPCWrappedNativeScope *betterScope =
-                XPCWrappedNativeScope::FindInJSObjectScope(ccx, newParent);
-            if(betterScope == oldScope)
-                continue;
-
-            NS_ASSERTION(betterScope == newScope, "Weird scope returned");
+            // The old scope still works for this wrapper. We have to assume
+            // that the wrapper will continue to return the old scope from
+            // PreCreate, so don't move it.
+            continue;
         }
-        else
+
+        // The wrapper returned a new parent. If the new parent is in
+        // a different scope, then we need to reparent it, otherwise,
+        // the old scope is fine.
+
+        XPCWrappedNativeScope *betterScope =
+            XPCWrappedNativeScope::FindInJSObjectScope(ccx, newParent);
+        if(betterScope == oldScope)
         {
-            // The old scope still works for this wrapper.
-            continue;
+            // The wrapper asked for a different object, but that object
+            // was in the same scope. We assume here that the new parent
+            // simply hasn't been reparented yet.
+            newParent = nsnull;
         }
+        else
+            NS_ASSERTION(betterScope == newScope, "Weird scope returned");
 
         // Now, reparent the wrapper, since we know that it wants to be
         // reparented.
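Review bot: In the betterScope == oldScope branch, newParent is set to nsnull and control then falls through to the reparenting code, so null is being used as a signal meaning "move the wrapper but leave its parent alone". That contract is only stated as an assumption in the comment ("simply hasn't been reparented yet") and is not asserted anywhere in this hunk; please document it at the call that consumes newParent. Style: the trailing else carries an unbraced NS_ASSERTION after a braced if, which is easy to misread and compiles to an empty else in non-debug builds; brace it.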
diff -Naur ./mozilla-1.9.2.old/js/src/xpconnect/src/xpcwrappednative.cpp ./mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednative.cpp
--- ./mozilla-1.9.2.old/js/src/xpconnect/src/xpcwrappednative.cpp	2010-03-16 02:55:57.000000000 -0700
+++ ./mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednative.cpp	2010-04-02 09:02:30.000000000 -0700
@@ -1465,8 +1465,11 @@
     {
         flat = cache->GetWrapper();
         if(flat && !IS_SLIM_WRAPPER(flat))
+        {
             wrapper = static_cast<XPCWrappedNative*>(xpc_GetJSPrivate(flat));
-        
+            NS_ASSERTION(wrapper->GetScope() == aOldScope,
+                         "Incorrect scope passed");
+        }
     }
     else
     {
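Review bot: The new scope check on wrapper is an NS_ASSERTION, so it only fires in debug builds; a release build that is passed the wrong aOldScope proceeds exactly as before. It also dereferences wrapper immediately after the static_cast of xpc_GetJSPrivate(flat) without a null test. If a mismatched scope is a condition the function must not continue from, return an error in all builds rather than asserting.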
@@ -1610,10 +1613,8 @@
 
     // Now we can just fix up the parent and return the wrapper
 
-    if(!JS_SetParent(ccx, flat, aNewParent))
-    {
+    if(aNewParent && !JS_SetParent(ccx, flat, aNewParent))
         return NS_ERROR_FAILURE;
-    }
 
     *aWrapper = nsnull;
     wrapper.swap(*aWrapper);
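Review bot: With the new aNewParent && guard, a null aNewParent now silently skips JS_SetParent and the function still reports success. The comment above the call still reads "Now we can just fix up the parent and return the wrapper"; update it to say that a null parent means "keep the current parent", so future callers do not pass null by accident and lose the reparenting step.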

Last edited by win32sux; 04-03-2010 at 08:57 PM.
 
1 members found this post helpful.
Old 04-03-2010, 08:01 AM   #193
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,918

Rep: Reputation: 5035
Quote:
Originally Posted by win32sux View Post
Secunia issued an advisory today pertaining to the Firefox 3.6.3 release.
Your wording was a little misleading there. "advisory pertaining to Firefox 3.6.3" suggests that they are advising of an issue with 3.6.3

The advisory you linked states that the solution is to update to 3.6.3, which suggests that it's a 3.6.2 (and possibly earlier) issue.
 
Old 04-03-2010, 08:58 PM   #194
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Quote:
Originally Posted by GazL View Post
Your wording was a little misleading there. "advisory pertaining to Firefox 3.6.3" suggests that they are advising of an issue with 3.6.3

The advisory you linked states that the solution is to update to 3.6.3, which suggests that it's a 3.6.2 (and possibly earlier) issue.
Agreed. Fixed, and made a mental note for next time. Thanks!

Last edited by win32sux; 04-03-2010 at 09:06 PM.
 
Old 04-09-2010, 09:06 AM   #195
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Plugging the CSS History Leak

I pretty much ignored this post when I saw it originally, but in retrospect it does seem like it's pertinent enough to be discussed here in this thread. Personally, I find it quite refreshing whenever Mozilla is proactive like this. I just hope the unintended, negative consequences will be minimal.
Quote:
We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time. We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though, so I’d like to describe how we ended up with this approach.
Complete Post
 
  

