Daniel Veditz [:dveditz] Reporter
	Description • 6 years ago

Looks like we may need the patch from https://bugs.chromium.org/p/chromium/issues/detail?id=850350 to fix a static buffer overflow found by fuzzing in Chrome. The fix was shipped with Chrome 68 and assigned CVE-2018-6153. It was demonstrated to affect m67; no regressor was identified so it might affect the m66 branch we're using.

There were two patches taken (plus a test patch). Only the second one appears to have been merged to the m68 branch

https://skia.googlesource.com/skia/+/1e259cda4fb7f12e98dd611bd651f40ebef2d14a
https://skia.googlesource.com/skia/+/73be50da2a1fe8944f2623a511fda1957eed708a

	Daniel Veditz [:dveditz] Reporter
	Comment 1 • 6 years ago

A stack buffer UNDERflow in this function was reported as https://bugs.chromium.org/p/chromium/issues/detail?id=862004 but this was determined to have been fixed by the same patches. Not sure why it wasn't duped but was instead marked fixed.

	Ryan VanderMeulen [:RyanVM] Assignee
	Comment 2 • 6 years ago

AFAICT, this affects all of our supported releases.

	Ryan VanderMeulen [:RyanVM] Assignee
	Comment 3 • 6 years ago

Green on Try.

64: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=c1705a90f47141dea9d3bee7ab2b544669d411ef
63: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=6771c38d533b19ac36d7833ac612508b876155ea
ESR60: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=1a994860ea0c9fc0afd8b5ed0becb68647a1c819

	Ryan VanderMeulen [:RyanVM] Assignee
	Comment 4 • 6 years ago

Comment on attachment 9017302 [details] [diff] [review]
Backport the upstream patches

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: No clue, but the upstream commit is public knowledge.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: All

If not all supported branches, which bug introduced the flaw?: N/A

Do you have backports for the affected branches?: Yes

If not, how different, hard to create, and risky will they be?: N/A

How likely is this patch to cause regressions; how much testing does it need?: Green on Try, not sure what more we can realistically do.

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: None

User impact if declined: 

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: Yes

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String changes made/needed: 

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: 

User impact if declined: 

Fix Landed on Version: 

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String or UUID changes made by this patch:

	Al Billings [:abillings - ex-MoCo]
	Comment 5 • 6 years ago

Comment on attachment 9017302 [details] [diff] [review]
Backport the upstream patches

Approvals given.

	Ryan VanderMeulen [:RyanVM] Assignee
	Comment 6 • 6 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/a1fb2da7388b

	Ryan VanderMeulen [:RyanVM] Assignee
	Comment 7 • 6 years ago
uplift

https://hg.mozilla.org/releases/mozilla-release/rev/3b7261093ce0
https://hg.mozilla.org/releases/mozilla-esr60/rev/023133ff02ec

	Ryan VanderMeulen [:RyanVM] Assignee
	Comment 8 • 6 years ago

https://hg.mozilla.org/mozilla-central/rev/a1fb2da7388b

	Daniel Veditz [:dveditz] Reporter
	Comment 9 • 6 years ago

Google assigned CVE-2018-6153 to chromebug 850350. chromebug 862004 was fixed by 850350 and didn't get its own patch or cve.