Bug 1498482
Opened 6 years ago
Closed 6 years ago
stack buffer overflow in SkAlphaRuns::Break
Categories
(Core :: Graphics, defect)
Tracking
RESOLVED
FIXED
mozilla64
People
(Reporter: dveditz, Assigned: RyanVM)
References
Details
(Keywords: csectype-bounds, sec-high, Whiteboard: [adv-main63+][adv-esr60.3+][Google CVE-2018-6153])
Attachments
(1 file)
4.32 KB, patch
rhunt: review+
abillings: approval-mozilla-release+
abillings: approval-mozilla-esr60+
abillings: sec-approval+
Looks like we may need the patch from https://bugs.chromium.org/p/chromium/issues/detail?id=850350 to fix a static buffer overflow found by fuzzing in Chrome. The fix was shipped with Chrome 68 and assigned CVE-2018-6153. It was demonstrated to affect m67; no regressor was identified so it might affect the m66 branch we're using. There were two patches taken (plus a test patch). Only the second one appears to have been merged to the m68 branch:
https://skia.googlesource.com/skia/+/1e259cda4fb7f12e98dd611bd651f40ebef2d14a
https://skia.googlesource.com/skia/+/73be50da2a1fe8944f2623a511fda1957eed708a
Comment 1 • 6 years ago (Reporter)
A stack buffer UNDERflow in this function was reported as https://bugs.chromium.org/p/chromium/issues/detail?id=862004 but this was determined to have been fixed by the same patches. Not sure why it wasn't duped but was instead marked fixed.
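The two Chromium reports referenced above describe an overflow and an underflow of the same run-splitting routine, SkAlphaRuns::Break, both resolved by the same upstream patches. The bug itself records no details of the mechanics, so the following is an added illustration rather than Skia's code or the upstream fix: a simplified alpha-run model in the style of SkAlphaRuns, where run lengths and coverage live in fixed-size arrays indexed by pixel position, and a request to break the runs at [x, x+count) is validated against the width before the split walks those arrays. The type and function names (alpha_runs, runs_break, runs_check, MAX_WIDTH) and the exact form of the check are assumptions made for this example.

```c
/* Added illustration, not Skia's code: a simplified alpha-run model in the
 * spirit of SkAlphaRuns. runs[i] holds the length of the run that starts at
 * pixel i (entries inside a run are unused); alpha[i] holds that run's
 * coverage; runs[width] == 0 terminates the list. All names and the span
 * check in runs_break() are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_WIDTH 32   /* fixed capacity, as a stack-allocated run buffer would have */

typedef struct {
    int16_t runs[MAX_WIDTH + 1];
    uint8_t alpha[MAX_WIDTH + 1];
    int     width;
} alpha_runs;

/* One run spanning the whole width at coverage a. Returns -1 if width does not fit. */
static int runs_reset(alpha_runs *r, int width, uint8_t a) {
    if (width <= 0 || width > MAX_WIDTH) return -1;
    memset(r, 0, sizeof *r);
    r->width = width;
    r->runs[0] = (int16_t)width;
    r->alpha[0] = a;
    return 0;
}

/* Put a run boundary at pixel pos. Precondition: 0 < pos < width, so the walk
 * below stays inside the arrays and never reaches the 0 terminator. */
static void split_at(alpha_runs *r, int pos) {
    int start = 0;
    while (start + r->runs[start] <= pos)          /* advance to the run containing pos */
        start += r->runs[start];
    if (start == pos) return;                      /* boundary already present */
    int n = r->runs[start];
    r->runs[start] = (int16_t)(pos - start);       /* left piece keeps its start */
    r->runs[pos]   = (int16_t)(n - (pos - start)); /* right piece starts at pos */
    r->alpha[pos]  = r->alpha[start];              /* both pieces keep the old coverage */
}

/* Make sure run boundaries exist at x and x + count. Returns 0, or -1 when the
 * span [x, x + count) does not lie inside [0, width]: the check that keeps
 * split_at() from indexing before the start or past the end of the arrays. */
static int runs_break(alpha_runs *r, int x, int count) {
    if (x < 0 || count <= 0 || x > r->width - count)  /* x + count > width, without overflow */
        return -1;
    if (x > 0)                split_at(r, x);
    if (x + count < r->width) split_at(r, x + count);
    return 0;
}

/* Add coverage a to every run inside [x, x + count), saturating at 255. */
static int runs_add(alpha_runs *r, int x, int count, uint8_t a) {
    if (runs_break(r, x, count) != 0) return -1;
    for (int i = x; i < x + count; i += r->runs[i]) {  /* x and x+count are run starts now */
        unsigned v = (unsigned)r->alpha[i] + a;
        r->alpha[i] = (uint8_t)(v > 255 ? 255 : v);
    }
    return 0;
}

/* Verify the invariant (positive lengths summing exactly to width, then the 0
 * terminator). Returns the number of runs, or -1 if the structure is corrupt. */
static int runs_check(const alpha_runs *r) {
    int i = 0, n = 0;
    while (i < r->width) {
        if (r->runs[i] <= 0 || i + r->runs[i] > r->width) return -1;
        i += r->runs[i];
        n++;
    }
    return r->runs[r->width] == 0 ? n : -1;
}

/* Copy (length, coverage) pairs into lens[]/alphas[] for inspection; returns run count. */
static int runs_dump(const alpha_runs *r, int lens[], uint8_t alphas[]) {
    int i = 0, n = 0;
    while (i < r->width) {
        if (r->runs[i] <= 0) break;                /* refuse to spin on a corrupt list */
        lens[n] = r->runs[i];
        alphas[n] = r->alpha[i];
        i += r->runs[i];
        n++;
    }
    return n;
}

int main(void) {
    alpha_runs r;
    int lens[MAX_WIDTH];
    uint8_t al[MAX_WIDTH];
    runs_reset(&r, 10, 0x00);
    runs_add(&r, 3, 4, 0x80);                      /* splits 10 -> 3,4,3 and shades the middle run */
    int n = runs_dump(&r, lens, al);
    for (int k = 0; k < n; k++) printf("len=%d alpha=0x%02x\n", lens[k], (unsigned)al[k]);
    /* A span reaching past the width is refused instead of being written past the arrays. */
    printf("span [8,13) on width 10: %s\n", runs_add(&r, 8, 5, 0xff) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the model is the precondition on split_at(): once the caller has established 0 < pos < width, the walk cannot step below index 0 or onto the terminator, so the split writes only inside the arrays. Without the range check in runs_break(), a span that starts at a negative x or extends past the width would walk the same loop off either end of the buffer, which is the class of defect the bug title and Comment 1 name.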
Comment 2 • 6 years ago (Assignee)
AFAICT, this affects all of our supported releases.
status-firefox62:
--- → wontfix
status-firefox63:
--- → affected
status-firefox64:
--- → affected
status-firefox-esr60:
--- → affected
tracking-firefox63:
--- → +
tracking-firefox64:
--- → +
tracking-firefox-esr60:
--- → 63+
Comment 3 • 6 years ago (Assignee)
Green on Try.
64: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=c1705a90f47141dea9d3bee7ab2b544669d411ef
63: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=6771c38d533b19ac36d7833ac612508b876155ea
ESR60: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=1a994860ea0c9fc0afd8b5ed0becb68647a1c819
Assignee: nobody → ryanvm
Attachment #9017302 -
Flags: review?(lsalzman)
Updated • 6 years ago
Attachment #9017302 -
Flags: review?(lsalzman) → review+
Comment 4 • 6 years ago (Assignee)
Comment on attachment 9017302 [details] [diff] [review]
Backport the upstream patches

[Security Approval Request]
How easily could an exploit be constructed based on the patch?: No clue, but the upstream commit is public knowledge.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: All
If not all supported branches, which bug introduced the flaw?: N/A
Do you have backports for the affected branches?: Yes
If not, how different, hard to create, and risky will they be?: N/A
How likely is this patch to cause regressions; how much testing does it need?: Green on Try, not sure what more we can realistically do.

[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: None
User impact if declined:
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: Yes
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String changes made/needed:

[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined:
Fix Landed on Version:
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String or UUID changes made by this patch:
Attachment #9017302 -
Flags: sec-approval?
Attachment #9017302 -
Flags: approval-mozilla-release?
Attachment #9017302 -
Flags: approval-mozilla-esr60?
Comment 5 • 6 years ago
Comment on attachment 9017302 [details] [diff] [review]
Backport the upstream patches

Approvals given.
Attachment #9017302 -
Flags: sec-approval?
Attachment #9017302 -
Flags: sec-approval+
Attachment #9017302 -
Flags: approval-mozilla-release?
Attachment #9017302 -
Flags: approval-mozilla-release+
Attachment #9017302 -
Flags: approval-mozilla-esr60?
Attachment #9017302 -
Flags: approval-mozilla-esr60+
Comment 6 • 6 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/a1fb2da7388b
Comment 7 • 6 years ago (Assignee)
uplift
https://hg.mozilla.org/releases/mozilla-release/rev/3b7261093ce0
https://hg.mozilla.org/releases/mozilla-esr60/rev/023133ff02ec
Comment 8 • 6 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/a1fb2da7388b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated • 6 years ago (Assignee)
Group: gfx-core-security → core-security-release
Updated • 6 years ago
Whiteboard: [adv-main63+][adv-esr60.3+]
Comment 9 • 6 years ago (Reporter)
Google assigned CVE-2018-6153 to chromebug 850350. chromebug 862004 was fixed by 850350 and didn't get its own patch or cve.
Whiteboard: [adv-main63+][adv-esr60.3+] → [adv-main63+][adv-esr60.3+][Google CVE-2018-6153]
Updated • 5 years ago (Reporter)
Group: core-security-release