[VIM] Two Firefox vulnerabilities from VUPEN and problems matching
Brian Martin
brian at opensecurityfoundation.org
Wed Dec 12 15:14:05 CST 2012
VUPEN announced two bugs in Mozilla Firefox. After discussion with Dan
Veditz at Mozilla, with input from CVE, we cannot be absolutely sure
these are new vulnerabilities. Dan has looked at comments from Chaouki
Bekrar of VUPEN (via Twitter) and made his best guess. This mail
outlines what we know, and what we believe. I am sharing it with the
list in case anyone has input, or VUPEN can clarify any more.

Mozilla Firefox "DocumentViewerImpl" Class Remote Use-After-Free
Vulnerability
http://seclists.org/bugtraq/2012/Nov/93
https://twitter.com/cBekrar/status/275520998374244353
https://twitter.com/cBekrar/status/275949289967087616

Dan did some digging and said that "the only patch to the file
containing the function mentioned --DocumentViewerImpl::Show()-- was for
bug 790856, an internally-found use-after-free involving that function.
We fixed the bug we found as part of CVE-2012-3982 which was announced
in http://www.mozilla.org/security/announce/2012/mfsa2012-74.html"

He also said the one big discrepancy was that the vulnerability was fixed
in Firefox 16, and VUPEN claims their bug affects Firefox before 17.
Between 16 and 17, no patches were committed related to the
DocumentViewer, certainly no security fixes. Based on that, he believes
this is the same bug but is awaiting any confirmation from VUPEN.

Bekrar cites CVE-2012-4217 for the DocumentViewerImpl use-after-free,
which we track as "nsViewManager::ProcessPendingUpdates() Function
Use-after-free" and affecting multiple products. Dan indicates that the
nsViewManager touched in that patch holds a reference to the
DocumentViewerImpl, but he would have to do more digging to verify that.
He also said that vulnerability was a Firefox 17 problem, whereas VUPEN's
original advisory says it affects the ESR branch too. This is the patch
in question:
https://hg.mozilla.org/releases/mozilla-beta/rev/c97fa88a0069

Mozilla Firefox "imgRequestProxy" Remote Use-After-Free Vulnerability
http://seclists.org/bugtraq/2012/Nov/109
https://twitter.com/cBekrar/status/275520998374244353
https://twitter.com/cBekrar/status/275949289967087616

Dan looked into this one as well, and thinks it may be bug 802168 which
fixed a use-after-free in imgRequestProxy in Firefox 17 and 10.0.11. He
followed up saying "We didn't hit the problem in the OnStopRequest()
method specifically but given the nature of the bug that could depend on
the PoC." If that is the same vulnerability, then it is covered by
CVE-2012-5842 in MFSA2012-91.

After Chaouki replied on Twitter, Dan doesn't think that CVE-2012-5829
is correct for the imgRequestProxy bug at all. He says that bug is
"Linux/Gtk only, and the stacks for that bug go nowhere near the image
library." He says that was patched in both releases as their advisory
says, making it seem like a good match. This is the relevant patch:
https://hg.mozilla.org/releases/mozilla-esr10/rev/53363548ad9b

VUPEN has the testcases and can try builds with only those patches to
verify if these are truly new vulnerabilities, or related to the
previously patched ones. Hopefully they can provide insight into this
matter.

Based on the two posts, CVE and OSVDB do not have enough actionable
details to warrant adding new entries to our databases. If VUPEN can
confirm these are new issues, we will of course add entries right away.
Brian
OSVDB / OSF