Bug#670586: iceweasel:[regression 3.5.16-13 > 14] JavaScript SIGSEGV

Steven Chamberlain Tue, 08 May 2012 14:42:43 -0700

retitle 670586 iceweasel: [regression 3.5.16-13 > 14] JavaScript SIGSEGV
tags 670586 + squeeze security
reassign 670586 src:iceweasel
fixed 670586 iceweasel/3.5.16-13
found 670586 iceweasel/3.5.16-14
thanks


Hi,

I separately observed this crash, triggered reproducibly on the eBay
website, and realised my issue is the same as the submitter of #670586.

I can confirm this is a regression introduced in the 3.5.16-14 security
update as this is not reproducible in 3.5.16-13.  I tested from a clean
user home (new UNIX user with no ~/.mozilla/) and with -safe-mode enabled.

I'm CC'ing the security team in the hope they could please look into
this.  The severity of this may also want upgrading.


This is most easily reproducible at the below URI given by manuel, by
simply waiting for the page to load (the 'user/email' field will be
given keyboard focus) and pressing 'enter'.  I think the keypress has a
JavaScript handler which triggers the crash.

https://www.taringa.net/login?redirect=%2F


I also saw this when logged into eBay.  After sign-in (for a UK user at
least), the next page 'My eBay Summary' shows the first 10 items on my
Watch List.  I click the '2' at the foot of that list to go to the next
page, but that triggers the crash.  Again this is JavaScript functionality.


It is also sufficient to do a 'complete' page save to a local HTML file
(this also creates a directory of page objects), quit, and open that
local copy from a new iceweasel instance.


I was able to obtain this (incomplete) backtrace from a core dump:

> (gdb) bt
> #0  0x00007f65008c0ebb in raise (sig=<value optimized out>) at 
> ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:41
> #1  0x00007f64fef2ea94 in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #2  <signal handler called>
> #3  0x00007f64ff6f11f9 in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #4  0x00007f64ff33e4dd in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #5  0x00007f64ff33ec1e in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #6  0x00007f64ff33f2ed in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #7  0x00007f64ff707305 in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #8  0x00007f64ff6dd49d in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #9  0x00007f64ff660171 in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #10 0x00007f64ff538794 in ?? () from /usr/lib/xulrunner-1.9.1/libxul.so
> #11 0x00007f64fef293f7 in XRE_main () from /usr/lib/xulrunner-1.9.1/libxul.so
> #12 0x000000000040246d in ?? ()
> #13 0x00007f650056ec8d in __libc_start_main (main=<value optimized out>, 
> argc=<value optimized out>, ubp_av=<value optimized out>, init=<value 
> optimized out>, 
>     fini=<value optimized out>, rtld_fini=<value optimized out>, 
> stack_end=0x7fff5cb73828) at libc-start.c:228
> #14 0x0000000000401cb9 in ?? ()
> #15 0x00007fff5cb73828 in ?? ()
> #16 0x000000000000001c in ?? ()
> #17 0x0000000000000003 in ?? ()
> #18 0x00007fff5cb7441a in ?? ()
> #19 0x00007fff5cb74444 in ?? ()
> #20 0x0000000000000000 in ?? ()

Thanks.

-- Package-specific info:

-- Extensions information
Name: DOM Inspector
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]
Package: xul-ext-dom-inspector
Status: enabled

Name: Default
Location:
/usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: NoScript
Location:
/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{73a6fe31-595d-460b-a920-fcc0f8843232}
Package: xul-ext-noscript
Status: enabled

-- Plugins information

-- Addons package information
ii  xul-ext-dom-in 1:2.0.4-2      tool for inspecting the DOM of pages
in Icew
ii  xul-ext-noscri 1.9.9.69-1     Javascript/plugins permissions manager
for I

-- System Information:
Debian Release: 6.0.4
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5+dsdt1-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils            3.4               Miscellaneous utilities
specific t
ii  fontconfig             2.8.0-2.1         generic font configuration
library
ii  libc6                  2.11.3-3          Embedded GNU C Library:
Shared lib
ii  libglib2.0-0           2.24.2-1          The GLib library of C routines
ii  libgtk2.0-0            2.20.1-2          The GTK+ graphical user
interface
ii  libnspr4-0d            4.8.6-1           NetScape Portable Runtime
Library
ii  libstdc++6             4.4.5-8           The GNU Standard C++ Library v3
ii  procps                 1:3.2.8-9squeeze1 /proc file system utilities
hi  xulrunner-1.9.1        1.9.1.16-14       XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime
libraries - k
pn  mozplugger          <none>               (no description available)
ii  ttf-lyx             1.6.7-1              TrueType versions of some
TeX font
pn  ttf-mathematica4.1  <none>               (no description available)
ii  xfonts-mathml       4                    Type1 Symbol font for MathML
pn  xprint              <none>               (no description available)

Versions of packages xulrunner-1.9.1 depends on:
ii  libasound2            1.0.23-2.1         shared library for ALSA
applicatio
ii  libatk1.0-0           1.30.0-1           The ATK accessibility toolkit
ii  libbz2-1.0            1.0.5-6+squeeze1   high-quality block-sorting
file co
ii  libc6                 2.11.3-3           Embedded GNU C Library:
Shared lib
ii  libcairo2             1.10.2-1.1~bpo60+1 The Cairo 2D vector
graphics libra
ii  libdbus-1-3           1.2.24-4+squeeze1  simple interprocess
messaging syst
ii  libfontconfig1        2.8.0-2.1          generic font configuration
library
ii  libfreetype6          2.4.2-2.1+squeeze4 FreeType 2 font engine,
shared lib
ii  libgcc1               1:4.4.5-8          GCC support library
ii  libglib2.0-0          2.24.2-1           The GLib library of C routines
ii  libgtk2.0-0           2.20.1-2           The GTK+ graphical user
interface
ii  libhunspell-1.2-0     1.2.11-1           spell checker and
morphological an
ii  libjpeg62             6b1-1              The Independent JPEG
Group's JPEG
hi  libmozjs2d            1.9.1.16-14        The Mozilla SpiderMonkey
JavaScrip
ii  libnspr4-0d           4.8.6-1            NetScape Portable Runtime
Library
ii  libnss3-1d            3.13.3-1~bpo60+1   Network Security Service
libraries
ii  libpango1.0-0         1.28.3-1+squeeze2  Layout and rendering of
internatio
ii  libpng12-0            1.2.44-1+squeeze4  PNG library - runtime
ii  libreadline6          6.1-3              GNU readline and history
libraries
ii  libsqlite3-0          3.7.11-2           SQLite 3 shared library
ii  libstartup-notificati 0.10-1             library for program launch
feedbac
ii  libstdc++6            4.4.5-8            The GNU Standard C++ Library v3
ii  libx11-6              2:1.3.3-4          X11 client-side library
ii  libxrender1           1:0.9.6-1          X Rendering Extension
client libra
ii  libxt6                1:1.0.7-1          X11 toolkit intrinsics library
ii  zlib1g                1:1.2.3.4.dfsg-3   compression library - runtime

-- no debconf information

-- 
Steven Chamberlain
[email protected]



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Bug#670586: iceweasel:[regression 3.5.16-13 > 14] JavaScript SIGSEGV

Reply via email to