Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-18 Thread Sebastian Dröge
On So, 2014-11-16 at 16:20 -0800, James Galizio wrote:
 On Sun, 16 Nov 2014 13:04:27 +0100 Yves-Alexis Perez cor...@debian.org
 wrote:
  On dim., 2014-11-16 at 10:48 +0100, Sebastian Dröge wrote:
   On Sa, 2014-11-15 at 12:01 -0800, James Galizio wrote:
    Also; just ran iceweasel through the terminal and recreated the steps to
    the crash. Terminal output below.
    [...]
    Segmentation fault
    
    That last line makes me believe that this isn't fixed yet; and in any case,
    having the browser crash is still a bug, no?
  
   [Also CC'ing Yves-Alexis who reported the other bug]
  
   Definitely, yes. The patch from the other bug is applied, which is
   supposed to be the fix for the CVE though. Unfortunately the only
   reference to the fix that I can find is in the Debian bug report as the
   Mozilla Bugzilla Bug is still non-public. Maybe there are more related
   changes that were forgotten?
  
   Do you know anything about that? :)
  
   Also, can you get a backtrace of the segfault to see where exactly it
   comes from?
 
  And are you sure packages for that “crunchbang GNU/Linux” are really
  identical to the Debian ones?
  --
  Yves-Alexis
 
 Crunchbang has a separate repo for Crunchbang specific packages; but shares
 the vast majority of its packages (99%, including all major system
 libraries) with debian mainline. It uses the official debian repos. When I
 said I was using the latest version of iceweasel from the experimental
 branch, I meant it.
 
 Also; apologies for not recording the error through gdb. Here's the log
 that should have been posted; I have a longer version of it if need be, but
 this seems to be the portion that is relevant to the current issue.
 [...]

Are you using libvpx 1.3.0-3 from Debian too or is it a Crunchbang
specific package?

The backtrace is relatively useless unfortunately, the memory corruption
has happened before that already. Can you reproduce the problem when
running in valgrind? Please don't forget to install valgrind-dbg and
also relevant other debug packages, then set G_SLICE=always-malloc in
the environment and run valgrind with --track-origins=yes and
--trace-children=yes and paste the log here.



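Sebastian's request above (G_SLICE=always-malloc, valgrind with --track-origins=yes and --trace-children=yes), as an added shell example that is not part of the bug thread: it builds that command line and triages the resulting log by reporting the first error valgrind prints, since once memory is corrupted the later reports are usually consequences rather than the cause. The binary name iceweasel, the --log-file destination and the sample log are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread: run the browser under valgrind as
# requested in the thread and pull the first reported error out of the log.

# Command line for the run. Assumes the browser starts as "iceweasel" and
# that the log is written to $1 with valgrind's --log-file option.
valgrind_cmdline() {
    printf 'G_SLICE=always-malloc valgrind --track-origins=yes --trace-children=yes --log-file=%s iceweasel\n' "$1"
}

# Print the first error valgrind reports in log file $1, without the
# "==PID== " prefix. With memory corruption the first error is the one to
# read; later ones are usually consequences of it.
first_error() {
    awk '
        { sub(/^==[0-9]+== ?/, "") }
        /^(Invalid (read|write)|Conditional jump|Use of uninitialised|Jump to the invalid|Invalid free|Mismatched free)/ { print; exit }
    ' "$1"
}

# Count out-of-bounds or freed-memory accesses ("Invalid read/write"), the
# errors that point directly at memory corruption.
invalid_access_count() {
    grep -c -E '^==[0-9]+== Invalid (read|write) of size' "$1"
}

# Constructed sample log (not output from the actual bug) so the functions
# can be exercised without running valgrind.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
==4242== Memcheck, a memory error detector
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x1000: decode_frame (example.c:10)
==4242==  Uninitialised value was created by a heap allocation
==4242== Invalid write of size 4
==4242==    at 0x2000: fill_row (example.c:42)
==4242==  Address 0x5a0 is 0 bytes after a block of size 64 alloc'd
==4242== Invalid read of size 4
==4242==    at 0x3000: copy_row (example.c:57)
EOF

# Triage the log named on the command line, or the sample when none is given.
first_error "${1:-$SAMPLE_LOG}"
```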

Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-16 Thread Sebastian Dröge
On Sa, 2014-11-15 at 12:01 -0800, James Galizio wrote:
 Also; just ran iceweasel through the terminal and recreated the steps to
 the crash. Terminal output below.
 [...]
 Segmentation fault
 
 That last line makes me believe that this isn't fixed yet; and in any case,
 having the browser crash is still a bug, no?

[Also CC'ing Yves-Alexis who reported the other bug]

Definitely, yes. The patch from the other bug is applied, which is
supposed to be the fix for the CVE though. Unfortunately the only
reference to the fix that I can find is in the Debian bug report as the
Mozilla Bugzilla Bug is still non-public. Maybe there are more related
changes that were forgotten?

Do you know anything about that? :)

Also, can you get a backtrace of the segfault to see where exactly it
comes from?




Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-16 Thread Yves-Alexis Perez
On dim., 2014-11-16 at 10:48 +0100, Sebastian Dröge wrote:
 On Sa, 2014-11-15 at 12:01 -0800, James Galizio wrote:
  Also; just ran iceweasel through the terminal and recreated the steps to
  the crash. Terminal output below.
  [...]
  Segmentation fault
  
  That last line makes me believe that this isn't fixed yet; and in any case,
  having the browser crash is still a bug, no?
 
 [Also CC'ing Yves-Alexis who reported the other bug]
 
 Definitely, yes. The patch from the other bug is applied, which is
 supposed to be the fix for the CVE though. Unfortunately the only
 reference to the fix that I can find is in the Debian bug report as the
 Mozilla Bugzilla Bug is still non-public. Maybe there are more related
 changes that were forgotten?
 
 Do you know anything about that? :)
 
 Also, can you get a backtrace of the segfault to see where exactly it
 comes from?

And are you sure packages for that “crunchbang GNU/Linux” are really
identical to the Debian ones?
-- 
Yves-Alexis




Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-16 Thread James Galizio
On Sun, 16 Nov 2014 13:04:27 +0100 Yves-Alexis Perez cor...@debian.org
wrote:
 On dim., 2014-11-16 at 10:48 +0100, Sebastian Dröge wrote:
  On Sa, 2014-11-15 at 12:01 -0800, James Galizio wrote:
   Also; just ran iceweasel through the terminal and recreated the steps to
   the crash. Terminal output below.
   [...]
   Segmentation fault
  
   That last line makes me believe that this isn't fixed yet; and in any case,
   having the browser crash is still a bug, no?
 
  [Also CC'ing Yves-Alexis who reported the other bug]
 
  Definitely, yes. The patch from the other bug is applied, which is
  supposed to be the fix for the CVE though. Unfortunately the only
  reference to the fix that I can find is in the Debian bug report as the
  Mozilla Bugzilla Bug is still non-public. Maybe there are more related
  changes that were forgotten?
 
  Do you know anything about that? :)
 
  Also, can you get a backtrace of the segfault to see where exactly it
  comes from?

 And are you sure packages for that “crunchbang GNU/Linux” are really
 identical to the Debian ones?
 --
 Yves-Alexis

Crunchbang has a separate repo for Crunchbang specific packages; but shares
the vast majority of its packages (99%, including all major system
libraries) with debian mainline. It uses the official debian repos. When I
said I was using the latest version of iceweasel from the experimental
branch, I meant it.

Also; apologies for not recording the error through gdb. Here's the log
that should have been posted; I have a longer version of it if need be, but
this seems to be the portion that is relevant to the current issue.

[New Thread 0x7fffbcdff700 (LWP 13614)]
[New Thread 0x7fffbc5fe700 (LWP 13615)]
[New Thread 0x7fffbbdfd700 (LWP 13616)]
[New Thread 0x7fffbb3ff700 (LWP 13617)]
[Thread 0x7fffbc5fe700 (LWP 13615) exited]
[Thread 0x7fffd03ff700 (LWP 13597) exited]
[New Thread 0x7fffba7ff700 (LWP 13618)]
[New Thread 0x7fffbc5fe700 (LWP 13619)]
[New Thread 0x7fffd03ff700 (LWP 13620)]
Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve
property `GtkRange::activate-slider' of type `gboolean' from rc file value
((GString*) 0x7fffda1f9660) of type `GString'
Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve
property `GtkRange::activate-slider' of type `gboolean' from rc file value
((GString*) 0x7fffda1f9660) of type `GString'
[New Thread 0x7fffb03ff700 (LWP 13621)]
[New Thread 0x7fffaeeff700 (LWP 13622)]
[New Thread 0x7fffab3ff700 (LWP 13623)]
[New Thread 0x7fffd198d700 (LWP 13624)]
[New Thread 0x7fffd196c700 (LWP 13625)]
[New Thread 0x7fffce93c700 (LWP 13626)]
[New Thread 0x7fffcde60700 (LWP 13627)]
[New Thread 0x7fffc88bb700 (LWP 13628)]
[New Thread 0x7fffc889a700 (LWP 13629)]
[New Thread 0x7fffaa4ff700 (LWP 13630)]
[New Thread 0x7fffa8d76700 (LWP 13631)]
out of memory: 0x bytes requested

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffce93c700 (LWP 13626)]
0x769ff3da in mozalloc_abort(char const*) ()
   from /usr/lib/iceweasel/libmozalloc.so

(sorry for responding directly to your email address; this is my first time
reporting a bug on debian, so please bear with me - I'm trying to learn!)


Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-15 Thread James Galizio
On Sat, 15 Nov 2014 11:38:10 +0100 Sebastian Dröge
sl...@debian.org wrote:
 fixed 769624 1.3.0-3
 merge 765435 769624
 thanks


 Thanks for reporting this bug; it is already fixed since 1.3.0-3. See:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765435

I'm still getting the tell-tale iceweasel crashes on my end; libvpx and
iceweasel are the latest versions.

Sure it's fixed?


Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-15 Thread James Galizio
Also; just ran iceweasel through the terminal and recreated the steps to
the crash. Terminal output below.

(process:10442): GLib-CRITICAL **: g_slice_set_config: assertion
'sys_page_size == 0' failed
console.error: user-agent-quick-switch:
  DEPRECATED: The widget module is deprecated.  Please consider using the
sdk/ui module instead.
Traceback (most recent call last):
  File resource://gre/modules/services-sync/service.js, line 1595, in null
Service.onStartup();
  File resource://gre/modules/services-sync/service.js, line 318, in
onStartup
if (!Status || !Status._authManager) {
  File resource://services-sync/status.js, line 36, in
this.Status._authManager
cb.wait();
  File resource://services-common/async.js, line 145, in
makeSpinningCallback/callback.wait
callback.wait = function() Async.waitForSyncCallback(cb);
  File resource://services-common/async.js, line 102, in
waitForSyncCallback
thread.processNextEvent(true);
  File resource://gre/modules/Promise-backend.js, line 745, in
this.PromiseWalker.walkerLoop
this.handlers.shift().process();
  File resource://gre/modules/Promise-backend.js, line 866, in
Handler.prototype.process
nextValue = this.onResolve.call(undefined, nextValue);
  File resource://gre/modules/commonjs/sdk/addon/runner.js, line 115, in
startup/
run(options);
  File resource://gre/modules/commonjs/sdk/addon/runner.js, line 172, in
run
let program = main(options.loader, options.main);
  File resource://gre/modules/commonjs/toolkit/loader.js, line 659, in
main
return loader.load(loader, module).exports;
  File resource://gre/modules/commonjs/sdk/loader/cuddlefish.js, line
129, in CuddlefishLoader/options.load
result = load(loader, module);
  File resource://gre/modules/commonjs/toolkit/loader.js, line 313, in
load
evaluate(sandbox, module.uri);
  File resource://gre/modules/commonjs/toolkit/loader.js, line 262, in
evaluate
: loadSubScript(uri, sandbox, encoding);
  File
resource://jid0-62jr3sq6mhtlknusea92dfyvgcs-at-jetpack/user-agent-quick-switch/lib/main.js,
line 4, in null
var widget = require(widget);
  File resource://gre/modules/commonjs/toolkit/loader.js, line 633, in
require
freeze(load(loader, module));
  File resource://gre/modules/commonjs/sdk/loader/cuddlefish.js, line
129, in CuddlefishLoader/options.load
result = load(loader, module);
  File resource://gre/modules/commonjs/toolkit/loader.js, line 313, in
load
evaluate(sandbox, module.uri);
  File resource://gre/modules/commonjs/toolkit/loader.js, line 262, in
evaluate
: loadSubScript(uri, sandbox, encoding);
  File resource://gre/modules/commonjs/sdk/widget.js, line 59, in null
require(./util/deprecate).deprecateUsage(
  File resource://gre/modules/commonjs/sdk/util/deprecate.js, line 18, in
deprecateUsage
let stack = get().slice(2);
Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve
property `GtkRange::activate-slider' of type `gboolean' from rc file value
((GString*) 0x7f2064a14b00) of type `GString'
out of memory: 0x bytes requested
Segmentation fault

That last line makes me believe that this isn't fixed yet; and in any case,
having the browser crash is still a bug, no?

On Sat, Nov 15, 2014 at 11:48 AM, James Galizio jgsww...@gmail.com wrote:

 On Sat, 15 Nov 2014 11:38:10 +0100 Sebastian Dröge
 sl...@debian.org wrote:
  fixed 769624 1.3.0-3
  merge 765435 769624
  thanks
 
 
  Thanks for reporting this bug; it is already fixed since 1.3.0-3. See:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765435

 I'm still getting the tell-tale iceweasel crashes on my end; libvpx and
 iceweasel are the latest versions.

 Sure it's fixed?



Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-15 Thread Sebastian Dröge
fixed 769624 1.3.0-3
merge 765435 769624
thanks


Thanks for reporting this bug; it is already fixed since 1.3.0-3. See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765435




Bug#769624: Major Security Flaw when viewing WebM videos.

2014-11-14 Thread James Galizio
Package: Iceweasel
Version: 33.1-1

Identical bug to the one reported at
https://www.mozilla.org/security/advisories/mfsa2014-77/

Viewing certain WebMs will cause a buffer overflow; it's probably
important this gets fixed ASAP.

There is already a fix on Mozilla's end; so you might want to look
there for the solution.

I'm running CrunchBang GNU/Linux 3.16-2-amd64, though this bug is
present on all platforms so this really doesn't matter.