CVE 2013 2878
kayladavis edited this page Dec 18, 2016
| | |
|:----|:------|
| CVE_ID | CVE-2013-2878 |
| version_broken | |
| version_found | 27.0.1418.0 |
| version_fixed | 28.0.1500.71 |
| file/s | core/editing/TextIterator.cpp |
| subsystem | Core |
| code review ID | |
Google Chrome before 28.0.1500.71 allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the handling of text.
- Lack of out-of-bounds protection and input sanitization allows remote attackers to cause a denial of service with bad inputs.
- An incorrectly used ASSERT in Chromium causes a crash.
- The VCC's commit message states: "Added a test to ensure WebKit does not hit assertions in SimplifiedBackwardsTextIterator." This is where the vulnerability occurred.
| | |
|---|---|
| type/s | DoS, Overflow |
| coding mistakes | lack of input sanitization, buffer overflow protection |
| CWE-ID | 119 |
| Exploits | No Known |

| CVSS | |
|---|---|
| Overall | 5.0 |
| Confidentiality | None |
| Integrity | None |
| Availability | Partial |
| Access Complexity | Low |
| Authentication | None |
| Gained Access | None |
| | |
|---|---|
| commit_id | f158e3bb08fdbd04094cd2144c04a4d06336d0a7 |
| commit_date | 2011-08-18 |
| user_username | [email protected] |
| user_name | |
| user_role | WebKit team |
| | |
|---|---|
| issue_id | [177197](https://bugs.chromium.org/p/chromium/issues/detail?id=177197) |
| date | 2013-02-20 |
| user_username | [email protected] |
| user_name | Atte Kettunen |
| user_role | member of Oulu University Secure Programming Group (OUSPG), at least 31 issues reported since |
| metasploit | None |
| bounty | None |
| | |
|---|---|
| commit_id | 65997236c31ba75055031d6b3a1afdfcf61638d0 |
| commit_date | 2013-05-10 |
| user_username | [email protected] |
| user_name | Chris Evans |
| user_handle | Probably this guy: scarybeasts |
| user_role | Head of Project Zero, Chrome Security team - Mountain View, CA |
| method | change ASSERT -> RELEASE_ASSERT |
| files changed | 1 |
| lines of code | 1 |
| bounty | [employee] |
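The fix method recorded above, replacing a debug-only ASSERT with a RELEASE_ASSERT, shown in an added C++ sketch that is not Chromium or WebKit code: the BackwardsTextIterator struct, the assertion handler and the function names are simplified stand-ins for illustration, not Blink's own.

```cpp
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <stdexcept>
#include <string>

// Handler run when an always-on assertion fails; defaults to abort(), as a
// RELEASE_ASSERT does. releaseCheckRejects() swaps it out to observe failures.
static std::function<void(const char*)> g_assertionHandler = [](const char* expr) {
    std::fprintf(stderr, "RELEASE_ASSERT failed: %s\n", expr);
    std::abort();
};
// Debug-only check: compiles to nothing when NDEBUG is defined (release builds).
#ifdef NDEBUG
#define ASSERT(x) ((void)0)
#else
#define ASSERT(x) do { if (!(x)) g_assertionHandler(#x); } while (0)
#endif
// Always-on check: evaluated in every build, so a bad offset ends in a
// controlled crash instead of an out-of-bounds read.
#define RELEASE_ASSERT(x) do { if (!(x)) g_assertionHandler(#x); } while (0)
// Simplified stand-in (not Blink's class) for a backwards text iterator.
struct BackwardsTextIterator {
    std::string text;
    size_t offset;  // one past the character that will be read next
};
// 'Before' shape: the bounds check exists only in debug builds, so a release
// build handed an inconsistent offset reads past the end of the text.
char lastCharDebugChecked(const BackwardsTextIterator& it) {
    ASSERT(it.offset >= 1 && it.offset <= it.text.size());
    return it.text.data()[it.offset - 1];
}
// 'After' shape: the same condition is enforced in release builds as well.
char lastCharReleaseChecked(const BackwardsTextIterator& it) {
    RELEASE_ASSERT(it.offset >= 1 && it.offset <= it.text.size());
    return it.text.data()[it.offset - 1];
}
// True when the always-on check rejects a read at 'offset' on 'text'; the
// handler is temporarily replaced by one that throws instead of aborting.
bool releaseCheckRejects(const std::string& text, size_t offset) {
    auto saved = g_assertionHandler;
    g_assertionHandler = [](const char* expr) { throw std::runtime_error(expr); };
    bool rejected = false;
    try { lastCharReleaseChecked(BackwardsTextIterator{text, offset}); }
    catch (const std::runtime_error&) { rejected = true; }
    g_assertionHandler = saved;
    return rejected;
}
```

Built with NDEBUG, lastCharDebugChecked() silently reads out of bounds on a bad offset, while lastCharReleaseChecked() still aborts; that one-line change is what turned a memory-safety bug into a deterministic crash.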
No mention of whether it was found by a fuzzer, but Chromium ran a fuzzer to get a detailed report of the problem after it was reported.
| | |
|---|---|
| testing_general | Fuzzers |
| testing_specific | Fuzzer 'Inferno_twister' used by Chromium devs |
| unit_testing | LayoutTests had a new test added to test SimplifiedBackwardsTextIterator, which is probably run before code is deployed |
- No code review was attached to the introduction commit message, just "Reviewed by Darin Adler".
- Review URLs were not attached until April 24th, 2013.
- Some of the changes to the code in between involved fixing bugs to avoid an uninitialized read, regression fixes, and performance enhancements.
- Nearly all of the commits with reviews attached referred to "Absolutify paths to [something]" or cleaning up unused code.
- [Interesting things Chromium Security was doing around the time of the fix](http://dev.chromium.org/Home/chromium-security/quarterly-updates#TOC-Q2-2013)