Use-after-free in FilePicker
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Oxide | Fix Released | High | Olivier Tilloy |
1.6 | Fix Released | High | Olivier Tilloy |
oxide-qt (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
The oxide::FilePicker class contains a pointer to the RenderViewHost that the picker is associated with. It is also a WebContentsObserver and implements WebContentsObse
However, unless I've missed something, it doesn't look like it calls WebContentsObse
The consequence of this is that the RenderViewHost can be deleted (e.g., by a process swap on navigation), leaving FilePicker with a dangling pointer, which results in a potentially exploitable use-after-free.
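The lifetime hazard described above, reduced to a self-contained model. This is an added example, not Oxide or Chromium code: `RenderViewHost`, `WebContents` and `WebContentsObserver` here are small stand-ins that keep only the one hook the bug is about (an observer callback fired when the RenderViewHost is destroyed), and `SwapProcess()` is an assumed stand-in for a cross-process navigation. `VulnerableFilePicker` caches the host pointer and observes the WebContents but ignores the deletion callback, so its pointer dangles after the swap; `FixedFilePicker` clears the pointer in the callback and refuses to use it afterwards.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for the object owned by WebContents that is destroyed and
// replaced on a cross-process navigation (assumed model, not Chromium's).
class RenderViewHost {
 public:
  explicit RenderViewHost(int pid) : pid_(pid) {}
  int process_id() const { return pid_; }
 private:
  int pid_;
};

// Stand-in observer interface; only the deletion hook is modelled.
class WebContentsObserver {
 public:
  virtual ~WebContentsObserver() = default;
  virtual void RenderViewHostDeleted(RenderViewHost* /*rvh*/) {}
};

class WebContents {
 public:
  WebContents() : rvh_(std::make_unique<RenderViewHost>(100)) {}
  RenderViewHost* current_rvh() const { return rvh_.get(); }
  void AddObserver(WebContentsObserver* o) { observers_.push_back(o); }
  // Assumed model of a process swap: observers are told the old host is
  // going away, then it is freed and a new one takes over.
  void SwapProcess(int new_pid) {
    RenderViewHost* old = rvh_.get();
    for (WebContentsObserver* o : observers_) o->RenderViewHostDeleted(old);
    rvh_ = std::make_unique<RenderViewHost>(new_pid);  // frees 'old'
  }
 private:
  std::unique_ptr<RenderViewHost> rvh_;
  std::vector<WebContentsObserver*> observers_;
};

// Vulnerable shape: caches the host pointer and observes the WebContents,
// but never reacts to the host being deleted. After SwapProcess() rvh_
// still holds the freed address.
class VulnerableFilePicker : public WebContentsObserver {
 public:
  explicit VulnerableFilePicker(WebContents* wc) : rvh_(wc->current_rvh()) {
    wc->AddObserver(this);
  }
  bool HasHost() const { return rvh_ != nullptr; }
  // Delivering the chosen files would dereference rvh_ here: after a swap
  // that read is the use-after-free, so never call this on a stale picker.
  int SelectedProcess() const { return rvh_ ? rvh_->process_id() : -1; }
 private:
  RenderViewHost* rvh_;
};

// Fixed shape: drop the reference in the deletion callback and treat a
// null host as "picker cancelled" instead of touching freed memory.
class FixedFilePicker : public WebContentsObserver {
 public:
  explicit FixedFilePicker(WebContents* wc) : rvh_(wc->current_rvh()) {
    wc->AddObserver(this);
  }
  void RenderViewHostDeleted(RenderViewHost* rvh) override {
    if (rvh == rvh_) rvh_ = nullptr;  // clear before the pointer goes stale
  }
  bool HasHost() const { return rvh_ != nullptr; }
  int SelectedProcess() const { return rvh_ ? rvh_->process_id() : -1; }
 private:
  RenderViewHost* rvh_;
};

struct Outcome {
  bool vulnerable_still_holds_pointer;
  bool fixed_still_holds_pointer;
  int fixed_result;  // -1 means the picker noticed the host is gone
};

// Create both pickers against the same WebContents, swap the process, and
// report what each picker believes afterwards. Only the fixed picker's
// SelectedProcess() is called: the vulnerable one would read freed memory.
Outcome RunScenario() {
  WebContents wc;
  VulnerableFilePicker vulnerable(&wc);
  FixedFilePicker fixed(&wc);
  wc.SwapProcess(200);
  return {vulnerable.HasHost(), fixed.HasHost(), fixed.SelectedProcess()};
}

int main() {
  Outcome o = RunScenario();
  std::printf("vulnerable picker still holds pointer after swap: %s\n",
              o.vulnerable_still_holds_pointer ? "yes (dangling)" : "no");
  std::printf("fixed picker still holds pointer after swap: %s\n",
              o.fixed_still_holds_pointer ? "yes" : "no");
  std::printf("fixed picker result: %d\n", o.fixed_result);
  return 0;
}
```

Building with `-fsanitize=address` and calling `SelectedProcess()` on the vulnerable picker after the swap is the quickest way to see the heap-use-after-free report; the fixed picker takes the null path and returns -1 instead.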
CVE References
CVE-2015-1321
Changed in oxide:
importance: Undecided → High
status: New → Triaged
Changed in oxide:
assignee: nobody → Olivier Tilloy (osomon)
Changed in oxide:
status: Triaged → In Progress
Changed in oxide:
milestone: none → branch-1.7
Changed in oxide:
status: In Progress → Fix Released
Changed in oxide-qt (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in oxide-qt (Ubuntu):
status: Triaged → Fix Released
information type: Private Security → Public Security
This is CVE-2015-1321