Firefox 16.0.1 Crash Report [@ unity_webapps_available_application_get_application_domain ]
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mozilla Firefox | Won't Fix | Critical | |
WebApps: libunity-webapps | | High | Alex Launi |
libunity-webapps (Ubuntu) | | High | Unassigned |
Quantal | | High | Marc Deslauriers |
Raring | | High | Unassigned |
Bug Description
This has increased in frequency a lot since yesterday:
https:/
Some comments:
"Tried to use gmail integration with ubuntu 12.10 and firefox crashed"
"opening a google calendar invite link from thunderbird"
"I just opened facebook"
"I click on view document in the gmail. What different: may be because I installed gmail plugin."
Crashing thread:
0 libunity-
1 libxul.so libxul.so@0x15cc717
2 libxul.so ffi_call ffi64.c:485
3 libxul.so js::ctypes:
4 libxul.so js::InvokeKernel jscntxtinlines.
5 libxul.so js::Invoke jsinterp.h:119
6 libxul.so js::IndirectPro
7 libxul.so js::DirectWrapp
8 libxul.so js::CrossCompar
9 libxul.so proxy_Call jsproxy.cpp:1143
10 libxul.so js::InvokeKernel jscntxtinlines.
11 libxul.so js::Interpret jsinterp.cpp:2442
12 libxul.so js::RunScript jsinterp.cpp:301
13 libxul.so js::InvokeKernel jsinterp.cpp:355
14 libxul.so js::Invoke jsinterp.h:119
15 libxul.so js::IndirectPro
16 libxul.so js::DirectWrapp
17 libxul.so js::CrossCompar
18 libxul.so proxy_Call jsproxy.cpp:1143
19 libxul.so js::InvokeKernel jscntxtinlines.
20 libxul.so js::Interpret jsinterp.cpp:2442
21 libxul.so js::RunScript jsinterp.cpp:301
22 libxul.so js::InvokeKernel jsinterp.cpp:355
23 libxul.so js_fun_apply jsinterp.h:119
24 libxul.so js::InvokeKernel jscntxtinlines.
25 libxul.so js::Interpret jsinterp.cpp:2442
26 libxul.so js::RunScript jsinterp.cpp:301
27 libxul.so js::InvokeKernel jsinterp.cpp:355
28 libxul.so array_forEach jsinterp.h:119
29 libxul.so js::InvokeKernel jscntxtinlines.
30 libxul.so js::Interpret jsinterp.cpp:2442
31 libxul.so js::RunScript jsinterp.cpp:301
32 libxul.so js::InvokeKernel jsinterp.cpp:355
33 libxul.so js_fun_apply jsinterp.h:119
34 libxul.so js::InvokeKernel jscntxtinlines.
35 libxul.so js::Interpret jsinterp.cpp:2442
36 libxul.so js::RunScript jsinterp.cpp:301
37 libxul.so js::InvokeKernel jsinterp.cpp:355
38 libxul.so js::Invoke jsinterp.h:119
39 libxul.so JS_CallFunction
40 libxul.so nsXPCWrappedJSC
41 libxul.so nsXPCWrappedJS:
42 libxul.so PrepareAndDispatch xptcstubs_
43 libxul.so libxul.so@0x10c1d02
44 libxul.so nsDocLoader:
45 libxul.so nsDocShell:
46 libxul.so nsDSURIContentL
47 libxul.so nsDocumentOpenI
48 libxul.so nsDocumentOpenI
49 libxul.so nsDocumentOpenI
50 libxul.so mozilla:
51 libxul.so mozilla:
52 libxul.so mozilla:
53 libxul.so mozilla:
54 libxul.so mozilla:
55 libxul.so nsInputStreamPu
56 libxul.so nsInputStreamPu
57 libxul.so nsInputStreamRe
58 libxul.so nsThread:
59 libxul.so NS_ProcessNextE
60 libxul.so mozilla:
61 libxul.so MessageLoop::Run message_loop.cc:201
62 libxul.so nsBaseAppShell::Run nsBaseAppShell.
63 libxul.so nsAppStartup::Run nsAppStartup.
64 libxul.so XREMain:
65 libxul.so XREMain::XRE_main nsAppRunner.
66 libxul.so XRE_main nsAppRunner.
67 firefox main nsBrowserApp.
68 libc-2.15.so libc-2.
69 libstdc++.so.6.0.17 libstdc+
70 firefox firefox@0x25ef
71 firefox firefox@0x294f
72 icon-theme.cache icon-theme.
73 ld-2.15.so ld-2.15.so@0xf3ee
Related branches
- Alex Launi (community): Approve on 2012-10-28
- PS Jenkins bot: Approve (continuous-integration) on 2012-10-28
- Diff: 12 lines (+1/-1), 1 file modified: src/libunity-webapps-repository/unity-webapps-application-repository.c (+1/-1)
CVE References
Changed in libunity-webapps (Ubuntu): | |
importance: | Undecided → High |
|
#9 |
FWIW, I reported this to Ubuntu's bug tracker on Friday (19th). No response yet though
Changed in firefox: | |
importance: | Unknown → Critical |
status: | Unknown → Confirmed |
Changed in libunity-webapps: | |
importance: | Undecided → High |
assignee: | nobody → Alexandre Abreu (abreu-alexandre) |
Changed in libunity-webapps: | |
assignee: | Alexandre Abreu (abreu-alexandre) → Alex Launi (alexlauni) |
Alex Launi (alexlauni) wrote : | #1 |
As best I can tell without being able to reproduce the bug and get a better trace, this is being caused by a bad cast. I've added a series of checks to ensure we don't try and access members of a null pointer.
Changed in libunity-webapps: | |
status: | New → In Progress |
Chris Coulson (chrisccoulson) wrote : | #2 |
I commented on the MP, but I'll copy that here too:
"I'm not sure this is going to fix it. From looking at the crash reports, the issue just looks like a classic use-after-free rather than an issue with gobject type casts. In unity_webapps_
In fact, it looks like the bug is here:
unity_
app = unity_webapps_
g_
}
... |app| is stored without a reference, so next time a webapp is installed, this app is destroyed when it is replaced here:
app_name = unity_webapps_
app = (UnityWebappsLo
g_hash_
g_object_ref (app));
out:
if (manifest != NULL)
{
g_
}
if (app != NULL)
{
g_
}
return ret;
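A simplified model of the ownership problem described in comment #2, added here as an illustration; it is not libunity-webapps code. The `App`, `Table` and helper names are hypothetical, a hand-rolled refcount stands in for GObject's, and the domain string is a constructed sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hand-rolled refcounted object standing in for a GObject (hypothetical). */
typedef struct { int refs; char domain[32]; } App;
static int live_apps;   /* lets us observe frees without touching freed memory */

static App *app_new(const char *domain) {
    App *a = calloc(1, sizeof *a);
    if (!a) abort();
    a->refs = 1;
    strncpy(a->domain, domain, sizeof a->domain - 1);
    live_apps++;
    return a;
}
static App *app_ref(App *a) { a->refs++; return a; }
static void app_unref(App *a) { if (--a->refs == 0) { live_apps--; free(a); } }

/* One-slot table that owns one reference to its value and drops it on
   replacement, like a hash table with an unref value-destroy callback. */
typedef struct { App *value; } Table;
static void table_replace(Table *t, App *owned) {
    if (t->value) app_unref(t->value);
    t->value = owned;
}

/* Keep a pointer to the current entry, then replace the entry (a webapp is
   installed again). Returns how many App objects are alive at that point:
   1 means `cached` is dangling, 2 means `cached` is still valid. */
static int live_after_replace(int caller_takes_ref) {
    Table t = { NULL };
    live_apps = 0;
    table_replace(&t, app_new("mail.example"));        /* constructed sample value */
    App *cached = caller_takes_ref ? app_ref(t.value)  /* owned reference */
                                   : t.value;          /* borrowed pointer */
    table_replace(&t, app_new("mail.example"));        /* table drops its ref to the old App */
    int alive = live_apps;
    if (caller_takes_ref) app_unref(cached);           /* release only what we own */
    table_replace(&t, NULL);
    return alive;
}

int main(void) {
    printf("borrowed pointer: %d live object(s)\n", live_after_replace(0));
    printf("owned reference:  %d live object(s)\n", live_after_replace(1));
    return 0;
}
```

The borrowed case is never dereferenced after the replacement; the live-object count is what shows that the cached pointer no longer refers to a valid object.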
Marc Deslauriers (mdeslaur) wrote : | #3 |
This issue may have a security impact. Subscribing the security team.
information type: | Public → Public Security |
Changed in libunity-webapps: | |
status: | In Progress → Fix Committed |
milestone: | none → 2.3.3 |
Chris Coulson (chrisccoulson) wrote : | #4 |
This is CVE-2012-4551
Changed in libunity-webapps (Ubuntu Quantal): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → Confirmed |
Changed in libunity-webapps (Ubuntu Raring): | |
status: | New → Confirmed |
Changed in libunity-webapps (Ubuntu Quantal): | |
importance: | Undecided → High |
Marc Deslauriers (mdeslaur) wrote : | #5 |
Unless someone objects, I intend on pushing the fix out as a security update for Quantal this week.
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package libunity-webapps - 2.4.1-0ubuntu3.2
---------------
libunity-webapps (2.4.1-0ubuntu3.2) quantal-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
use after free (LP: #1068495)
- debian/
src/
- CVE-2012-4551
-- Marc Deslauriers <email address hidden> Tue, 13 Nov 2012 13:28:10 -0500
Changed in libunity-webapps (Ubuntu Quantal): | |
status: | Confirmed → Fix Released |
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package libunity-webapps - 2.4.3daily12.
---------------
libunity-webapps (2.4.3daily12.
[ Robert Bruce Park ]
* -debian/
* Inline packaging.
[ Ken VanDine ]
* Automatic snapshot from revision 795 (bootstrap)
[ Didier Roche ]
* debian/*symbols:
- remove now unexported private symbols
[ Alex Launi ]
* Firefox 16.0.1 Crash Report [@
unity_
#1068495)
[ Chris Coulson ]
* Firefox 16.0.1 Crash Report [@
unity_
#1068495)
[ Maxim Ermilov ]
* ubuntu-
unity_
* Youtube sound menu integration doesn't behave correctly (LP:
#1038491)
[ Automatic PS uploader ]
* Automatic snapshot from revision 862
-- Automatic PS uploader <email address hidden> Wed, 28 Nov 2012 05:01:36 +0000
Changed in libunity-webapps (Ubuntu Raring): | |
status: | Confirmed → Fix Released |
|
#10 |
It's no longer a top crasher on Linux in 17.0.
Changed in libunity-webapps: | |
status: | Fix Committed → Fix Released |
Changed in firefox: | |
status: | Confirmed → Won't Fix |
It's #5 top browser crasher in 16.0.1 on Linux.
It's correlated to 4 extensions in Ubuntu but most likely Webapps-team:
unity_webapps_available_application_get_application_domain|SIGSEGV (31 crashes)
100% (31/31) vs. 10% (123/1224) {2e1445b0-2682-11e1-bfc2-0800200c9a66}
100% (31/31) vs. 10% (125/1224) <email address hidden>
100% (31/31) vs. 69% (844/1224) <email address hidden>
100% (31/31) vs. 80% (984/1224) <email address hidden>
Signature unity_webapps_available_application_get_application_domain
UUID 184d0775-ae00-43b9-998f-29c472121021
Date Processed 2012-10-21 12:01:32
Uptime 875
Last Crash 50.4 minutes before submission
Install Age 1.3 hours since version was first installed.
Install Time 2012-10-21 10:46:03
Product Firefox
Version 16.0.1
Build ID 20121010223852
Release Channel release
OS Linux
OS Version 0.0.0 Linux 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 42 stepping 7
Crash Reason SIGSEGV
Crash Address 0x4c
App Notes
OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop x86/MMX/SSE2 -- 3.0 Mesa 9.0 -- texture_from_pixmap
EMCheckCompatibility True
Frame Module Signature Source
0 libunity-webapps-repository.so.0.0.0 unity_webapps_available_application_get_application_domain unity-webapps-available-application.c:65
1 libunity-webapps-repository.so.0.0.0 unity_webapps_application_repository_get_resolved_application_domain unity-webapps-application-repository.c:446
2 libxul.so libxul.so@0x1390bb9
3 libxul.so ffi_call ffi.c:303
4 libxul.so js::ctypes::FunctionType::Call CTypes.cpp:5576
5 libxul.so js::InvokeKernel jscntxtinlines.h:382
6 libxul.so js::Invoke jsinterp.h:119
7 libxul.so js::IndirectProxyHandler::call jsproxy.cpp:442
8 libxul.so js::DirectWrapper::call jswrapper.cpp:383
9 libxul.so js::CrossCompartmentWrapper::call jswrapper.cpp:777
10 libxul.so proxy_Call jsproxy.cpp:1143
11 libxul.so js::InvokeKernel jscntxtinlines.h:382
...
More reports at: https://crash-stats.mozilla.com/report/list?signature=unity_webapps_available_application_get_application_domain