Bypasses Same Origin Policy checks via toDataURL()

Reported by Chris Coulson on 2012-10-22
Affects                                   Importance   Assigned to
WebApps: unity-chromium-extensions        Undecided    Alexandre Abreu
WebApps: unity-firefox-extension          Undecided    Maxim Ermilov
unity-chromium-extension (Ubuntu)         Undecided    Unassigned
  Quantal                                 Undecided    Unassigned
unity-firefox-extension (Ubuntu)          Undecided    Ken VanDine
  Quantal                                 Undecided    Unassigned
unity-webapps-amazoncloudreader (Ubuntu)  Undecided    Unassigned
unity-webapps-facebookapps (Ubuntu)       Undecided    Unassigned
unity-webapps-librefm (Ubuntu)            Undecided    Unassigned
unity-webapps-pandora-com (Ubuntu)        Undecided    Unassigned
webapps-applications (Ubuntu)             Undecided    Unassigned

Bug Description

This addon exposes a toDataURL() function to the web which allows content to convert an image (specified by a URL) to a data URI. It seems to work by drawing the image to a canvas and using the canvas.toDataURL() mechanism. However, this function seems to bypass all same-origin checks and returns valid data even if the image URL doesn't have the same origin as the document URL.

canvas.toDataURL() will throw a SecurityError exception if the canvas is not origin-clean. A canvas is not origin-clean if you call ctx.drawImage() with a URL which does not have the same origin as the document that the canvas is in. However, the canvas used for the conversion is created in chrome context, so it has full privileges and the usual security mechanisms are bypassed completely.

[Test Case]
This can be reproduced with the following test case (I loaded this at http://localhost/test.html):

<html>
<head></head>
<body>
<p id="foo"></p>
<script type="text/javascript">
    // Ask the extension's privileged helper to convert a cross-origin image
    // (the document is at http://localhost, the image at www.ubuntu.com).
    // A page-owned canvas would be tainted by this and toDataURL() would
    // throw; the helper's chrome-context canvas is not, so the callback
    // receives a valid data URI, which is written into the page.
    window.external
          .getUnityObject(1)
          .toDataURL("http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png",
                     function(a, b) {
                         document.getElementById("foo").innerHTML = b;
                     });
</script>
</body>
</html>

In this example, you will see that toDataURL() throws as expected and an alert appears ("The operation is insecure"):

<html>
<head></head>
<body>
<p id="foo"></p>
<script type="text/javascript">
    // Control case: the same image drawn into a canvas owned by the page.
    // Drawing a cross-origin image taints the canvas, so toDataURL()
    // throws a SecurityError ("The operation is insecure"), which is
    // caught and shown in an alert instead of producing a data URI.
    var img = new Image();
    var canvas = document.createElement('canvas');
    var ctx = canvas.getContext('2d');
    img.onload = function() {
        try {
            ctx.drawImage(img, 0, 0);
            document.getElementById("foo").innerHTML = canvas.toDataURL();
        } catch(e) { alert(e); }
    };

    img.src = "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png";
</script>
</body>
</html>

[Regression Risks]
The fix consists mostly of removing code from the exposed API (toDataURL).
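As an added example (not code from the bug report, nor from the unity-firefox-extension or unity-chromium-extension projects), the following JavaScript shows the check a privileged image-to-data-URI helper has to apply itself, since a chrome-context canvas is never tainted: a same-origin comparison of the image URL against the document URL (scheme, host and effective port, the browser's own rule), and a wrapper that refuses cross-origin images before drawing and otherwise uses a canvas owned by the calling document so the browser's origin-clean check still applies as a second line of defence. The shipped fix removed the exposed API instead; this only illustrates the missing check. Function names (isSameOrigin, toDataURLSameOriginOnly) and the (err, data) callback convention are hypothetical; the URLs in the test come from the report's test case.

```javascript
// Added example, not the extension's code. Enforces the same-origin rule
// that a privileged (chrome-context) canvas would otherwise skip.

// Effective default ports per scheme; any other scheme is treated as an
// opaque origin (data:, blob:, javascript:, file:, ...) and never matches.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21", "ws:": "80", "wss:": "443" };

// Parse a URL into its (scheme, host, port) origin tuple, or null when the
// URL is unparsable or has an opaque origin.
function originTuple(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port || DEFAULT_PORTS[u.protocol];   // URL strips default ports
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Two URLs are same-origin when scheme, host and effective port all match.
// Opaque origins never match anything, not even themselves.
function isSameOrigin(a, b) {
  const oa = originTuple(a), ob = originTuple(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Hardened shape for an exposed toDataURL(url, callback) helper (hypothetical
// name): deny cross-origin images up front, then convert with a canvas that
// belongs to the calling document. Returns a short status string so the
// decision can be checked without a DOM; the result itself goes to callback.
function toDataURLSameOriginOnly(imageUrl, documentUrl, callback) {
  if (!isSameOrigin(imageUrl, documentUrl)) {
    callback(new Error("SecurityError: image is not same-origin with the document"), null);
    return "denied";
  }
  if (typeof document === "undefined") {
    callback(new Error("no DOM available"), null);
    return "no-dom";
  }
  const img = new Image();
  img.onload = function () {
    try {
      const canvas = document.createElement("canvas");   // page-owned, so it can be tainted
      canvas.width = img.naturalWidth;
      canvas.height = img.naturalHeight;
      canvas.getContext("2d").drawImage(img, 0, 0);
      callback(null, canvas.toDataURL());   // throws SecurityError if not origin-clean
    } catch (e) {
      callback(e, null);
    }
  };
  img.onerror = function () { callback(new Error("image failed to load"), null); };
  img.src = imageUrl;
  return "loading";
}
```

The up-front check is what the extension lacked; the page-owned canvas is deliberate so that even a mistake in the comparison still ends in the browser's own SecurityError rather than a leaked data URI.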

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0958

Changed in unity-firefox-extension (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
Marc Deslauriers (mdeslaur) wrote :

Ken,

Could you take a look at this, and give an ETA on a security fix? Thanks.

Maxim Ermilov (zaspire) on 2012-10-23
Changed in unity-firefox-extension:
assignee: nobody → Maxim Ermilov (zaspire)
Maxim Ermilov (zaspire) on 2012-10-24
Changed in unity-firefox-extension:
status: New → Fix Committed
Marc Deslauriers (mdeslaur) wrote :
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

Can I push the r331 commit as a security update, or will that break existing scripts?

Changed in unity-chromium-extension:
status: New → Fix Committed
assignee: nobody → Alexandre Abreu (abreu-alexandre)
Maxim Ermilov (zaspire) wrote :

> Can I push the r331 commit as a security update, or will that break existing scripts?
No, it will break some scripts.

To be more precise, from what I see it'll break LibreFm, Pandora and AmazonCloudReader "only".
Those will be updated in Universe ASAP.

description: updated
Changed in unity-chromium-extension:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-chromium-extension - 2.4.4-0ubuntu1

---------------
unity-chromium-extension (2.4.4-0ubuntu1) raring; urgency=low

  * New upstream release.
    - No installation process triggered when a url matches more than one URL
      in the list of available apps (LP: #1078325)
    - Bypasses Same Origin Policy checks via toDataURL (LP: #1069817)
    - Extension options page is broken & does not work (LP: #1076452)
    - Race condition related to integration/install infobar (LP: #1068308)
    - WebApps Unity plugin for Chromium keeps crashing (LP: #1070433)
 -- Ken VanDine <email address hidden> Thu, 15 Nov 2012 11:21:16 -0500

Changed in unity-chromium-extension (Ubuntu):
status: New → Fix Released
Maxim Ermilov (zaspire) on 2012-11-30
Changed in unity-firefox-extension:
status: Fix Committed → Fix Released

Hello Chris, or anyone else affected,

Accepted unity-chromium-extension into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/unity-chromium-extension/2.4.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unity-chromium-extension (Ubuntu Quantal):
status: New → Fix Committed
tags: added: verification-needed
Marc Deslauriers (mdeslaur) wrote :

What's the status on the security fix for unity-firefox-extension?

I was told the fix would break API, so updated versions of the webscripts would be uploaded, and a new unity-firefox-extension was going to be uploaded to quantal-proposed. Has any progress been made?

Víctor R. Ruiz (vrruiz) wrote :

Scripts that have been fixed to avoid using toDataURL() API: AmazonCloudReader, FacebookApps, GooglePlus, LibreFm, cnn-news, pandora-com and LibreFm. The commit is available at lp:webapps-applications revision 412 http://bazaar.launchpad.net/~webapps/webapps-applications/trunk/revision/412?start_revid=412

Marc Deslauriers (mdeslaur) wrote :

Proposed updated packages for Quantal for this issue are in the security team PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages

Víctor R. Ruiz (vrruiz) wrote :

I've passed the manual test suite and everything looks good. I also passed Amazon Cloud Reader and it worked fine.

Didier Roche (didrocks) wrote :

The unity-firefox-extension with this fix has been in fact already uploaded to raring with version 2.4.2-0ubuntu1: http://launchpadlibrarian.net/124260453/unity-firefox-extension_2.4.1-0ubuntu3_2.4.2-0ubuntu1.diff.gz

Changed in unity-firefox-extension (Ubuntu):
status: New → Fix Committed
Didier Roche (didrocks) on 2012-12-13
Changed in unity-firefox-extension (Ubuntu):
status: Fix Committed → Fix Released
Didier Roche (didrocks) on 2012-12-13
no longer affects: webapps-applications (Ubuntu Quantal)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-amazoncloudreader - 2.2ubuntu0.1

---------------
unity-webapps-amazoncloudreader (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - AmazonCloudReader.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:42:41 -0500

Changed in unity-webapps-amazoncloudreader (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-facebookapps - 2.2ubuntu0.1

---------------
unity-webapps-facebookapps (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - FacebookApps.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:45:22 -0500

Changed in unity-webapps-facebookapps (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-librefm - 2.2ubuntu0.1

---------------
unity-webapps-librefm (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - LibreFM.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:48:41 -0500

Changed in unity-webapps-librefm (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-pandora-com - 2.2ubuntu0.1

---------------
unity-webapps-pandora-com (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - pandora-com.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:50:33 -0500

Changed in unity-webapps-pandora-com (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-firefox-extension - 2.4.1-0ubuntu1.2

---------------
unity-firefox-extension (2.4.1-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - debian/patches/CVE-2012-0958.patch: merge Unity.toDataURL to
      Unity.init in unity-firefox-extension/content/unity-api.js.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 10:54:19 -0500

Changed in unity-firefox-extension (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webapps-applications - 2.4.10-0ubuntu3

---------------
webapps-applications (2.4.10-0ubuntu3) raring; urgency=low

  * debian/patches/lp_1069817.patch:
    - fix script breakage due to toDataUrl fix (LP: #1069817)
 -- Didier Roche <email address hidden> Thu, 13 Dec 2012 13:12:01 +0100

Changed in webapps-applications (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-chromium-extension - 2.4.4-0ubuntu0.2

---------------
unity-chromium-extension (2.4.4-0ubuntu0.2) quantal-security; urgency=low

  * New upstream release.
    - No installation process triggered when a url matches more than one URL
      in the list of available apps (LP: #1078325)
    - Bypasses Same Origin Policy checks via toDataURL (LP: #1069817)
    - Extension options page is broken & does not work (LP: #1076452)
    - Race condition related to integration/install infobar (LP: #1068308)
    - WebApps Unity plugin for Chromium keeps crashing (LP: #1070433)
 -- Ken VanDine <email address hidden> Thu, 15 Nov 2012 15:23:34 -0500

Changed in unity-chromium-extension (Ubuntu Quantal):
status: Fix Committed → Fix Released