2007-01-03 20:11:38 |
Ewen McNeill |
bug |
|
|
added bug |
2007-01-03 20:32:10 |
Ewen McNeill |
bug |
|
|
added attachment 'mailman-signon-page.html' (Isolated test case (extracted from Mailman admin signon form)) |
2007-01-10 20:52:50 |
Ewen McNeill |
firefox: status |
Unconfirmed |
Confirmed |
|
2007-01-10 20:52:50 |
Ewen McNeill |
firefox: statusexplanation |
|
In the hope that this will bring the bug to the firefox/security maintainers' attention, I've changed the status to "confirmed" given (a) the number of bugs which have been marked as a duplicate of this bug, and (b) that several people have reported they can reproduce the bug.
It would be nice to have some indication from the Firefox maintainer and/or the Ubuntu security folks as to when this regression introduced with the Dapper 1.5.0.9 package might be looked at.
Ewen |
|
2007-01-19 15:50:04 |
Rafael Gattringer |
bug |
|
|
added attachment 'index.html' (crash page testcase) |
2007-01-19 18:22:02 |
Freddy Martinez |
title |
Firefox: saved passwords causes crash with Mailman admin page |
Saved passwords causes crash with Mailman admin (1.5.x) |
|
2007-01-19 22:41:22 |
Ewen McNeill |
description |
Binary package hint: firefox
The latest security update for Firefox for Ubuntu Dapper (6.06), version 1.5.dfsg+1.5.0.9-0ubuntu0.6.06, now causes Firefox to crash repeatedly when using a saved password field on a Mailman admin login screen. This did not happen with the previous version (1.5.dfsg+1.5.0.8-0ubuntu0.6.06) or any previous version that I can recall. Other forms with saved passwords may also be affected (I initially thought that it was all saved forms, but it seems the one for launchpad.net isn't affected -- curious).
Ubuntu Version: Dapper Drake (6.06)
Firefox Version: 1.5.dfsg+1.5.0.9-0ubuntu0.6.06,
Reproducible: always
How to reproduce:
1. Stop Firefox
2. Remove ~/.mozilla/firefox/PROFILE/signons.txt
3. Start Firefox
4. Go to http://somelistserver/mailman/admindb/mailman
5. Log in
6. Choose to allow Firefox to save the password
7. Observe Firefox crashes
8. Restart Firefox
9. Go back to http://somelistserver/mailman/admindb/mailman
10. Observe Firefox crashes again without displaying the page
11. Go back to step 2 and repeat.
12. Go back to step 2 and repeat choosing NOT to save the password at step 6 and observe Firefox doesn't crash
Desired behaviour: As per previous version, should fill in saved password for the form and not crash.
Other notes:
It doesn't appear necessary for the password to actually be correct; just that it be saved. The crash on visiting the page with a saved password appears to happen around the time that the saved password might be pre-filled.
Completely removing the saved passwords and starting again doesn't seem to help; as soon as the password is saved the problem reappears. Removing the firefox profile and starting again also doesn't seem to help; again as soon as the password is saved the problem reappears.
The only thing I can see which is noticeably different between the Mailman login page and, eg, the launchpad.net login page, in terms of saved passwords, is that the Mailman page is password-only, whereas the launchpad.net has an email address as well as the password. Possibly the bug is somehow related to the form being password-only.
This behaviour is new with the security update for Ubuntu Dapper which came out this morning. I've used the saved password feature with many previous versions of Firefox without any problems. Knowing the issues which have been reported with Firefox recently, including a password stealing attack, I'd guess that there is a bug in the "fix" chosen to try to defeat that password stealing attack.
Finally, for what little it seems to be worth, a backtrace of the coredump:
ewen@wat:/var/tmp$ gdb /usr/lib/firefox/firefox-bin core.10049
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
Core was generated by `/usr/lib/firefox/firefox-bin -a firefox'.
Program terminated with signal 11, Segmentation fault.
[....]
#0 0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7e56790 in raise () from /lib/tls/i686/cmov/libpthread.so.0
#2 0x08055e0b in ?? ()
#3 0x0000000b in ?? ()
#4 0xbfaf0e8c in ?? ()
#5 0x00000000 in ?? ()
(gdb)
Ewen |
Binary package hint: firefox
[Edit: NOTE: This is a _regression_ in Firefox 1.5.0.9, released as a security update for Ubuntu Dapper. Functionality that used to work perfectly now causes the browser to crash hard. The problem appears to be widely reproduced with the only people unable to reproduce it being those using some other browser version.]
The latest security update for Firefox for Ubuntu Dapper (6.06), version 1.5.dfsg+1.5.0.9-0ubuntu0.6.06, now causes Firefox to crash repeatedly when using a saved password field on a Mailman admin login screen. This did not happen with the previous version (1.5.dfsg+1.5.0.8-0ubuntu0.6.06) or any previous version that I can recall. Other forms with saved passwords may also be affected (I initially thought that it was all saved forms, but it seems the one for launchpad.net isn't affected -- curious).
Ubuntu Version: Dapper Drake (6.06)
Firefox Version: 1.5.dfsg+1.5.0.9-0ubuntu0.6.06,
Reproducible: always
How to reproduce:
1. Stop Firefox
2. Remove ~/.mozilla/firefox/PROFILE/signons.txt
3. Start Firefox
4. Go to http://somelistserver/mailman/admindb/mailman
5. Log in
6. Choose to allow Firefox to save the password
7. Observe Firefox crashes
8. Restart Firefox
9. Go back to http://somelistserver/mailman/admindb/mailman
10. Observe Firefox crashes again without displaying the page
11. Go back to step 2 and repeat.
12. Go back to step 2 and repeat choosing NOT to save the password at step 6 and observe Firefox doesn't crash
Desired behaviour: As per previous version, should fill in saved password for the form and not crash.
Other notes:
It doesn't appear necessary for the password to actually be correct; just that it be saved. The crash on visiting the page with a saved password appears to happen around the time that the saved password might be pre-filled.
Completely removing the saved passwords and starting again doesn't seem to help; as soon as the password is saved the problem reappears. Removing the firefox profile and starting again also doesn't seem to help; again as soon as the password is saved the problem reappears.
The only thing I can see which is noticeably different between the Mailman login page and, eg, the launchpad.net login page, in terms of saved passwords, is that the Mailman page is password-only, whereas the launchpad.net has an email address as well as the password. Possibly the bug is somehow related to the form being password-only.
This behaviour is new with the security update for Ubuntu Dapper which came out this morning. I've used the saved password feature with many previous versions of Firefox without any problems. Knowing the issues which have been reported with Firefox recently, including a password stealing attack, I'd guess that there is a bug in the "fix" chosen to try to defeat that password stealing attack.
Finally, for what little it seems to be worth, a backtrace of the coredump:
ewen@wat:/var/tmp$ gdb /usr/lib/firefox/firefox-bin core.10049
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
Core was generated by `/usr/lib/firefox/firefox-bin -a firefox'.
Program terminated with signal 11, Segmentation fault.
[....]
#0 0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7e56790 in raise () from /lib/tls/i686/cmov/libpthread.so.0
#2 0x08055e0b in ?? ()
#3 0x0000000b in ?? ()
#4 0xbfaf0e8c in ?? ()
#5 0x00000000 in ?? ()
(gdb)
Ewen |
|
2007-01-19 22:41:22 |
Ewen McNeill |
title |
Saved passwords causes crash with Mailman admin (1.5.x) |
Dapper: Regression: Firefox 1.5.0.9: Saved passwords causes crash with Mailman admin |
|
2007-01-26 03:08:21 |
Ewen McNeill |
bug |
|
|
added attachment 'firefox-1.5.0.9-saved-passwords-password-only.diff' (Firefox 1.5.0.9 password only forms fix) |
2007-01-26 11:10:44 |
Martin Pitt |
firefox: status |
Confirmed |
In Progress |
|
2007-01-26 11:10:44 |
Martin Pitt |
firefox: importance |
Undecided |
Medium |
|
2007-01-26 11:10:44 |
Martin Pitt |
firefox: statusexplanation |
In the hope that this will bring the bug to the firefox/security maintainers' attention, I've changed the status to "confirmed" given (a) the number of bugs which have been marked as a duplicate of this bug, and (b) that several people have reported they can reproduce the bug.
It would be nice to have some indication from the Firefox maintainer and/or the Ubuntu security folks as to when this regression introduced with the Dapper 1.5.0.9 package might be looked at.
Ewen |
|
|
2007-01-26 11:10:44 |
Martin Pitt |
firefox: assignee |
|
pitti |
|
2007-01-26 18:42:44 |
Kees Cook |
firefox: status |
Unconfirmed |
Fix Committed |
|
2007-01-26 18:42:44 |
Kees Cook |
firefox: importance |
Undecided |
Medium |
|
2007-01-26 18:42:44 |
Kees Cook |
firefox: statusexplanation |
|
|
|
2007-01-26 18:42:44 |
Kees Cook |
firefox: assignee |
|
keescook |
|
2007-01-26 18:42:57 |
Kees Cook |
firefox: status |
Unconfirmed |
Fix Committed |
|
2007-01-26 18:42:57 |
Kees Cook |
firefox: importance |
Undecided |
Medium |
|
2007-01-26 18:42:57 |
Kees Cook |
firefox: statusexplanation |
|
|
|
2007-01-26 18:42:57 |
Kees Cook |
firefox: assignee |
|
keescook |
|
2007-01-26 18:45:51 |
Kees Cook |
firefox: status |
In Progress |
Fix Committed |
|
2007-01-26 18:45:51 |
Kees Cook |
firefox: assignee |
pitti |
keescook |
|
2007-01-26 18:45:51 |
Kees Cook |
firefox: statusexplanation |
|
I've confirmed this is a problem in Breezy as well.
Ewen, thanks again for the patch; I agree this is a correct fix. I added additional sanity-checking around the passField just in case. :) My Dapper build shows that the patch fixes the problem, as you observed. Breezy is building now, and I'll get them rolled out to the archives as soon as I can. |
|
2007-01-27 01:39:39 |
Kees Cook |
firefox: status |
Fix Committed |
Fix Released |
|
2007-01-27 01:39:39 |
Kees Cook |
firefox: statusexplanation |
I've confirmed this is a problem in Breezy as well.
Ewen, thanks again for the patch; I agree this is a correct fix. I added additional sanity-checking around the passField just in case. :) My Dapper build shows that the patch fixes the problem, as you observed. Breezy is building now, and I'll get them rolled out to the archives as soon as I can. |
This fix has been rolled out with USN-398-4.
http://www.ubuntu.com/usn/usn-398-4 |
|
2007-01-27 01:40:15 |
Kees Cook |
firefox: status |
Fix Committed |
Fix Released |
|
2007-01-27 01:40:23 |
Kees Cook |
firefox: status |
Fix Committed |
Fix Released |
|
2008-04-09 20:07:34 |
Kees Cook |
bug |
|
|
added subscriber Ubuntu Security Team |
2013-09-09 05:00:30 |
bulldozer2003 |
removed subscriber bulldozer2003 |
|
|
|