firefox 1.0PR crashes when clicking a javascript popup link

Bug #8431 reported by Jason Toffaletti
This bug affects 2 people
Affects: firefox (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Thom May

Bug Description

This is the version line from the firefox about box: Mozilla/5.0 (X11; U; Linux
i686; rv:1.7.3) Gecko/20040922 Firefox/0.10

When I click a link that runs a javascript to open a popup window, firefox
crashes. This crash does not happen in the most recent (9/23/2004) nightly, or
the official 1.0PR from mozilla.org or any other previous version of firefox
I've tried. I can't link to the page because it's an internal webpage.

Jason Toffaletti (jason) wrote :

Fixed in the newer build with this version string:

Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040923 Firefox/0.10

Jason Toffaletti (jason) wrote :

Bug has reappeared in:

Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040929 Firefox/0.10 (Ubuntu)

Thom May (thombot) wrote :

(In reply to comment #2)
> Bug has reappeared in:
>
> Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040929 Firefox/0.10 (Ubuntu)

Can you give me an example chunk of javascript or a page that reproduces this?

Daniel Robitaille (robitaille) wrote :

> > Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040929 Firefox/0.10 (Ubuntu)
>
> Can you give me an example chunk of javascript or a page that reproduces this?

The address book inside Google Mail seems to trigger this bug (it crashes
firefox when trying to view your contacts).

Rob Weir (rob-canonical) wrote :

The "CPS Web-Link" button on www.cpsact.com.au seems to trigger it, too. I've
noticed it on other sites using image buttons with javascript popups, too, but I
can't remember any URLs.

Thom May (thombot) wrote :

Both these examples work perfectly for me; I'm willing to go out
on a limb and speculate that both of you have old versions of your
mozilla profiles. If you move them out the way
(mv .mozilla{,.old} for the purposes of this) and try again, what happens?

Arnold Maestre (maestre) wrote :

(In reply to comment #6)
> Both these examples work perfectly for me; I'm willing to go out
> on a limb and speculate that both of you have old versions of your
> mozilla profiles. If you move them out the way
> (mv .mozilla{,.old} for the purposes of this) and try again, what happens?

The box I installed Ubuntu on 2 weeks ago does not have this problem after upgrades.
But a fresh install with today's build, new user, no extensions, no plugins
exhibits the "crash on javascript popup" behavior.

I copied the working .mozilla to the faulty machine, but it did not solve the
problem.

Rob Weir (rob-canonical) wrote :

I can reproduce this (on www.cpsact.com.au) with a brand new user on an
up-to-date (as of last night) warty.

Daniel Robitaille (robitaille) wrote :

(In reply to comment #6)
> Both these examples work perfectly for me; I'm willing to go out
> on a limb and speculate that both of you have old versions of your
> mozilla profiles. If you move them out the way
> (mv .mozilla{,.old} for the purposes of this) and try again, what happens?

I did just that (removing .mozilla) using the latest firefox package
(0.99+1.0PR.1-0ubuntu1), and I can still reproduce the bug in both gmail.com
and www.cpsact.com.au.

Thom May (thombot) wrote :

Bah. I can reproduce this on x86, but not on amd64. (And only with the warty
packages, not the upstream binary release.)
Investigating.

Rob Weir (rob-canonical) wrote :

Might help localise it: the "online banking" link on www.intechcu.com.au also
causes a crash.

Thom May (thombot) wrote :
Joe Kislo (joe-k12s) wrote :

I was able to pretty consistently crash firefox last night, and it seems like the
same (or at least similar) problem. It isn't just *any* javascript popup, it
requires a few tabs open. I was able to consistently reproduce it with 3 tabs
open, but not with just 1 or 2.

Here's my procedure:
Open firefox, go to www.cnn.com
open a new tab, go to www.msnbc.com
open a new tab and go to www.foxnews.com
go back to the www.cnn.com tab
go to their poll question and try to vote. (when I was doing this I was trying
to fill out online polls after the debate).

When you vote, it will go *boom*. I think any JS popup window will do it to you. Pretty
repeatable once you get the extra tabs in the mix.

Martin Pitt (pitti) wrote :

Above procedure "works" well for me. However, I can perfectly reproduce the
crash with only a single tab, so this bug does not really depend on multiple
tabs. We already had several theories about how the bug can be triggered
reliably; a prime modulus of the current time's square root was not worse than
any other theory so far...

Thom May (thombot) wrote :

Upgrading to RC.

Matt Zimmerman (mdz) wrote :

There seems to be a workaround in upstream Bugzilla: setting
om.disable_window_open_feature.toolbar to "true" *seems* to prevent the crash,
though it's still not really clear when the bug was introduced.

Does the workaround work for those of you who experience this regularly?

Daniel Robitaille (robitaille) wrote :

(In reply to comment #16)

dom.disable_window_open_feature.toolbar set to "true" seems to solve all the
problems I have had; I haven't been able to crash firefox since changing it.
I'm not clear exactly what that option does, but it seems to be an easy enough
workaround until they solve the problem upstream.

Martin Pitt (pitti) wrote :

I tried with both om.* and dom.*, neither prevents the crash for me. :-(

Matt Zimmerman (mdz) wrote :

I've made Thom's 0.9.3 build available here:

deb http://people.ubuntu.com/~mdz/firefox/ /

as a plan to revert back to 0.9.3 in order to fix this and other
release-critical firefox bugs. Please, anyone who is able, try it out and
report whether it works better for you, and if you encounter any problems.

Daniel Robitaille (robitaille) wrote :

(In reply to comment #19)
> I've made Thom's 0.9.3 build available here:
>
> deb http://people.ubuntu.com/~mdz/firefox/ /

I have installed this version, and with this new (old) 0.9.3 I don't experience
any of the crashes I used to get with 0.10.1 before I started setting
dom.disable_window_open_feature.toolbar to true (that setting in my case solved
all the problems I had with 0.10.1).

But a question: are all the vulnerabilities solved by 0.10 and 0.10.1 patched
in this special 0.9.3?
There have been some rather nasty vulnerabilities in mozilla/firefox in recent weeks:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox0.10.1

Martin Pitt (pitti) wrote :

Works fine for me now, I was not able to provoke a crash. But as Daniel already
said, there should be some security fixes to backport to this version, right?

Thom May (thombot) wrote :

(In reply to comment #21)
> Works fine for me now, I was not able to provoke a crash. But as Daniel already
> said, there should be some security fixes to backport to this version, right?

All the ones fixed in 0.10 are fixed in this version.
I need to backport the fix from 0.10.1, but that is hopefully relatively trivial.

Thom May (thombot) wrote :

(In reply to comment #22)
>
> All the ones fixed in 0.10 are fixed in this version.
> I need to backport the fix from 0.10.1, but that is hopefully relatively trivial.

One line fix, now applied.

mozilla-firefox (0.99+1.0PR.1+revertedto0.9.3-0ubuntu1) warty; urgency=low

  * Revert to 0.9.3-6 + branding changes
  * Version so as to be greater than 0.99+1.0PR.1-0ubuntu1
  * Port Ubuntu branding changes to 0.9.3
  * Patch to fix upstream bug #259708, the 1.0PR security problem.

 -- Thom May <email address hidden> Fri, 8 Oct 2004 14:56:35 +0100

Jorge Carminati (limaunion) wrote :

I just want to say that I tried to reproduce the examples given in comments #4, #5
and #13; none of them crashed my Firefox client.

dpkg -l | grep -i mozilla
ii mozilla-firefo 0.99+1.0PR.1-0 lightweight web browser based on Mozilla

Regards.
JC.
