Bypasses Same Origin Policy checks via toDataURL()

Bug #1069817 reported by Chris Coulson
Affects                                      Status        Importance  Assigned to       Milestone
WebApps: unity-chromium-extensions           Fix Released  Undecided   Alexandre Abreu
WebApps: unity-firefox-extension             Fix Released  Undecided   Maxim Ermilov
unity-chromium-extension (Ubuntu)            Fix Released  Undecided   Unassigned
unity-chromium-extension (Ubuntu Quantal)    Fix Released  Undecided   Unassigned
unity-firefox-extension (Ubuntu)             Fix Released  Undecided   Ken VanDine
unity-firefox-extension (Ubuntu Quantal)     Fix Released  Undecided   Unassigned
unity-webapps-amazoncloudreader (Ubuntu)     Fix Released  Undecided   Unassigned
unity-webapps-facebookapps (Ubuntu)          Fix Released  Undecided   Unassigned
unity-webapps-librefm (Ubuntu)               Fix Released  Undecided   Unassigned
unity-webapps-pandora-com (Ubuntu)           Fix Released  Undecided   Unassigned
webapps-applications (Ubuntu)                Fix Released  Undecided   Unassigned

Bug Description

This addon exposes a toDataURL() function to the web which allows content to convert an image (specified by a URL) to a data URI. It seems to work by drawing the image to a canvas and using the canvas.toDataURL() mechanism. However, this function seems to bypass all same-origin checks and returns valid data even if the image URL doesn't have the same origin as the document URL.

canvas.toDataURL() will throw a SecurityError exception if the canvas is not origin-clean. A canvas is not origin clean if you call ctx.drawImage() with a URL which does not have the same origin as the document that the canvas is in. However, the canvas used for the conversion is created in chrome context, so it has full privileges and the usual security mechanisms are bypassed completely.

[Test Case]
This can be reproduced with the following test case (I loaded this at http://localhost/test.html):

<html>
<head></head>
<body>
<p id="foo"></p>
<script type="text/javascript">
    // Cross-origin image: a page on http://localhost must not be able to read its pixels.
    window.external
          .getUnityObject(1)
          .toDataURL("http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png",
                     function(a, b) {
        // b arrives as a data: URI even though the image is cross-origin.
        document.getElementById("foo").innerHTML = b;
    });
</script>
</body>
</html>

In this example, you will see that toDataURL() throws as expected and an alert appears ("The operation is insecure"):

<html>
<head></head>
<body>
<p id="foo"></p>
<script type="text/javascript">
    var img = new Image();
    var canvas = document.createElement('canvas');
    var ctx = canvas.getContext('2d');
    img.onload = function() {
        try {
            // Drawing a cross-origin image marks the canvas as not origin-clean ...
            ctx.drawImage(img, 0, 0);
            // ... so toDataURL() throws a SecurityError instead of returning data.
            document.getElementById("foo").innerHTML = canvas.toDataURL();
        } catch(e) { alert(e); }
    };

    img.src = "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png";
</script>
</body>
</html>

[Regression Risks]
The fix consists mostly of removing code from the exposed API (toDataURL).
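The origin-clean rule the report relies on, and the two ways a privileged helper can relate to it, as an added example that is not part of the bug report or of the unity-*-extension code. The canvas model, the function names, the chrome:// document URL and the corsApproved flag (standing in for an image fetched with crossorigin="anonymous" whose response carried a permitting Access-Control-Allow-Origin header) are all hypothetical; the example runs under Node.js and uses only the WHATWG URL class. It replays the report's own test case against a helper whose canvas lives in chrome context, which never taints, and against one that attributes the canvas to the requesting page, which throws exactly where the page's own canvas would.

```javascript
'use strict';

// Added example, not code from the bug report or from the unity-*-extension
// projects. Models the canvas "origin-clean" rule and contrasts a privileged
// (chrome-context) conversion helper with one attributed to the requesting
// page. All names below are hypothetical.

// Browser origin of a URL: scheme + host + port. URL.origin normalises default
// ports, so http://localhost and http://localhost:80 compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

function securityError() {
  // Firefox surfaces this as a DOMException named SecurityError with the
  // message "The operation is insecure."
  const err = new Error('The operation is insecure.');
  err.name = 'SecurityError';
  return err;
}

// Minimal canvas model. documentUrl is the document the canvas belongs to;
// privileged stands for a canvas created in chrome context, where the taint
// rule is not applied (the situation the report describes).
class ModelCanvas {
  constructor(documentUrl, { privileged = false } = {}) {
    this.documentUrl = documentUrl;
    this.privileged = privileged;
    this.originClean = true;
    this.drawn = [];
  }

  // image: { src, corsApproved }. A cross-origin image without CORS approval
  // clears the origin-clean flag, and nothing ever sets it again.
  drawImage(image) {
    const crossOrigin = !sameOrigin(this.documentUrl, image.src);
    if (crossOrigin && !image.corsApproved && !this.privileged) {
      this.originClean = false; // canvas is now tainted
    }
    this.drawn.push(image.src);
  }

  toDataURL() {
    if (!this.originClean) throw securityError();
    // Stand-in for PNG encoding: what matters here is whether the bytes of a
    // cross-origin image can leave the canvas at all.
    const payload = Buffer.from(this.drawn.join('\n')).toString('base64');
    return 'data:image/png;base64,' + payload;
  }
}

// Vulnerable pattern: the conversion runs in the extension's own context, so
// the canvas is privileged and the origin of the page that asked is ignored.
const CHROME_DOCUMENT_URL = 'chrome://example-extension/content/helper.xul'; // hypothetical
function vulnerableToDataURL(_pageUrl, imageUrl) {
  const canvas = new ModelCanvas(CHROME_DOCUMENT_URL, { privileged: true });
  canvas.drawImage({ src: imageUrl, corsApproved: false });
  return canvas.toDataURL(); // succeeds for any imageUrl: the SOP bypass
}

// Hardened pattern: attribute the canvas to the requesting page and apply the
// same taint rule the page's own canvas would. The page gains nothing it could
// not already read, and CORS-approved images keep working.
function hardenedToDataURL(pageUrl, imageUrl, corsApproved = false) {
  const canvas = new ModelCanvas(pageUrl);
  canvas.drawImage({ src: imageUrl, corsApproved });
  return canvas.toDataURL(); // throws SecurityError for cross-origin, non-CORS images
}

// The report's own test case, replayed against both helpers.
const PAGE = 'http://localhost/test.html';
const LOGO = 'http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png';

function replayReport() {
  const result = { vulnerable: null, hardened: null };
  result.vulnerable = vulnerableToDataURL(PAGE, LOGO).slice(0, 22); // "data:image/png;base64,"
  try {
    hardenedToDataURL(PAGE, LOGO);
    result.hardened = 'no error';
  } catch (e) {
    result.hardened = e.name; // "SecurityError"
  }
  return result;
}

console.log(replayReport());
```

The practical check for any privileged image-to-data-URI helper is the one hardenedToDataURL makes: decide origin-cleanness against the origin of the caller, not of the code doing the drawing. A helper that cannot identify its caller's origin has no safe way to offer this operation, which is why removing it from the exposed API, as the fix here did, is the defensible choice.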

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0958

Changed in unity-firefox-extension (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Ken,

Could you take a look at this, and give an ETA on a security fix? Thanks.

Maxim Ermilov (zaspire)
Changed in unity-firefox-extension:
assignee: nobody → Maxim Ermilov (zaspire)
Maxim Ermilov (zaspire)
Changed in unity-firefox-extension:
status: New → Fix Committed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
information type: Private Security → Public Security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Can I push the r331 commit as a security update, or will that break existing scripts?

Changed in unity-chromium-extension:
status: New → Fix Committed
assignee: nobody → Alexandre Abreu (abreu-alexandre)
Revision history for this message
Maxim Ermilov (zaspire) wrote :

> Can I push the r331 commit as a security update, or will that break existing scripts?
No, it will break some scripts.

Revision history for this message
Alexandre Abreu (abreu-alexandre) wrote :

To be more precise, from what I see it'll break LibreFm, Pandora and AmazonCloudReader "only".
Those will be updated in Universe ASAP.

description: updated
Changed in unity-chromium-extension:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-chromium-extension - 2.4.4-0ubuntu1

---------------
unity-chromium-extension (2.4.4-0ubuntu1) raring; urgency=low

  * New upstream release.
    - No installation process triggered when a url matches more than one URL
      in the list of available apps (LP: #1078325)
    - Bypasses Same Origin Policy checks via toDataURL (LP: #1069817)
    - Extension options page is broken & does not work (LP: #1076452)
    - Race condition related to integration/install infobar (LP: #1068308)
    - WebApps Unity plugin for Chromium keeps crashing (LP: #1070433)
 -- Ken VanDine <email address hidden> Thu, 15 Nov 2012 11:21:16 -0500

Changed in unity-chromium-extension (Ubuntu):
status: New → Fix Released
Maxim Ermilov (zaspire)
Changed in unity-firefox-extension:
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Chris, or anyone else affected,

Accepted unity-chromium-extension into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/unity-chromium-extension/2.4.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unity-chromium-extension (Ubuntu Quantal):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

What's the status on the security fix for unity-firefox-extension?

I was told the fix would break API, so updated versions of the webscripts would be uploaded, and a new unity-firefox-extension was going to be uploaded to quantal-proposed. Has any progress been made?

Revision history for this message
Víctor R. Ruiz (vrruiz) wrote :

Scripts that have been fixed to avoid using toDataURL() API: AmazonCloudReader, FacebookApps, GooglePlus, LibreFm, cnn-news, pandora-com and LibreFm. The commit is available at lp:webapps-applications revision 412 http://bazaar.launchpad.net/~webapps/webapps-applications/trunk/revision/412?start_revid=412

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Proposed updated packages for Quantal for this issue are in the security team PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages

Revision history for this message
Víctor R. Ruiz (vrruiz) wrote :

I've passed the manual test suite and everything looks good. I also passed Amazon Cloud Reader and it worked fine.

Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

The unity-firefox-extension with this fix has been in fact already uploaded to raring with version 2.4.2-0ubuntu1: http://launchpadlibrarian.net/124260453/unity-firefox-extension_2.4.1-0ubuntu3_2.4.2-0ubuntu1.diff.gz

Changed in unity-firefox-extension (Ubuntu):
status: New → Fix Committed
Changed in unity-firefox-extension (Ubuntu):
status: Fix Committed → Fix Released
no longer affects: webapps-applications (Ubuntu Quantal)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-amazoncloudreader - 2.2ubuntu0.1

---------------
unity-webapps-amazoncloudreader (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - AmazonCloudReader.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:42:41 -0500

Changed in unity-webapps-amazoncloudreader (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-facebookapps - 2.2ubuntu0.1

---------------
unity-webapps-facebookapps (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - FacebookApps.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:45:22 -0500

Changed in unity-webapps-facebookapps (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-librefm - 2.2ubuntu0.1

---------------
unity-webapps-librefm (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - LibreFM.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:48:41 -0500

Changed in unity-webapps-librefm (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-webapps-pandora-com - 2.2ubuntu0.1

---------------
unity-webapps-pandora-com (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - pandora-com.user.js: Remove use of toDataURL.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:50:33 -0500

Changed in unity-webapps-pandora-com (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-firefox-extension - 2.4.1-0ubuntu1.2

---------------
unity-firefox-extension (2.4.1-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - debian/patches/CVE-2012-0958.patch: merge Unity.toDataURL to
      Unity.init in unity-firefox-extension/content/unity-api.js.
    - CVE-2012-0958
 -- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 10:54:19 -0500

Changed in unity-firefox-extension (Ubuntu Quantal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webapps-applications - 2.4.10-0ubuntu3

---------------
webapps-applications (2.4.10-0ubuntu3) raring; urgency=low

  * debian/patches/lp_1069817.patch:
    - fix script breakage due to toDataUrl fix (LP: #1069817)
 -- Didier Roche <email address hidden> Thu, 13 Dec 2012 13:12:01 +0100

Changed in webapps-applications (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-chromium-extension - 2.4.4-0ubuntu0.2

---------------
unity-chromium-extension (2.4.4-0ubuntu0.2) quantal-security; urgency=low

  * New upstream release.
    - No installation process triggered when a url matches more than one URL
      in the list of available apps (LP: #1078325)
    - Bypasses Same Origin Policy checks via toDataURL (LP: #1069817)
    - Extension options page is broken & does not work (LP: #1076452)
    - Race condition related to integration/install infobar (LP: #1068308)
    - WebApps Unity plugin for Chromium keeps crashing (LP: #1070433)
 -- Ken VanDine <email address hidden> Thu, 15 Nov 2012 15:23:34 -0500

Changed in unity-chromium-extension (Ubuntu Quantal):
status: Fix Committed → Fix Released