Starred by 1 user
Status: Fixed
Owner: ----
Closed: Oct 2012
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security
Security: Pwnium 2 TCMalloc profile bug
Project Member Reported by jorgelo@chromium.org, Oct 10 2012
Pwnium 2 TCMalloc profile bug.
Labels: CVE-2012-5112 Mstone-22 SecSeverity-High SecImpacts-Stable SecImpacts-Beta CVE-2012-5112
Status: Fixed
Comment 7 by wad@chromium.org, Oct 10 2012
Cc: sumit@chromium.org wad@chromium.org ddrew@chromium.org
As requested, impact from a CrOS perspective.

Arbitrary file write as user chronos outside of the sandbox allows for signed-in user profile tampering, limited pre-sign-in state tampering, and limited log tampering (for those owned by the signed-in user). This would allow an attacker to replace Bookmarks, Preferences, or another local profile file or files. Notably, replacing a well-known, pre-installed extension manifest file and associated start file would allow cross-origin bypass leading to data exfiltration and persistence across signed-in sessions with updates for that extension disabled. SecSeverity-High applies to CrOS too even if explicit out-of-sandbox arbitrary code execution is stopped by existing CrOS mitigations.
Labels: reward-60000 reward-unpaid
Verified that this CL made it into the CrOS 2465.209.0 (Chrome 21.0.1180.92) build this morning.
Labels: -reward-unpaid
Payment sent for wire.
Cc: srikanth@chromium.org klo...@chromium.org
We need to get this merged into Clank, too. As with the SVG one, it should be an easy merge.
Clank doesn't use TCMalloc.
Excellent, thanks. :)
Project Member Comment 14 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Mstone-22 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta Security-Impact-Stable Security-Impact-Beta M-22 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityTeam
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 19 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
Labels: Restrict-View-SecurityNotify
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic