
Issue 154983 link

Issue metadata

Status: Fixed
Owner: ----
Closed: Oct 2012
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security



Security: Pwnium 2 TCMalloc profile bug

Project Member Reported by jorgelo@chromium.org, Oct 10 2012

Issue description

Pwnium 2 TCMalloc profile bug.
 
Labels: CVE-2012-5112 Mstone-22 SecSeverity-High SecImpacts-Stable SecImpacts-Beta
Status: Fixed

Comment 7 by wad@chromium.org, Oct 10 2012

Cc: sumit@chromium.org wad@chromium.org ddrew@chromium.org
As requested, impact from a CrOS perspective.

Arbitrary file write as user chronos outside of the sandbox allows for signed-in user profile tampering, limited pre-sign-in state tampering, and limited log tampering (for those owned by the signed-in user). This would allow an attacker to replace Bookmarks, Preferences, or another local profile file or files. Notably, replacing a well-known, pre-installed extension manifest file and associated start file would allow cross-origin bypass leading to data exfiltration and persistence across signed-in sessions with updates for that extension disabled. SecSeverity-High applies to CrOS too even if explicit out-of-sandbox arbitrary code execution is stopped by existing CrOS mitigations.
Labels: reward-60000 reward-unpaid
Verified that this CL made it into the CrOS 2465.209.0 (Chrome 21.0.1180.92) build this morning.
Labels: -reward-unpaid
Payment sent for wire.
Cc: srikanth@chromium.org klo...@chromium.org
We need to get this merged into Clank, too. As with the SVG one, it should be an easy merge.
Clank doesn't use TCMalloc.
Excellent, thanks. :)
Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Mstone-22 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta Security-Impact-Stable Security-Impact-Beta M-22 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityTeam
Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Comment 19 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 21 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify
Comment 22 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
Comment 25 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1