
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Pwnium SVG use after free

Project Member Reported by jsc...@chromium.org, Oct 10 2012

Issue description

Details forthcoming
 

Comment 2 by k...@google.com, Oct 10 2012

Fixed with webkit revision 130855
Labels: CVE-2012-5112 SecImpacts-Stable SecImpacts-Beta Mstone-22
Status: Fixed
Note: CVE covers entire Pwnium 2 chain.

Comment 5 by palmer@chromium.org, Oct 23 2012

Cc: srikanth@chromium.org klo...@chromium.org
We need to get this merged into Clank as well. Should be an easy merge.

Comment 6 by klo...@chromium.org, Oct 23 2012

Chris, are you going to cherry-pick this in? Tomorrow is last day.

Comment 7 by palmer@google.com, Oct 23 2012

I looked into it, and although the fix is tiny, it depends on a previous, larger fix. It's not likely the merge would be clean.
Thanks for looking into it. Let's just pick this up with the next update for Chrome on Android beyond M18.

Comment 9 by pdr@chromium.org, Oct 23 2012

What's the change that it depends on?

Comment 10 by palmer@google.com, Oct 23 2012

It's at least as far back as WebKit r100046 (when the SVGElementInstance::detach method was born). It might go back further, I'm not sure.

Comment 11 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -WebKit-SVG -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-22 Cr-Content Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG M-22 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityTeam

Comment 13 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 14 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 16 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink

Comment 17 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-SVG Cr-Blink-SVG

Comment 18 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Comment 24 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1
