Issue metadata

Status: Fixed
Owner:
Closed: Oct 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Issue 154987: Pwnium SVG use after free

Reported by jsc...@chromium.org, Oct 10 2012 Project Member

Issue description

Details forthcoming
 

Comment 2 by k...@google.com, Oct 10 2012

Fixed with webkit revision 130855

Comment 3 by scarybea...@gmail.com, Oct 10 2012

Labels: CVE-2012-5112 SecImpacts-Stable SecImpacts-Beta Mstone-22
Status: Fixed
Note: CVE covers entire Pwnium 2 chain.

Comment 5 by palmer@chromium.org, Oct 23 2012

Cc: srikanth@chromium.org klo...@chromium.org
We need to get this merged into Clank as well. Should be an easy merge.

Comment 6 by klo...@chromium.org, Oct 23 2012

Chris, are you going to cherry-pick this in? Tomorrow is last day.

Comment 7 by palmer@google.com, Oct 23 2012

I looked into it, and although the fix is tiny, it depends on a previous, larger fix. It's not likely the merge would be clean.

Comment 8 by srikanth@chromium.org, Oct 23 2012

Thanks for looking into it. Let's just pick this up with the next update for Chrome on Android beyond M18.

Comment 9 by pdr@chromium.org, Oct 23 2012

What's the change that it depends on?

Comment 10 by palmer@google.com, Oct 23 2012

It's at least as far back as WebKit r100046 (when the SVGElementInstance::detach method was born). It might go back further, I'm not sure.

Comment 11 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-SVG -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-22 Cr-Content Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG M-22 Security-Severity-High Type-Bug-Security

Comment 12 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityTeam

Comment 13 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 14 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 16 by bugdroid1@chromium.org, Apr 5 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 17 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-SVG Cr-Blink-SVG

Comment 18 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

Project Member
Labels: Restrict-View-SecurityNotify

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 23 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Comment 24 by sheriffbot@chromium.org, Jul 29 2018

Project Member
Labels: -Pri-0 Pri-1
