Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security



HyphenatorHostMsg_OpenDictionary IPC allows arbitrary file reads from a compromised renderer
Project Member Reported by jsc...@chromium.org, Dec 20 2012
The locale string contains arbitrary characters including path traversals and NULs. So, a string like "../../../etc/passwd\x00" would traverse out of the intended directory and send the compromised renderer a handle to the passwd file.

This security regression was introduced here:
http://src.chromium.org/viewvc/chrome?view=rev&revision=154663

 
Comment 1 by odean@chromium.org, Dec 20 2012
Cc: hbono@chromium.org
Owner: groby@chromium.org
Passing to groby@ as I believe hbono@ has other projects these days. If this is best owned by you, Hironori, feel free to reclaim.
Comment 2 by tony@chromium.org, Dec 20 2012
We could whitelist the locale value.  E.g., we could maybe run |locale| through base::i18n::GetCanonicalLocale.  I'm not sure what happens if we pass in something that's complete nonsense into GetCanonicalLocale.
Comment 3 by groby@chromium.org, Dec 20 2012
Status: Started
Working on validating the locale browser side. (We've already got a list of accepted dictionary locales)
Comment 4 by groby@chromium.org, Dec 21 2012
Labels: Merge-Requested
Fixed in ToT. 
Project Member Comment 5 by bugdroid1@chromium.org, Dec 21 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174304

------------------------------------------------------------------------
r174304 | groby@chromium.org | 2012-12-21T01:17:59.824121Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/hyphenator/hyphenator_message_filter.cc?r1=174304&r2=174303&pathrev=174304
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/spellcheck_common.cc?r1=174304&r2=174303&pathrev=174304

[Spellcheck, Security] Filter against invalid locales.

Prevents passing up of garbage strings from renderer (and thus, prevents opening of arbitrary files)

BUG= 167122 


Review URL: https://chromiumcodereview.appspot.com/11618046
------------------------------------------------------------------------
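The commit above only describes the fix in prose, so here is an added, self-contained illustration of the check it names (my own code, not Chromium's patch or its spellcheck_common.cc): the renderer-supplied locale is compared byte-for-byte against a fixed list of accepted dictionary locales before it is allowed to influence a file name, so neither a traversal sequence nor an embedded NUL can reach the file API. The locale list, the `hyph-<locale>.dic` naming and the function names are assumptions made for the example.

```cpp
// Added example, not Chromium's own code: browser-side validation of the
// renderer-supplied locale before it can influence a dictionary path.
#include <algorithm>
#include <array>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Constructed subset standing in for the list of accepted dictionary locales
// the fix checks against (assumption: Chromium's real list is longer).
constexpr std::array<std::string_view, 6> kAcceptedLocales = {
    "en-US", "en-GB", "de", "fr", "es", "ja"};

// Exact, length-aware comparison against the allowlist. A std::string_view
// built from |locale| keeps embedded NUL bytes, so "en-US\0.." has length 7
// and cannot match the 5-byte entry "en-US". Case is not folded: "EN-US"
// is rejected rather than guessed at.
bool IsAcceptedDictionaryLocale(const std::string& locale) {
  const std::string_view candidate(locale);
  return std::find(kAcceptedLocales.begin(), kAcceptedLocales.end(),
                   candidate) != kAcceptedLocales.end();
}

// Models the browser-side handling of HyphenatorHostMsg_OpenDictionary:
// the file name is formed only from a locale that passed the allowlist,
// so a traversal string never reaches the file API. The "hyph-<locale>.dic"
// naming is an assumption made for this example.
std::optional<std::string> DictionaryPathForLocale(
    const std::string& dictionary_dir, const std::string& locale) {
  if (!IsAcceptedDictionaryLocale(locale))
    return std::nullopt;  // reject the IPC; nothing is opened
  return dictionary_dir + "/hyph-" + locale + ".dic";
}

int main() {
  // Constructed inputs: one legitimate locale and the traversal shape the
  // report describes, with a trailing embedded NUL (20 bytes in total).
  const std::string good = "en-US";
  const std::string bad("../../../etc/passwd\0", 20);
  std::cout << good << " -> "
            << DictionaryPathForLocale("/dicts", good).value_or("rejected")
            << '\n';
  std::cout << "traversal string -> "
            << DictionaryPathForLocale("/dicts", bad).value_or("rejected")
            << '\n';
  return 0;
}
```

The point of comparing whole strings against a closed list, rather than stripping "../" or checking for NUL individually, is that the browser never has to reason about what the renderer meant: anything not on the list is dropped, which is the only sound posture when the sender is assumed to be compromised.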
Labels: -Restrict-View-SecurityTeam -Merge-Requested Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
Cool. I'll do the merge for M24 patch 1.

Thanks for an awesome fast response.
Project Member Comment 7 by bugdroid1@chromium.org, Jan 2 2013
Labels: -Merge-Approved merge-merged-1312
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174841

------------------------------------------------------------------------
r174841 | cevans@chromium.org | 2013-01-02T20:54:07.136679Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/chrome/common/spellcheck_common.cc?r1=174841&r2=174840&pathrev=174841
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/content/browser/hyphenator/hyphenator_message_filter.cc?r1=174841&r2=174840&pathrev=174841

Merge 174304
> [Spellcheck, Security] Filter against invalid locales.
> 
> Prevents passing up of garbage strings from renderer (and thus, prevents opening of arbitrary files)
> 
> BUG= 167122 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/11618046

TBR=groby@chromium.org
Review URL: https://codereview.chromium.org/11742008
------------------------------------------------------------------------
Labels: Release-0
Project Member Comment 9 by bugdroid1@chromium.org, Jan 2 2013
Labels: merge-merged-1364
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174842

------------------------------------------------------------------------
r174842 | cevans@chromium.org | 2013-01-02T20:57:59.631803Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/content/browser/hyphenator/hyphenator_message_filter.cc?r1=174842&r2=174841&pathrev=174842
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/chrome/common/spellcheck_common.cc?r1=174842&r2=174841&pathrev=174842

Merge 174304
> [Spellcheck, Security] Filter against invalid locales.
> 
> Prevents passing up of garbage strings from renderer (and thus, prevents opening of arbitrary files)
> 
> BUG= 167122 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/11618046

TBR=groby@chromium.org
Review URL: https://codereview.chromium.org/11748005
------------------------------------------------------------------------
Labels: CVE-2012-5148
Project Member Comment 11 by bugdroid1@chromium.org, Jan 9 2013
Project Member Comment 12 by bugdroid1@chromium.org, Jan 29 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=179458

------------------------------------------------------------------------
r179458 | cevans@chromium.org | 2013-01-29T23:14:53.771939Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file.h?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file_posix.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/chrome/test/base/v8_unit_test.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/skia/ext/vector_canvas_unittest.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util.h?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file_win.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file.cc?r1=179458&r2=179457&pathrev=179458

Merge 175642 (also includes 175980)
> Don't allow path traversal paths on the base file helpers
> 
> This forces explicit normalization of paths and make path escaping security bugs much harder to exploit. See for example  bug 167122 
> 
> BUG= 168890 
> TEST=included tests
> Review URL: https://codereview.chromium.org/11782005

TBR=cpu@chromium.org
Review URL: https://codereview.chromium.org/12095045
------------------------------------------------------------------------
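The merged change r175642 is described as making the base file helpers refuse traversal paths so that callers must normalise explicitly. As an added, self-contained illustration (my own code, not Chromium's base::FilePath or file_util implementation), this is what such a component-level check looks like: every path component is inspected for a parent reference, and the check is extended to reject an embedded NUL byte, the other ingredient of the original report. Function names and the POSIX-only separator handling are assumptions for the example.

```cpp
// Added example, not Chromium's base::FilePath code: reject parent-directory
// references before a path reaches any file helper, the defense-in-depth
// layer that r175642 adds underneath the locale allowlist.
#include <iostream>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Split a POSIX-style path on '/'. Empty pieces from leading, trailing or
// doubled separators are dropped. Treating only '/' as a separator is a
// simplification for this example; a Windows build would also split on '\\'.
std::vector<std::string_view> SplitPathComponents(std::string_view path) {
  std::vector<std::string_view> parts;
  size_t start = 0;
  while (start <= path.size()) {
    size_t sep = path.find('/', start);
    if (sep == std::string_view::npos)
      sep = path.size();
    if (sep > start)
      parts.push_back(path.substr(start, sep - start));
    start = sep + 1;
  }
  return parts;
}

// True when any component is exactly "..", wherever it sits ("../x",
// "a/../b", "x/.."), or when the string embeds a NUL byte, which a C file
// API would silently treat as the end of the name. "a..b" is a legitimate
// file name and is not flagged.
bool ReferencesParent(const std::string& path) {
  if (path.find('\0') != std::string::npos)
    return true;
  for (std::string_view component : SplitPathComponents(path)) {
    if (component == "..")
      return true;
  }
  return false;
}

// Join a trusted directory with an untrusted relative name only when the
// name cannot escape it: empty and absolute names and parent references are
// refused, which is what forcing callers to normalise explicitly amounts to.
std::optional<std::string> SafeJoin(const std::string& base_dir,
                                    const std::string& relative) {
  if (relative.empty() || relative.front() == '/' || ReferencesParent(relative))
    return std::nullopt;
  return base_dir + "/" + relative;
}

int main() {
  // Constructed inputs: a plain dictionary name, the traversal shape from the
  // report, and an absolute path.
  const char* const names[] = {"hyph_en_US.dic", "../../../etc/passwd",
                               "/etc/passwd"};
  for (const char* name : names) {
    std::cout << name << " -> " << SafeJoin("/dicts", name).value_or("rejected")
              << '\n';
  }
  return 0;
}
```

Checking components rather than searching the raw string for "../" is what keeps the check both complete (a trailing "/.." with no slash after it is still caught) and free of false positives on names that merely contain consecutive dots.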
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -Feature-Spellcheck -mstone-24 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Medium Security-Impact-Beta Security-Severity-Medium Cr-Internals M-24 Security-Impact-Stable Cr-UI-Browser-Spellcheck Type-Bug-Security
Labels: -Restrict-View-SecurityNotify
Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 18 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 19 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 20 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck