
Issue 167122

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




HyphenatorHostMsg_OpenDictionary IPC allows arbitrary file reads from a compromised renderer

Project Member Reported by jsc...@chromium.org, Dec 20 2012

Issue description

The locale string contains arbitrary characters including path traversals and NULs. So, a string like "../../../etc/passwd\x00" would traverse out of the intended directory and send the compromised renderer a handle to the passwd file.

This security regression was introduced here:
http://src.chromium.org/viewvc/chrome?view=rev&revision=154663


Comment 1 by odean@chromium.org, Dec 20 2012

Cc: hbono@chromium.org
Owner: groby@chromium.org
Passing to groby@ as I believe hbono@ has other projects these days. If this is best owned by you, Hironori, feel free to reclaim.

T

Comment 2 by tony@chromium.org, Dec 20 2012

We could whitelist the locale value.  E.g., we could maybe run |locale| through base::i18n::GetCanonicalLocale.  I'm not sure what happens if we pass in something that's complete nonsense into GetCanonicalLocale.

Comment 3 by groby@chromium.org, Dec 20 2012

Status: Started
Working on validating the locale browser side. (We've already got a list of accepted dictionary locales)
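The two shapes discussed in the report and in comments 2 and 3, as an added C++ example that is not Chromium's code: a constructed renderer-supplied locale is spliced straight into a dictionary path (the vulnerable shape), then the same input is checked against a browser-side allowlist of dictionary locales before any path is built. The allowlist values, directory name and file-naming scheme are assumptions for illustration. A second check for ".." components is included in the spirit of the later base helper change described in comment 12.

```cpp
#include <algorithm>
#include <array>
#include <iostream>
#include <string>
#include <string_view>

// Constructed allowlist of dictionary locales for illustration; it is not
// Chromium's real list of accepted hyphenation dictionaries.
constexpr std::array<std::string_view, 6> kAcceptedLocales = {
    "en-US", "en-GB", "de-DE", "fr-FR", "es-ES", "pt-BR"};

// Vulnerable shape (illustrative, assumed file layout): the renderer-supplied
// locale is spliced straight into the path of the dictionary file to open.
std::string UnsafeDictionaryPath(std::string_view dictionary_dir,
                                 std::string_view locale) {
  return std::string(dictionary_dir) + "/" + std::string(locale) + ".dic";
}

// What a C-style open() call sees: the bytes up to the first NUL. An embedded
// NUL in the locale therefore also strips the ".dic" suffix appended above.
std::string AsSeenByOpen(const std::string& path) {
  return std::string(path.c_str());
}

// Browser-side allowlist check. Comparing std::string_view objects compares
// the full length, so "en-US\0" (6 bytes) does not match "en-US" (5 bytes).
bool IsAcceptedLocale(std::string_view locale) {
  return std::find(kAcceptedLocales.begin(), kAcceptedLocales.end(), locale) !=
         kAcceptedLocales.end();
}

// Defence in depth: reject any path that contains a ".." component instead of
// relying on the allowlist alone. Splits on both '/' and '\\'.
bool ReferencesParent(std::string_view path) {
  size_t start = 0;
  while (start <= path.size()) {
    size_t end = path.find_first_of("/\\", start);
    if (end == std::string_view::npos) end = path.size();
    if (path.substr(start, end - start) == "..") return true;
    start = end + 1;
  }
  return false;
}

// Hardened shape: an empty result means "no dictionary for this locale" and
// no file handle is sent back to the renderer.
std::string SafeDictionaryPath(std::string_view dictionary_dir,
                               std::string_view locale) {
  if (!IsAcceptedLocale(locale)) return "";
  std::string path = UnsafeDictionaryPath(dictionary_dir, locale);
  if (ReferencesParent(path)) return "";
  return path;
}

int main() {
  // Constructed renderer input mirroring the report: traversal plus a NUL.
  const std::string payload("../../../etc/passwd\0", 20);
  std::cout << "unsafe: "
            << AsSeenByOpen(UnsafeDictionaryPath("/opt/dict", payload)) << "\n";
  std::cout << "safe:   [" << SafeDictionaryPath("/opt/dict", payload) << "]\n";
  std::cout << "en-US:  " << SafeDictionaryPath("/opt/dict", "en-US") << "\n";
  return 0;
}
```

The point of comparing as length-aware string views rather than C strings is visible in the NUL case: the allowlist comparison sees all 20 bytes and rejects the input, whereas the path that reaches open() has silently lost its suffix.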

Comment 4 by groby@chromium.org, Dec 21 2012

Labels: Merge-Requested
Fixed in ToT. 

Project Member Comment 5 by bugdroid1@chromium.org, Dec 21 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174304

------------------------------------------------------------------------
r174304 | groby@chromium.org | 2012-12-21T01:17:59.824121Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/hyphenator/hyphenator_message_filter.cc?r1=174304&r2=174303&pathrev=174304
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/spellcheck_common.cc?r1=174304&r2=174303&pathrev=174304

[Spellcheck, Security] Filter against invalid locales.

Prevents passing up of garbage strings from renderer (and thus, prevents opening of arbitrary files)

BUG= 167122 


Review URL: https://chromiumcodereview.appspot.com/11618046
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam -Merge-Requested Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
Cool. I'll do the merge for M24 patch 1.

Thanks for an awesome fast response.

Project Member Comment 7 by bugdroid1@chromium.org, Jan 2 2013

Labels: -Merge-Approved merge-merged-1312
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174841

------------------------------------------------------------------------
r174841 | cevans@chromium.org | 2013-01-02T20:54:07.136679Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/chrome/common/spellcheck_common.cc?r1=174841&r2=174840&pathrev=174841
   M http://src.chromium.org/viewvc/chrome/branches/1312/src/content/browser/hyphenator/hyphenator_message_filter.cc?r1=174841&r2=174840&pathrev=174841

Merge 174304
> [Spellcheck, Security] Filter against invalid locales.
> 
> Prevents passing up of garbage strings from renderer (and thus, prevents opening of arbitrary files)
> 
> BUG= 167122 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/11618046

TBR=groby@chromium.org
Review URL: https://codereview.chromium.org/11742008
------------------------------------------------------------------------
Labels: Release-0

Project Member Comment 9 by bugdroid1@chromium.org, Jan 2 2013

Labels: merge-merged-1364
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=174842

------------------------------------------------------------------------
r174842 | cevans@chromium.org | 2013-01-02T20:57:59.631803Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/content/browser/hyphenator/hyphenator_message_filter.cc?r1=174842&r2=174841&pathrev=174842
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/chrome/common/spellcheck_common.cc?r1=174842&r2=174841&pathrev=174842

Merge 174304
> [Spellcheck, Security] Filter against invalid locales.
> 
> Prevents passing up of garbage strings from renderer (and thus, prevents opening of arbitrary files)
> 
> BUG= 167122 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/11618046

TBR=groby@chromium.org
Review URL: https://codereview.chromium.org/11748005
------------------------------------------------------------------------
Labels: CVE-2012-5148

Project Member Comment 11 by bugdroid1@chromium.org, Jan 9 2013


Project Member Comment 12 by bugdroid1@chromium.org, Jan 29 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=179458

------------------------------------------------------------------------
r179458 | cevans@chromium.org | 2013-01-29T23:14:53.771939Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file.h?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file_posix.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/chrome/test/base/v8_unit_test.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/skia/ext/vector_canvas_unittest.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util.h?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file_win.cc?r1=179458&r2=179457&pathrev=179458
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/platform_file.cc?r1=179458&r2=179457&pathrev=179458

Merge 175642 (also includes 175980)
> Don't allow path traversal paths on the base file helpers
> 
> This forces explicit normalization of paths and make path escaping security bugs much harder to exploit. See for example  bug 167122 
> 
> BUG= 168890 
> TEST=included tests
> Review URL: https://codereview.chromium.org/11782005

TBR=cpu@chromium.org
Review URL: https://codereview.chromium.org/12095045
------------------------------------------------------------------------

Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -Feature-Spellcheck -mstone-24 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Medium Security-Impact-Beta Security-Severity-Medium Cr-Internals M-24 Security-Impact-Stable Cr-UI-Browser-Spellcheck Type-Bug-Security
Labels: -Restrict-View-SecurityNotify

Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Project Member Comment 18 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Project Member Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck
Labels: CVE_description-submitted
