Status: Fixed
Closed: Oct 2014
OS: All
Pri: 1
Type: Bug-Security
UNKNOWN in NetworkASync::QueueDeletion
Project Member Reported by ClusterFuzz, Jan 23 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5092928267485184

Fuzzer: Fermin_swf_bitflip
Job Type: Linux_asan_chrome_media

Crash Type: UNKNOWN
Crash Address: 0x005000000058
Crash State:
  - crash stack -
  NetworkASync::QueueDeletion
  URLStream::StreamDestroy
  PepperURLStreamProvider::PepperDidFinish
  

Minimized Testcase (58.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9706zHH0CZyUutkukG08ZfAyjG3yd_gOoc-iJm7GmuWqwug93ppzJbGRfI1wi3Fn2ZmqAZRC04tmdOloZVJJmBhJyAnwGvp29teG6TogagWZEGMIp0N-9vM5l8vWFA8Khz0WcJIaJ6c8M4NSCGfAwrgh2yRD8g-YsC25OJTiwEmFyWnjH4
 
Cc: jsc...@chromium.org fjserna@google.com
Owner: viettrungluu@chromium.org
Status: Assigned
Trung, can you please take a look or help to find an owner for this Pepper bug?
Project Member Comment 2 by ClusterFuzz, Jan 23 2014
Labels: Pri-1
Project Member Comment 3 by ClusterFuzz, Jan 25 2014
ClusterFuzz has detected this issue as fixed in latest custom build.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5092928267485184

Fuzzer: Fermin_swf_bitflip
Job Type: Linux_asan_chrome_media

Crash Type: UNKNOWN
Crash Address: 0x005000000058
Crash State:
  - crash stack -
  NetworkASync::QueueDeletion
  URLStream::StreamDestroy
  PepperURLStreamProvider::PepperDidFinish
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9706zHH0CZyUutkukG08ZfAyjG3yd_gOoc-iJm7GmuWqwug93ppzJbGRfI1wi3Fn2ZmqAZRC04tmdOloZVJJmBhJyAnwGvp29teG6TogagWZEGMIp0N-9vM5l8vWFA8Khz0WcJIaJ6c8M4NSCGfAwrgh2yRD8g-YsC25OJTiwEmFyWnjH4

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Project Member Comment 4 by ClusterFuzz, Jan 28 2014
Labels: Missing_Impact-2
Comment 5 by cdn@chromium.org, Jan 28 2014
Trung, ping. Did you get a chance to take a look at this?
Comment 6 by jsc...@chromium.org, Jan 28 2014
Cc: viettrungluu@chromium.org teravest@chromium.org
Owner: yzshen@chromium.org
Trung hasn't worked on Pepper for a while. You're better off CC'ing some of the current Pepper devs.

@yzshen - Could you please find an owner for this bug?
Comment 7 by yzshen@chromium.org, Jan 28 2014
Hi, Justin.

Is it okay to forward this kind of security bugs to Adobe people?
Now that the crash occurs in Flash source code, I think it may be easier for Adobe people to figure it out.

Thanks!
Yes it is ok to do that. Also, feel free to cc them here.
Comment 9 by yzshen@chromium.org, Jan 28 2014
Cc: xzh...@adobe.com smori...@adobe.com jecl...@adobe.com yzshen@chromium.org
Owner: jecl...@adobe.com
Status: ExternalDependency
Hi, Jeromie.

Would you please find an OWNER to take a look? Thanks!
Comment 10 by jecl...@adobe.com, Jan 28 2014
No problem, thanks for the report.  

For future reference, this looks like a great CC list on the Adobe side for ClusterFuzz issues.  If you could add Vincent Lee <vilee@adobe.com> as well, that would be ideal. 

This is Adobe 3700333.  We'll get it triaged and assigned.  Please let me know if you have questions or concerns.

Thanks!
Cc: vi...@adobe.com
Project Member Comment 12 by ClusterFuzz, Jan 29 2014
Labels: -Missing_Impact-2 Missing_Impact-3
Project Member Comment 13 by ClusterFuzz, Jan 31 2014
Labels: -Missing_Impact-3 Missing_Impact-4
Project Member Comment 14 by ClusterFuzz, Feb 3 2014
Labels: -Missing_Impact-4 Missing_Impact-5
Project Member Comment 15 by ClusterFuzz, Feb 4 2014
Labels: -Missing_Impact-5 Missing_Impact-6
Labels: -Missing_Impact-6 Security_Impact-Stable Security_Impact-Beta
Any update on the fix for this issue?
Project Member Comment 17 by ClusterFuzz, Feb 4 2014
Labels: M-32
Adobe guys, any update on the fix?
Project Member Comment 19 by ClusterFuzz, Feb 17 2014
Labels: -M-32 M-33
Adobe guys, please respond here with the bug status update.
Comment 21 by jecl...@adobe.com, Feb 21 2014
The issue is assigned and we've done an initial assessment.  It looks like a pretty straightforward fix, but we've been slammed between build system hardening and back-to-back 0-days over the last couple weeks.  We're in the endgame for the King release, which lands 3/11.  This fix is targeted to the next available release vehicle, which is the King+1 release, currently scheduled to land on 3/31.
Project Member Comment 22 by ClusterFuzz, Mar 31 2014
Labels: -M-33 M-34
jeclark/adobe: Any updates on this? Did the fix land as scheduled on 3/31? (see comment #21)
Comment 24 by jecl...@adobe.com, Apr 8 2014
This issue is assigned and has been investigated.  A fix is currently targeted to King+1, but the target date is now mid-May due to a schedule change in the King release.
So what has happened here? Has the fix landed and merged and we are waiting for release in mid-May? Or is it still under investigation?
Comment 26 by jecl...@adobe.com, Apr 9 2014
We have not fixed the issue yet.  The current target is for the mid-may release.
Is this going as planned? Is the fix already in and coming in the mid-May release?
Comment 28 by jecl...@adobe.com, May 8 2014
This issue has not been resolved and is now targeted to the Lombard release in June.  If this is not acceptable, I would encourage you to escalate through your management channels.
Project Member Comment 29 by ClusterFuzz, May 13 2014
Labels: -M-34 M-35
Labels: -M-35 M-36
So, if the fix gets out in June, this will actually be fixed in M36 at the earliest, possibly more like M37. Right?
Did this get released?
Comment 32 by jecl...@adobe.com, Jul 8 2014
No, it was investigated and we understand the root-cause, but the fix is high-risk.  It is currently slated for our Market release (September), but I'm pushing to get it shipped in the next patch.
Labels: Cr-Internals-Plugins-Flash
Labels: -Security_Impact-Beta
Bulk update
@jeclark, this fix made it into Market right?  If so, can we close this?
Comment 37 by jecl...@adobe.com, Oct 21 2014
Yep, this fix has shipped and can be closed.
Status: Fixed
Project Member Comment 39 by ClusterFuzz, Oct 22 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Merge-NA
Labels: Release-0-M39
Project Member Comment 42 by ClusterFuzz, Jan 28 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 43 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 44 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic