
Issue metadata

Status: Fixed
Owner: ----
Closed: Nov 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security
M-9

Crash loading invalid crx extension file

Reported by briankir...@gmail.com, Nov 11 2010

Issue description


VULNERABILITY DETAILS
There is a browser crash when loading a corrupt extension file

VERSION
Chrome Version: 7.0.517.44 stable
Operating System: Windows

REPRODUCTION CASE
1. Open the attached crx file
2. Click "continue" when prompted
3. The browser crashes

crash.crx
178 bytes

Comment 1 by jsc...@chromium.org, Nov 11 2010

Labels: -Pri-0 -Area-Undefined Pri-2 Area-Internals SecSeverity-Low Feature-Extensions Mstone-9
Status: Available
We're bombing out on a zero-length allocation in SandboxedExtensionUnpacker::ValidateSignature due to an empty signature. It's a really easy fix; we just need to add the following to the header validation checks we're already doing:

  if (header.signature_size == 0) {
    ReportFailure("Key length is zero");
    return false;
  }

I can make the change when I get some free time today. I'll keep it as low severity for now, but we might just drop the security flags entirely since it's just a DoS, and it requires accepting the extension installation prompt.

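An added example (not Chromium's code, and not from this bug thread) showing the shape of the header validation Comment 1 describes: every length field is bounds-checked, including the empty-signature case the fix adds, before anything is allocated. It assumes the CRX2 layout ("Cr24" magic, version, key length, signature length as little-endian uint32s); the size limits are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Assumed CRX2 layout (not taken from the bug page): "Cr24" magic, then
// version, public-key length and signature length as little-endian uint32s,
// followed by the key bytes, the signature bytes and the zip payload.
static const size_t kHeaderSize = 16;
// Constructed upper bounds for this example, not Chromium's real constants.
static const uint32_t kMaxKeySize = 16 * 1024;
static const uint32_t kMaxSignatureSize = 16 * 1024;

static uint32_t ReadLE32(const std::vector<uint8_t>& f, size_t off) {
  return uint32_t(f[off]) | (uint32_t(f[off + 1]) << 8) |
         (uint32_t(f[off + 2]) << 16) | (uint32_t(f[off + 3]) << 24);
}

// Returns an empty string when the header is acceptable, else the reason it
// was rejected. Every length is validated before anything is allocated.
std::string ValidateCrxHeader(const std::vector<uint8_t>& file) {
  if (file.size() < kHeaderSize) return "Header too short";
  if (std::memcmp(file.data(), "Cr24", 4) != 0) return "Bad magic number";
  if (ReadLE32(file, 4) != 2) return "Unsupported version";
  uint32_t key_size = ReadLE32(file, 8);
  uint32_t signature_size = ReadLE32(file, 12);
  if (key_size == 0) return "Key length is zero";
  if (key_size > kMaxKeySize) return "Key length exceeds maximum";
  // The check the fix in this bug adds: an empty signature is rejected here
  // rather than passed on to a zero-byte allocation that aborts the process.
  if (signature_size == 0) return "Signature length is zero";
  if (signature_size > kMaxSignatureSize) return "Signature length exceeds maximum";
  // Widen before adding so oversized fields cannot wrap the bounds check.
  uint64_t needed = uint64_t(kHeaderSize) + key_size + signature_size;
  if (needed > file.size()) return "Truncated key or signature";
  return "";
}

// Builds a constructed sample file: a CRX2 header claiming the given key and
// signature lengths, followed by that many filler bytes.
std::vector<uint8_t> MakeCrx(uint32_t key_size, uint32_t signature_size) {
  std::vector<uint8_t> f = {'C', 'r', '2', '4', 2, 0, 0, 0};
  for (uint32_t v : {key_size, signature_size})
    for (int i = 0; i < 4; ++i) f.push_back(uint8_t((v >> (8 * i)) & 0xff));
  f.resize(f.size() + key_size + signature_size, 0xAA);
  return f;
}
```
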
Comment 2 by jsc...@chromium.org, Nov 11 2010

Comment 3 by jsc...@chromium.org, Nov 11 2010

Status: FixUnreleased
Committed revision 65821.

Comment 4 by bugdro...@gmail.com, Nov 11 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=65821

------------------------------------------------------------------------
r65821 | jschuh@google.com | Thu Nov 11 10:43:01 PST 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/sandboxed_extension_unpacker.cc?r1=65821&r2=65820&pathrev=65821

SandboxedExtensionUnpacker::ValidateSignature should check for an empty signature

Without an explicit check we crash on a hard int3 when trying to allocate 0 bytes.

BUG= 62791 
TEST=None.
Review URL: http://codereview.chromium.org/4723007
------------------------------------------------------------------------
@briankircho: we can credit you in our release notes with your real name, if you like?
Sure, you can use Brian Kirchoff for that

Comment 7 by jsc...@chromium.org, Feb 16 2011

Labels: -Restrict-View-SecurityTeam
Status: Fixed

Comment 8 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.

Comment 10 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 11 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -SecSeverity-Low -Feature-Extensions -Mstone-9 -Type-Security -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable Cr-Platform-Extensions Cr-Internals M-9 Type-Bug-Security

Comment 12 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 13 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 14 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Labels: hasTestcase

Comment 16 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify

Comment 18 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic