Regression: heap-buffer-overflow in url::Parsed::Parsed
Reported by
chromium...@gmail.com,
Nov 3 2016
Issue description

VERSION
Chrome Version: 56.0.2907.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to chrome://md-settings
2. Scroll down to "On startup" and select "Open a Specific page or set of pages"
3. Add two new site URLs then try to edit the second added site URL
4. Open chrome://md-settings on a new tab and Scroll down to "On startup"
5. Try to remove the second added site URL and switch the first tab (chrome://md-settings) and click on edit.

Note: I don't know why I cannot get the asan trace symbolized on Windows.
Nov 3 2016
Does it also happen on the old Options page (I think you can still get to it on canary at chrome://settings-frame)?
Nov 4 2016
No I don't see any crash on the old options page (chrome://settings).
Nov 4 2016
Nov 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 4 2016
Nov 4 2016
Given that MD Settings has not shipped (not even to Dev), should this be a RB for beta?
Nov 4 2016
FYI, candidate fix is at https://codereview.chromium.org/2477693005.
Nov 8 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/05f574e9836e8345bbb59f9b828bf2d773331f82

commit 05f574e9836e8345bbb59f9b828bf2d773331f82
Author: dpapad <dpapad@chromium.org>
Date: Tue Nov 08 01:08:52 2016

MD Settings: Close edit startup URL dialog, if underlying URL list changes.

BUG= 661867
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation
Review-Url: https://codereview.chromium.org/2477693005
Cr-Commit-Position: refs/heads/master@{#430455}

[modify] https://crrev.com/05f574e9836e8345bbb59f9b828bf2d773331f82/chrome/browser/resources/settings/on_startup_page/startup_urls_page.html
[modify] https://crrev.com/05f574e9836e8345bbb59f9b828bf2d773331f82/chrome/browser/resources/settings/on_startup_page/startup_urls_page.js
[modify] https://crrev.com/05f574e9836e8345bbb59f9b828bf2d773331f82/chrome/test/data/webui/settings/startup_urls_page_test.js
[modify] https://crrev.com/05f574e9836e8345bbb59f9b828bf2d773331f82/ui/webui/resources/cr_elements/cr_scrollable_behavior.js
Nov 8 2016
Nov 8 2016
Nov 14 2016
Nov 18 2016
Changing to type Bug as the panel didn't think this was exploitable
Feb 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Nov 3 2016
Components: UI>Settings
Labels: Security_Severity-Medium Security_Impact-Head OS-Mac OS-Windows Pri-1
Owner: dpa...@chromium.org
Status: Assigned (was: Unconfirmed)