New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 826019 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security
Team-Security-UX



Sign in to add a comment

Security: IDN URL Spoofing with using U+0525

Reported by chromium...@gmail.com, Mar 26 2018

Issue description

VERSION
Chrome Version: 67.0.3379.0
Operating System: Mac

REPRODUCTION CASE

U+0525 (ԥ) was missed in  bug 813814 .

http://xn--e1ajo5gd53eyktj.com/ => https://ӏіпкеԁіԥ.com
 
Screen Shot 2018-03-26 at 22.29.04.png
30.6 KB View Download
Cc: js...@chromium.org mgiuca@chromium.org
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: Security_Severity-Medium Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)

Comment 2 by cthomp@chromium.org, Mar 26 2018

Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Assigning to jshin since this seems to follow directly on the CL from the linked bug.
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 27 2018

Labels: M-66
Project Member

Comment 4 by sheriffbot@chromium.org, Mar 27 2018

Labels: Pri-1

Comment 5 by js...@chromium.org, Apr 3 2018

Cc: -js...@chromium.org markda...@google.com sffc@google.com bstell@google.com
While going through the set  ( https://goo.gl/bcjPQu ) in  bug 793628 , I missed it because U+0525 (ԥ )in that chart does not look much like 'n'. 

Given that  U+043F (п) is considered similar to 'n',  U+0525 should be as well. 



Comment 6 by js...@chromium.org, Apr 3 2018

Going farther ....    These seem to be stretches... 
ԉ 	U+0509	
ԓ 	U+0513
ԡ 	U+0521	

Project Member

Comment 7 by sheriffbot@chromium.org, Apr 18 2018

jshin: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by sheriffbot@chromium.org, May 3 2018

jshin: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by js...@chromium.org, May 11 2018

Labels: -M-66 M-67

Comment 10 by js...@chromium.org, May 14 2018

Status: Started (was: Assigned)
https://chromium-review.googlesource.com/c/chromium/src/+/1055894
Project Member

Comment 11 by bugdroid1@chromium.org, May 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f8bc31acf099873ebc623e92908477f2e99c17f6

commit f8bc31acf099873ebc623e92908477f2e99c17f6
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed May 16 02:11:14 2018

Add a few more confusability mapping entries

U+0153(œ) => ce
U+00E6(æ), U+04D5 (ӕ) => ae
U+0499(ҙ) => 3
U+0525(ԥ) => n

Bug:  835554 ,  826019 ,  836885 
Test: components_unittests --gtest_filter=*IDN*
Change-Id: Ic89211f70359d3d67cc25c1805b426b72cdb16ae
Reviewed-on: https://chromium-review.googlesource.com/1055894
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558928}
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/f8bc31acf099873ebc623e92908477f2e99c17f6/components/url_formatter/url_formatter_unittest.cc

Comment 12 by js...@chromium.org, May 17 2018

Status: Fixed (was: Started)
Project Member

Comment 13 by sheriffbot@chromium.org, May 18 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -M-67 M-68
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this one.
Project Member

Comment 17 by sheriffbot@chromium.org, Jun 8

Labels: Merge-Request-68
Project Member

Comment 18 by sheriffbot@chromium.org, Jun 8

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-68
Labels: Release-0-M68
Project Member

Comment 21 by sheriffbot@chromium.org, Aug 24

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE-2018-6175 CVE_description-missing
Labels: idn-spoof

Sign in to add a comment