Bugtraq mailing list archives
Uninit memory disclosure via truncated images in Firefox
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 4 Sep 2014 12:47:00 -0700
Yello, The recent release of Firefox 32 fixes another interesting image parsing issue found by afl [1]: following a refactoring of memory management code, the past few versions of the browser ended up using uninitialized memory for certain types of truncated images, which is easily measurable with a simple <canvas> + toDataURL() harness that examines all the fuzzer-generated test cases. Depending on a variety of factors, problems like that may leak secrets across web origins, or more prosaically, may help attackers bypass security measures such as ASLR. Here's a short proof-of-concept that should work if you haven't updated to 32 yet: http://lcamtuf.coredump.cx/ffgif/ This is tracked as CVE-2014-1564, Mozilla bug 1045977, MFSA 2014-69. [1] http://code.google.com/p/american-fuzzy-lop/ PS. Mildly interesting: http://www.chromium.org/Home/chromium-security/client-identification-mechanisms
Current thread:
- Uninit memory disclosure via truncated images in Firefox Michal Zalewski (Sep 08)