lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALx_OUB4m29ut-O21uXLX-YWBx6Qn4uHxPM6bgt-ONUOwoKUbA@mail.gmail.com>
Date: Thu, 4 Sep 2014 12:47:00 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: Uninit memory disclosure via truncated images in Firefox

Yello,

The recent release of Firefox 32 fixes another interesting image
parsing issue found by afl [1]: following a refactoring of memory
management code, the past few versions of the browser ended up using
uninitialized memory for certain types of truncated images, which is
easily measurable with a simple <canvas> + toDataURL() harness that
examines all the fuzzer-generated test cases.

Depending on a variety of factors, problems like that may leak secrets
across web origins, or more prosaically, may help attackers bypass
security measures such as ASLR. Here's a short proof-of-concept that
should work if you haven't updated to 32 yet:

http://lcamtuf.coredump.cx/ffgif/

This is tracked as CVE-2014-1564, Mozilla bug 1045977, MFSA 2014-69.

[1] http://code.google.com/p/american-fuzzy-lop/

PS. Mildly interesting:
http://www.chromium.org/Home/chromium-security/client-identification-mechanisms

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ