Control: found 510589 17.0.2-1

On Sat 2013-01-19 11:16:14 -0800, Daniel Kahn Gillmor wrote:

> I've rebuilt nspr 2:4.9.4-2 with this option and installed it; i'm also
> running icedove under gdb.  I'll report if i get anything to replicate.

I just got another crash with icedove 17.0.2-1, but i've been running
nspr 2:4.9.5-1 (which i hadn't managed to rebuild with
DEB_BUILD_OPTIONS=debug yet), so i don't have any specific assert()
output to share yet.  I'm re-building 4.9.5 right now to enable
debugging in it in case i can trigger it again.

Mike, do you think this bug report should be shifted to nspr from
icedove?  i'm not sure how to best track this behavior down.  it seems
like a racy sort of thing, and i'm just hitting it randomly by virtue of
processing so much mail.

this is frustrating because it makes it rather difficult to reproduce
reliably :(

here is the console output and gdb backtrace:

2013-02-25 13:46:40.217 [DEBUG] enigmailMessengerOverlay.js: messageFrameUnload
2013-02-25 13:46:40.217 [DEBUG] enigmailMsgHdrViewOverlay.js: this.messageUnload
2013-02-25 13:46:40.219 [DEBUG] enigmailMsgHdrViewOverlay.js: _listener_onStartHeaders
2013-02-25 13:46:40.219 [DEBUG] enigmailMessengerOverlay.js: setAttachmentReveal
2013-02-25 13:46:40.220 [DEBUG] enigmailCommon.jsm: getFrame: name=messagepane
2013-02-25 13:46:40.220 [DEBUG] enigmailMsgHdrViewOverlay.js: msgFrame=[object Window]
2013-02-25 13:46:40.221 [DEBUG] enigmailMsgHdrViewOverlay.js: enigmailPrepSecurityInfo
2013-02-25 13:46:40.259 [DEBUG] enigmailMsgHdrViewOverlay.js: _listener_onEndHeaders
2013-02-25 13:46:40.259 [DEBUG] enigmailMessengerOverlay.js: setAttachmentReveal
2013-02-25 13:46:40.284 [DEBUG] enigmailMessengerOverlay.js: messageDecrypt: [object Event]
2013-02-25 13:46:40.296 [DEBUG] enigmailCommon.jsm: dispatchEvent f=
2013-02-25 13:46:40.297 [DEBUG] enigmailCommon.jsm: dispatchEvent running mainEvent
2013-02-25 13:46:40.297 [DEBUG] enigmailMessengerOverlay.js: messageDecryptCb:
2013-02-25 13:46:40.297 [DEBUG] enigmailMessengerOverlay.js: header content-type: text/plain; charset=ISO-8859-1
2013-02-25 13:46:40.297 [DEBUG] enigmailMessengerOverlay.js: header content-transfer-encoding: 7bit
2013-02-25 13:46:40.297 [DEBUG] enigmailMessengerOverlay.js: header x-enigmail-version: 1.5
2013-02-25 13:46:40.297 [DEBUG] enigmailMessengerOverlay.js: header x-pgp-encoding-format:
2013-02-25 13:46:40.297 [DEBUG] enumerateMimeParts:  - text/plain; charset=ISO-8859-1
2013-02-25 13:46:40.297 [DEBUG] enumerateMimeParts: 1 - text/plain; charset=ISO-8859-1
2013-02-25 13:46:40.297 [DEBUG] enigmailMessengerOverlay.js: embedded objects:  /
2013-02-25 13:46:40.298 [DEBUG] enigmailMessengerOverlay.js: messageParse: false
2013-02-25 13:46:40.298 [DEBUG] enigmailCommon.jsm: getFrame: name=messagepane
2013-02-25 13:46:40.298 [DEBUG] enigmailMessengerOverlay.js: msgFrame=[object Window]
2013-02-25 13:46:40.298 [DEBUG] enigmailMessengerOverlay.js: bodyElement=[object HTMLBodyElement]
2013-02-25 13:46:40.299 [DEBUG] enigmailMessengerOverlay.js: messageParseCallback: false, false, importOnly=false, charset=ISO-8859-1, msgUrl=imap://d...@che.mayfirst.org:143/fetch%3EUID%3E.INBOX%3E313891, retry=1, signature=''
2013-02-25 13:46:40.299 [DEBUG] enigmail.js: Enigmail.decryptMessage: 2040 bytes, 0
2013-02-25 13:46:40.299 [DEBUG] enigmail.js: Enigmail.decryptMessage: oldSignature=
2013-02-25 13:46:40.299 [DEBUG] enigmail.js: Enigmail.locateArmoredBlock: 0, ''
2013-02-25 13:46:40.299 [DEBUG] enigmail.js: Enigmail.locateArmoredBlock: blockType=SIGNED MESSAGE
2013-02-25 13:46:40.299 [DEBUG] enigmail.js: Enigmail.extractSignaturePart: part=3
2013-02-25 13:46:40.299 [DEBUG] enigmailCommon.jsm: decryptMessageStart: verifyOnly=true
2013-02-25 13:46:40.299 enigmailCommon.jsm: execStart: command = /usr/bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --decrypt, needPassphrase=false, domWindow=[object ChromeWindow], listener=[object Object]
2013-02-25 13:46:40.299 [CONSOLE] enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --decrypt
[New Thread 0x7fff8d8ff700 (LWP 32708)]
[New Thread 0x7fff8afff700 (LWP 32707)]
[New Thread 0x7fff895fe700 (LWP 32709)]
[New Thread 0x7fff8eaff700 (LWP 32710)]
[New Thread 0x7fff8a7fe700 (LWP 32712)]
[New Thread 0x7fff8fbff700 (LWP 32711)]
[Thread 0x7fff8eaff700 (LWP 32710) exited]
[Thread 0x7fff8afff700 (LWP 32707) exited]
2013-02-25 13:46:40.512 [DEBUG] enigmail.js: decryptMessage: got plaintext: 'On 02/24/2013 03:23 PM, Henri Salo wrote:
> Hello list,
>
> With wpscan-team I noticed that file jwplayer.swf in WordPress
> plugin smart-flv is vulnerable to reflected XSS vulnerability.
>
> URL: http://wordpress.org/extend/plugins/smart-flv/
> 416d0313c5f286c3a8e9daff520a9f44439b93f7
> http://plugins.svn.wordpress.org/smart-flv/trunk/jwplayer.swf
>
> With user interaction (clicking the page):
> https://example.com/wp-content/plugins/smart-flv/jwplayer.swf?file=1.mp4&link=javascript:alert%28%22horse%22%29&linktarget=_self&displayclick=link
>
> No interaction:
> https://example.com/wp-content/plugins/smart-flv/jwplayer.swf?playerready=alert%28%22horse%22%29
>
>  WordPress guys could you report this to the developer since I
> don't know his/her email address, thanks? Could you also tell me if
> there is a way to contact plugin developers directly, thank you.
> Please include CVE to changelog if possible.
>
> -- Henri Salo ps. http://paste.nerv.fi/36167527-horse.jpeg
>

Please use CVE-2013-1765 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

'
[Thread 0x7fff8a7fe700 (LWP 32712) exited]
2013-02-25 13:46:40.512 [DEBUG] enigmailCommon.jsm: decryptMessageEnd: uiFlags=0, verifyOnly=true, noOutput=false
2013-02-25 13:46:40.512 [DEBUG] enigmailCommon.jsm: decryptMessageEnd: stderrStr=[GNUPG:] PLAINTEXT 74 0
gpg: Signature made Mon 25 Feb 2013 01:24:11 PM PST
gpg:                using RSA key 0x160D45535E267993
[GNUPG:] SIG_ID M9+HI3+F9ZsQZZcEvsN2sIrcGes 2013-02-25 1361827451
[GNUPG:] GOODSIG 160D45535E267993 Kurt Seifried <kseifr...@redhat.com>
gpg: Good signature from "Kurt Seifried <kseifr...@redhat.com>" [unknown]
[GNUPG:] VALIDSIG A90BF9957350148F66BF7554160D45535E267993 2013-02-25 1361827451 0 4 0 1 2 01 A90BF9957350148F66BF7554160D45535E267993
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A90B F995 7350 148F 66BF  7554 160D 4553 5E26 7993

2013-02-25 13:46:40.514 enigmailCommon.jsm: parseErrorOutput:
[Thread 0x7fff8fbff700 (LWP 32711) exited]
[Thread 0x7fff895fe700 (LWP 32709) exited]
[Thread 0x7fff8d8ff700 (LWP 32708) exited]
2013-02-25 13:46:40.517 [DEBUG] enigmailCommon.jsm: parseErrorOutput: statusFlags = 00040001
2013-02-25 13:46:40.517 enigmail.js: Enigmail.execCmd: subprocess = '/usr/bin/gpg'
2013-02-25 13:46:40.517 [DEBUG] enigmail.js: WriteFileContents: file=/tmp/foo/eniginp.txt
2013-02-25 13:46:40.518 [ERROR] enigmail.js: CreateFileStream: Failed to create /tmp/foo/eniginp.txt
2013-02-25 13:46:40.518 [ERROR] enigmail.js: WriteFileContents: Failed to write to /tmp/foo/eniginp.txt
2013-02-25 13:46:40.518 [DEBUG] enigmail.js: WriteFileContents: file=/tmp/foo/enigcmd.txt
2013-02-25 13:46:40.518 [ERROR] enigmail.js: CreateFileStream: Failed to create /tmp/foo/enigcmd.txt
2013-02-25 13:46:40.518 [ERROR] enigmail.js: WriteFileContents: Failed to write to /tmp/foo/enigcmd.txt
2013-02-25 13:46:40.518 [DEBUG] enigmail.js: WriteFileContents: file=/tmp/foo/enigenv.txt
2013-02-25 13:46:40.518 [ERROR] enigmail.js: CreateFileStream: Failed to create /tmp/foo/enigenv.txt
2013-02-25 13:46:40.518 [ERROR] enigmail.js: WriteFileContents: Failed to write to /tmp/foo/enigenv.txt
2013-02-25 13:46:40.518 [DEBUG] enigmail.js: Enigmail.execCmd: copied command line/env/input to files /tmp/foo/enigcmd.txt/enigenv.txt/eniginp.txt
2013-02-25 13:46:40.518 [CONSOLE] enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --fixed-list-mode --with-colons --list-keys 160D45535E267993
[New Thread 0x7fff8d8ff700 (LWP 32715)]
[New Thread 0x7fff8fbff700 (LWP 32717)]
[New Thread 0x7fff895fe700 (LWP 32716)]
[New Thread 0x7fff8a7fe700 (LWP 32718)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff9ccfa700 (LWP 8763)]
pt_PostNotifyToCvar (cvar=0x0, broadcast=broadcast@entry=0) at ptsynch.c:280
280     ptsynch.c: No such file or directory.
(gdb) bt
#0  pt_PostNotifyToCvar (cvar=0x0, broadcast=broadcast@entry=0)
    at ptsynch.c:280
#1  0x00007ffff62fddbb in PR_NotifyCondVar (cvar=<optimized out>)
    at ptsynch.c:413
#2  0x00007ffff6305989 in ProcessReapedChildInternal (pid=pid@entry=32714, 
    status=<optimized out>) at uxproces.c:531
#3  0x00007ffff6305fa7 in WaitPidDaemonThread (unused=<optimized out>)
    at uxproces.c:658
#4  0x00007ffff63034b3 in _pt_root (arg=0x7fffddab3360) at ptthread.c:156
#5  0x00007ffff743ab50 in start_thread (arg=<optimized out>)
    at pthread_create.c:304
#6  0x00007ffff7184a7d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#7  0x0000000000000000 in ?? ()
(gdb)

and here is tmp/icedove-dbg.log (the NSPR_LOG_FILE):

-1741687040[7fff95b5d9d0]: 9a625800:che.mayfirst.org:S-INBOX:CreateNewLineFromSocket: 1886 OK Store completed.
-1741687040[7fff95b5d9d0]: nsSocketTransport::PostEvent [this=7fff9043e720 type=3 status=0 param=0]
-1741687040[7fff95b5d9d0]: STS dispatch [7fffb5f30f10]
-1741687040[7fff95b5d9d0]: Reset callbacks for secinfo=7fff9d5f2bf0 callbacks=0
-1800407296[7fffa3357150]:     ...returned after 1 milliseconds
-1800407296[7fffa3357150]: nsSocketTransport::OnSocketEvent [this=7fff9043e720 type=3 status=0 param=0]
-1800407296[7fffa3357150]:   MSG_TIMEOUT_CHANGED
-1800407296[7fffa3357150]: STS poll iter [1]
-1800407296[7fffa3357150]:   active [3] { handler=9043e720 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [2] { handler=9043fde0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [1] { handler=ac31fc80 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [0] { handler=9043faa0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   calling PR_Poll [active=4 idle=0]
-1800407296[7fffa3357150]: poll timeout: 65535
-1800407296[7fffa3357150]:     timeout = 65535000 milliseconds
-1741687040[7fff95b5d9d0]: 9a625800:che.mayfirst.org:S-INBOX:SendData: 1887 IDLE
-1741687040[7fff95b5d9d0]: STS dispatch [7fffaaf75590]
-1800407296[7fffa3357150]:     ...returned after 0 milliseconds
-1800407296[7fffa3357150]: nsSocketOutputStream::Write [this=9043e880 count=11]
-1800407296[7fffa3357150]:   calling PR_Write [count=11]
-1800407296[7fffa3357150]:   PR_Write returned [n=11]
-1800407296[7fffa3357150]: nsSocketTransport::SendStatus [this=9043e720 status=804b0005]
-1800407296[7fffa3357150]: nsSocketOutputStream::AsyncWait [this=9043e880]
-1800407296[7fffa3357150]: STS poll iter [1]
-1800407296[7fffa3357150]:   active [3] { handler=9043e720 condition=0 pollflags=7 }
-1800407296[7fffa3357150]:   active [2] { handler=9043fde0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [1] { handler=ac31fc80 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [0] { handler=9043faa0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   calling PR_Poll [active=4 idle=0]
-1800407296[7fffa3357150]: poll timeout: 65535
-1800407296[7fffa3357150]:     timeout = 65535000 milliseconds
-1800407296[7fffa3357150]:     ...returned after 0 milliseconds
-1800407296[7fffa3357150]: nsSocketTransport::OnSocketReady [this=9043e720 outFlags=2]
-1800407296[7fffa3357150]: nsSocketOutputStream::OnSocketReady [this=9043e880 cond=0]
-1800407296[7fffa3357150]: STS poll iter [1]
-1800407296[7fffa3357150]:   active [3] { handler=9043e720 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [2] { handler=9043fde0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [1] { handler=ac31fc80 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [0] { handler=9043faa0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   calling PR_Poll [active=4 idle=0]
-1800407296[7fffa3357150]: poll timeout: 65535
-1800407296[7fffa3357150]:     timeout = 65535000 milliseconds
-1659898112[7fffb5d9aab0]: libc.so.6 decr => 3
-1651509504[7fffb5d9a340]: libc.so.6 decr => 2
-1645349120[7fff9d5f2e10]: libc.so.6 decr => 1
-134355168[7ffff6d6b260]: Unloaded library libc.so.6
-134355168[7ffff6d6b260]: Loaded library libc.so.6 (load lib)
-134355168[7ffff6d6b260]: /usr/lib/mozilla/extensions/{3550f703-e582-4d05-9a08-453d09bdfdc6}/{847b3a00-7ab1-11d4-8f02-006008948af5}/platform/Linux_x86_64-gcc3/lib/libsubprocess-x86_64-gcc3.so incr => 26 (find lib)
-1800407296[7fffa3357150]:     ...returned after 86 milliseconds
-1800407296[7fffa3357150]: nsSocketTransport::OnSocketReady [this=9043e720 outFlags=1]
-1800407296[7fffa3357150]: nsSocketInputStream::OnSocketReady [this=9043e850 cond=0]
-1800407296[7fffa3357150]: STS dispatch [7fffaaf75280]
-1800407296[7fffa3357150]: nsSocketInputStream::Read [this=9043e850 count=32768]
-1800407296[7fffa3357150]:   calling PR_Read [count=32768]
-1800407296[7fffa3357150]:   PR_Read returned [n=10]
-1800407296[7fffa3357150]: nsSocketTransport::SendStatus [this=9043e720 status=804b0006]
-1800407296[7fffa3357150]: nsSocketInputStream::Read [this=9043e850 count=32758]
-1800407296[7fffa3357150]:   calling PR_Read [count=32758]
-1800407296[7fffa3357150]:   PR_Read returned [n=-1]
-1800407296[7fffa3357150]: nsSocketInputStream::AsyncWait [this=9043e850]
-1800407296[7fffa3357150]: STS poll iter [1]
-1800407296[7fffa3357150]:   active [3] { handler=9043e720 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [2] { handler=9043fde0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [1] { handler=ac31fc80 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [0] { handler=9043faa0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   calling PR_Poll [active=4 idle=0]
-1800407296[7fffa3357150]: poll timeout: 65535
-1800407296[7fffa3357150]:     timeout = 65535000 milliseconds
-1800407296[7fffa3357150]:     ...returned after 0 milliseconds
-1800407296[7fffa3357150]: STS poll iter [1]
-1800407296[7fffa3357150]:   active [3] { handler=9043e720 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [2] { handler=9043fde0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [1] { handler=ac31fc80 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   active [0] { handler=9043faa0 condition=0 pollflags=5 }
-1800407296[7fffa3357150]:   calling PR_Poll [active=4 idle=0]
-1800407296[7fffa3357150]: poll timeout: 65535
-1800407296[7fffa3357150]:     timeout = 65535000 milliseconds
-1741687040[7fff95b5d9d0]: ReadNextLine [stream=8d9d8110 nb=10 needmore=0]
-1741687040[7fff95b5d9d0]: 9a625800:che.mayfirst.org:S-INBOX:CreateNewLineFromSocket: + idling
-134355168[7ffff6d6b260]: Here we do an extension lookup for 'js'
-134355168[7ffff6d6b260]: -- LookUpTypeAndDescription for extension 'js'
-134355168[7ffff6d6b260]: -- GetFileLocation.  Pref: 'helpers.private_mime_types_file'  EnvVar: '(null)'
-134355168[7ffff6d6b260]: -- GetTypeAndDescriptionFromMimetypesFile
-134355168[7ffff6d6b260]: Getting type and description from types file '~/.mime.types'
-134355168[7ffff6d6b260]: Using extension 'js'
-134355168[7ffff6d6b260]: -- CreateInputStream
-134355168[7ffff6d6b260]: Looking in GNOME registry
-134355168[7ffff6d6b260]: Got MIMEInfo from GNOME registry
-134355168[7ffff6d6b260]: Here we do an extension lookup for 'js'
-134355168[7ffff6d6b260]: -- LookUpTypeAndDescription for extension 'js'
-134355168[7ffff6d6b260]: -- GetFileLocation.  Pref: 'helpers.private_mime_types_file'  EnvVar: '(null)'
-134355168[7ffff6d6b260]: -- GetTypeAndDescriptionFromMimetypesFile
-134355168[7ffff6d6b260]: Getting type and description from types file '~/.mime.types'
-134355168[7ffff6d6b260]: Using extension 'js'
-134355168[7ffff6d6b260]: -- CreateInputStream
-134355168[7ffff6d6b260]: Looking in GNOME registry
-134355168[7ffff6d6b260]: Got MIMEInfo from GNOME registry
-1641146624[7fff9a61ede0]: libc.so.6 incr => 2 (find lib)
-1628440832[7fff9d5f2040]: libc.so.6 incr => 3 (find lib)
-1628440832[7fff9d5f2040]: libc.so.6 decr => 2

         --dkg
