[Pkg-mozext-maintainers] Bug#559267: Sage Firefox extensions vulnerabilities

Roberto Suggi Liverani roberto.suggi at security-assessment.com
Thu Dec 10 11:17:16 UTC 2009


Hi Alan,

Sorry for the delay, very busy days here...

The vulnerability was originally reported in the Sage bugzilla
mailing-list and here you can find the link:

https://www.mozdev.org/bugs/show_bug.cgi?id=20610

and here is the security report detailing the bug:

https://www.mozdev.org/bugs/attachment.cgi?id=5749

I have tried to follow up with the author but still today I haven't got
any response as you can see from the thread.

Recently, we have been contacted by another guy, Dave Schaefer, who
joined the thread above and who is willing to fix the bug. My suggestion
would be to touch base with Dave and then work together to fix the
issue. I am not sure about the author and his current involvement with
the extension code.

Regarding your questions:

Q: Is this a regression of the 2006 vulnerability [4]?

I am not sure about the vulnerability in 2006. What I know is that
according to the Sage author, Peter Andrews, the '2006' bug was fixed
and resolved. That is also reported in this thread:
https://www.mozdev.org/bugs/show_bug.cgi?id=15101
So the current bug is a new bug, as far as I can tell. Also, I can't
access the PoC of the vulnerability in 2006, which should be available here:
https://www.gnucitizen.org/static/blog/2006/09/sage-feed-poc.xml so I am
not sure where the "injection" point was.

Q: Are there more problems I should be aware of besides that?

Potentially, there might be other input-validation issues.

Q: How would you suggest dealing with this?

My suggestion would be to render untrusted content in about:blank
instead of a window with chrome privileges. Second recommendation would
be to filter input based on whitelist and escape output as well. Some
extension developers suggest the use of the
nsIScriptableUnescapeHTML.parseFragment() function to perform input
validation. However, some other developers do not agree with that. I am
not an extension developer, so I am not able to tell you if you can just
rely on that function. Another recommendation would be to have a look at
other RSS readers and see how they handle the feeds, in which location,
and what type of filtering they perform.

My 2 cents,

Roberto



Alan Woodland wrote:
> Hi,
>
> For my sins I'm the maintainer of the Debian package of Sage. I'm
> looking at fixing the security bug that was recently reported [1].
> Both of your names were mentioned in [2] as reporting the bug.
>
> I'm looking to either prepare my own patch, in which a test case and
> some advice would be extremely helpful, or ideally verify and apply an
> existing patch. I've read through the two sets of slides at [3], but
> there doesn't seem to be much detail on the actual exploit or a test
> case. There are some references online to 'the author [of sage] being
> made aware of patches', but nothing public that I can find.
>
> Q: Is this a regression of the 2006 vulnerability [4]? Are there more
> problems I should be aware of besides that?
> Q: How would you suggest dealing with this?
>
> Thanks,
> Alan
>
> P.S. If you want to discuss this privately I can send/receive PGP
> encrypted mails to my @debian.org address using the key in the Debian
> keyring.
>
> [1] http://bugs.debian.org/559267
> [2] http://www.securityfocus.com/bid/37120
> [3] http://malerisch.net/docs/security_docs.html
> [4] http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/

-- 
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com
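An added illustration of the "filter on a whitelist and escape output" advice in Roberto's reply (example code written for this page, not Sage's code and not the extension author's): a small regex-based sanitizer for feed HTML that keeps a fixed set of tags, rebuilds allowed tags with only an http(s) href, drops everything else and escapes all remaining text. The tag list, function names and the decision to drop rather than display disallowed tags are my own assumptions; a regex tokenizer is used here for brevity and is not a full HTML parser.

```javascript
// Added example (not Sage's code): whitelist-based sanitizer for untrusted
// feed HTML. Assumed tag list; regex tokenizer for illustration only.

const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);

// Escape text so it can never be interpreted as markup.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Only http(s) links survive; javascript:, data:, chrome: and the like are dropped.
function safeHref(raw) {
  const v = raw.trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(v) ? v : null;
}

// Rebuild an allowed tag from scratch, keeping only the attributes we permit
// (here: href on <a>), so event handlers and style never pass through.
function rebuildTag(name, attrText, closing) {
  if (closing) return name === "br" ? "" : `</${name}>`;
  if (name !== "a") return `<${name}>`;
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrText);
  const href = m ? safeHref(m[1] ?? m[2] ?? m[3]) : null;
  // Links without a safe target keep their text but lose the href.
  return href ? `<a href="${escapeHtml(href)}">` : "<a>";
}

// Walk the input tag by tag: text between tags is escaped, allowed tags are
// rebuilt, disallowed tags (script, iframe, img, ...) are dropped entirely
// while their inner text still goes through escapeHtml.
function sanitizeFeedHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text before this tag
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (ALLOWED_TAGS.has(name)) out += rebuildTag(name, m[3], m[1] === "/");
  }
  return out + escapeHtml(html.slice(last)); // trailing text
}
```

The sanitized string is still only safe to insert as content into a page without chrome privileges, which is the other half of the advice above.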