[tor-bugs] #21962 [Applications/Tor Browser]: Segmentation fault with "high" security when changing in about:addons to "Extensions" or "Appearance"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Apr 19 17:42:52 UTC 2017
#21962: Segmentation fault with "high" security when changing in about:addons to
"Extensions" or "Appearance"
-------------------------------------------------+-------------------------
Reporter: viktorj | Owner:
| arthuredelstein
Type: defect | Status:
| accepted
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-crash, tbb-usability, ff52-esr, | Actual Points:
tbb-7.0-must-alpha, TorBrowserTeam201704 |
Parent ID: | Points:
Reviewer: | Sponsor:
| Sponsor4
-------------------------------------------------+-------------------------
Comment (by mcs):
Kathy and I tracked down the root cause of the crash (which is also
causing SVG images to not appear in about:preferences). Apparently, for
some subresource documents, SVG elements are created before the document
is attached to the parent window. This causes `NS_SVGEnabledForChannel()`
to fail to perform its whitelist check for documents such as
`toolkit/mozapps/extensions/content/extensions.xml` (because we end up
with a NULL `topDocURI`), which in turn causes SVGs to be disabled at
first and later allowed (because ultimately the subresource is part of
about:addons, which is whitelisted).
I am not sure what changed between Firefox 45 and 52 to cause this
problem, but adding a check against the system principal in this specific
case seems to fix things. It is also worth noting that Mozilla's patch for
https://bugzilla.mozilla.org/show_bug.cgi?id=1216893 uses
`IsSystemPrincipal()` checks too.
We will post a patch soon.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21962#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list