CVE-2015-1260
Hayden Nier edited this page Dec 19, 2016 (11 revisions)
Tina Howard and Hayden Nier
Fix Commit:
- Magnus Jedvert on Tuesday April 14 2015
- 0fc74681d3f353c9c7835b33d689882a3cc5807b
Vulnerability Commit:
- e4af29985a69116a4d37bf7c8130336c63542adc introduced by Sevolk
- The vulnerability was in the request-failure handling of content::UserMediaClientImpl; the fix commit unified that handling.
Found By:
- A cluster bot on April 1, 2015, in bug 472617
- Khalil Zhani is credited with discovering the vulnerability and received $1000 compensation.
- Magnus Jedvert in bug: 474370
- Magnus found the bug in the microphone-enablement path, where freed memory was still being used.
Was there a bounty awarded?
- $1000 compensation was awarded to Khalil for discovering the vulnerability, not for fixing it.
Automation Testing and Discussion:
- Discussion occurred here
- When the fix was committed, testing occurred for the build to ensure that the fix didn't break anything
Description:
Attackers can execute arbitrary JavaScript code upon completion of a getUserMedia request. The fix prevented the RenderFrame object from being destroyed within the getUserMedia subroutine, thus eliminating the "free" in the "use-after-free" vulnerability. During testing and fixing, this was deemed medium severity.
Unify request failure handling in content::UserMediaClientImpl
Unify UserMediaClientImpl::GetUserMediaRequestFailed and UserMediaClientImpl::GetUserMediaRequestTrackStartedFailed and make sure all possible enum values are handled in the switch.
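The following is an added example, not Chromium's code, written to show the bug shape the description and the fix commit message refer to: a request-failure handler delivers a callback to the page, that callback can tear down the frame owning the handler's state, and any bookkeeping done after the callback then touches freed memory. The hardened handler holds only a weak reference across the callback and re-validates it before touching state, and the enum switch handles every value with no default case so a compiler warning catches any value added later. The names RenderFrame, UserMediaClient, Page and FailureReason are assumptions for the illustration.

```cpp
// Added example (not Chromium code): models a failure callback that may
// destroy the frame owning the handler's state, and a handler that survives it.
#include <functional>
#include <memory>
#include <string>

// Every failure kind the handler can receive. No default case: with -Wswitch
// the compiler flags any value added later that the switch does not handle.
enum class FailureReason { kPermissionDenied, kDeviceNotFound, kTrackStartFailed };

const char* ReasonToString(FailureReason reason) {
    switch (reason) {
        case FailureReason::kPermissionDenied: return "permission denied";
        case FailureReason::kDeviceNotFound:   return "device not found";
        case FailureReason::kTrackStartFailed: return "track start failed";
    }
    return "unknown";  // unreachable for valid values; keeps the function total
}

// Per-frame media-client state (hypothetical stand-in for UserMediaClientImpl).
struct UserMediaClient {
    int failures_recorded = 0;
    std::string last_reason;
};

// The frame owns the client; destroying the frame frees the client.
struct RenderFrame {
    std::shared_ptr<UserMediaClient> client = std::make_shared<UserMediaClient>();
};

// The page owns the frame. A callback delivered to script may remove the
// frame, which is the event that turns this pattern into a freed object.
struct Page {
    std::unique_ptr<RenderFrame> frame = std::make_unique<RenderFrame>();
};

using FailureCallback = std::function<void(FailureReason)>;

// Vulnerable shape (described only, deliberately not executed here), as a
// member function of UserMediaClient:
//   void OnRequestFailed(FailureReason r) { callback_(r); ++failures_recorded; }
// If callback_ destroys the frame, `this` is freed before the increment runs.

// Hardened handler: keeps only a weak reference across the callback and
// re-validates it before touching client state. Returns true if the
// post-callback bookkeeping ran, false if the owner was gone.
bool HandleRequestFailure(std::weak_ptr<UserMediaClient> weak_client,
                          FailureReason reason,
                          const FailureCallback& callback) {
    callback(reason);  // may destroy the frame and, with it, the client
    std::shared_ptr<UserMediaClient> client = weak_client.lock();
    if (!client) {
        return false;  // owner torn down during the callback; nothing to update
    }
    ++client->failures_recorded;
    client->last_reason = ReasonToString(reason);
    return true;
}

struct ScenarioResult {
    bool post_callback_ran;
    bool frame_alive;
    int failures_recorded;  // -1 when the frame (and its client) no longer exist
};

// Drives one failure through the handler. When destroy_frame is true the
// callback tears the frame down mid-call, as a script-triggered navigation could.
ScenarioResult RunScenario(bool destroy_frame, FailureReason reason) {
    Page page;
    std::weak_ptr<UserMediaClient> weak_client = page.frame->client;
    FailureCallback callback = [&page, destroy_frame](FailureReason) {
        if (destroy_frame) {
            page.frame.reset();  // frees RenderFrame and its UserMediaClient
        }
    };
    bool ran = HandleRequestFailure(weak_client, reason, callback);
    ScenarioResult result{ran, page.frame != nullptr, -1};
    if (page.frame) {
        result.failures_recorded = page.frame->client->failures_recorded;
    }
    return result;
}

int main() {
    ScenarioResult benign = RunScenario(false, FailureReason::kPermissionDenied);
    ScenarioResult teardown = RunScenario(true, FailureReason::kTrackStartFailed);
    return (benign.post_callback_ran && !teardown.post_callback_ran) ? 0 : 1;
}
```

The weak reference is the check a reviewer would look for after any callback that can run script: the handler does not assume its owner outlived the call. Building with `-Wall -Wextra` (or `-Wswitch`) turns a forgotten enum case into a warning rather than a silently skipped branch.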