Ubuntu
unity-firefox-extension package

Bypasses Same Origin Policy checks via toDataURL()

Bug #1069817 reported by Chris Coulson on 2012-10-22

260

This bug affects 1 person

	Status	Importance	Assigned to
WebApps: unity-chromium-extensions	Fix Released	Undecided	Alexandre Abreu
WebApps: unity-firefox-extension	Fix Released	Undecided	Maxim Ermilov
unity-chromium-extension (Ubuntu)	Fix Released	Undecided	Unassigned
Quantal	Fix Released	Undecided	Unassigned
unity-firefox-extension (Ubuntu)	Fix Released	Undecided	Ken VanDine
Quantal	Fix Released	Undecided	Unassigned
unity-webapps-amazoncloudreader (Ubuntu)	Fix Released	Undecided	Unassigned
unity-webapps-facebookapps (Ubuntu)	Fix Released	Undecided	Unassigned
unity-webapps-librefm (Ubuntu)	Fix Released	Undecided	Unassigned
unity-webapps-pandora-com (Ubuntu)	Fix Released	Undecided	Unassigned
webapps-applications (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

This addon exposes a toDataURL() function to the web which allows content to convert an image (specified by a URL) to a data URI. It seems to work by drawing the image to a canvas and using the canvas.toDataURL() mechanism. However, this function seems to bypass all same-origin checks and returns valid data even if the image URL doesn't have the same origin as the document URL.

canvas.toDataURL() will throw a SecurityError exception if the canvas is not origin-clean. A canvas is not origin clean if you call ctx.drawImage() with a URL which does not have the same origin as the document that the canvas is in. However, the canvas used for the conversion is created in chrome context, so it has full privileges and the usual security mechanisms are bypassed completely.

[Test Case]
This can be reproduced with the following test case (I loaded this at http://localhost/test.html):

<html>
<head></head>
<body>
<p id="foo"/>
<script type="text/javascript">
    window.external
          .getUnityObject(1)
          .toDataURL("http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png",
                     function(a, b) {
        document.getElementById("foo").innerHTML = b;
    });
</script>
</html>

In this example, you will see that toDataURL() throws as expected and an alert appears ("The operation is insecure"):

<html>
<head></head>
<body>
<p id="foo"/>
<script type="text/javascript">
    var img = new Image();
    var canvas = document.createElement('canvas');
    var ctx = canvas.getContext('2d');
    img.onload = function() {
        try {
            ctx.drawImage(img, 0, 0);
            document.getElementById("foo").innerHTML = canvas.toDataURL();
        } catch(e) { alert(e); }
    };

img.src = "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png";
</script>
</html>

[Regression Risks]
The fix consists mostly in removing code from the exposed API (toDataURL).

See original description

Tags:

Related branches

lp://staging/~zaspire/unity-firefox-extension/merge-Unity.toDataURL-Unity.init

Merged into lp://staging/unity-firefox-extension

PS Jenkins bot (community): Approve (continuous-integration) on 2012-10-23

WebApps: Pending requested 2012-10-23

lp://staging/unity-firefox-extension

lp://staging/~abreu-alexandre/unity-chromium-extension/fix-1069817

Merged into lp://staging/unity-chromium-extension/trunk at revision 201

Alexandre Abreu (community): Approve on 2012-11-13

lp://staging/~ken-vandine/unity-firefox-extension/unwind

CVE References

2012-0958

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-10-22:

This is CVE-2012-0958

Changed in unity-firefox-extension (Ubuntu):
assignee:	nobody → Ken VanDine (ken-vandine)

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-10-22:

Ken,

Could you take a look at this, and give an ETA on a security fix? Thanks.

Maxim Ermilov (zaspire) on 2012-10-23

Changed in unity-firefox-extension:
assignee:	nobody → Maxim Ermilov (zaspire)

Maxim Ermilov (zaspire) on 2012-10-24

Changed in unity-firefox-extension:
status:	New → Fix Committed

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-11-06:

Seems this is public now:

http://bazaar.launchpad.net/~webapps/unity-firefox-extension/trunk/revision/331

information type:

Private Security → Public Security

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-11-13:

Can I push the r331 commit as a security update, or will that break existing scripts?

Alexandre Abreu (abreu-alexandre) on 2012-11-13

Changed in unity-chromium-extension:
status:	New → Fix Committed
assignee:	nobody → Alexandre Abreu (abreu-alexandre)

Revision history for this message

Maxim Ermilov (zaspire) wrote on 2012-11-14:

> Can I push the r331 commit as a security update, or will that break existing scripts?
no, It will break some scripts

Revision history for this message

Alexandre Abreu (abreu-alexandre) wrote on 2012-11-14:

To be more precise, from what I see it'll break, LibreFm, Pandora and AmazonCloudReader "only".
Those will be updated in Universe ASAP.

Alexandre Abreu (abreu-alexandre) on 2012-11-14

description:

updated

Ken VanDine (ken-vandine) on 2012-11-15

Changed in unity-chromium-extension:
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-11-15:

This bug was fixed in the package unity-chromium-extension - 2.4.4-0ubuntu1

---------------
unity-chromium-extension (2.4.4-0ubuntu1) raring; urgency=low

  * New upstream release.
    - No installation process triggered when a url matches more than one URL
      in the list of available apps (LP: #1078325)
    - Bypasses Same Origin Policy checks via toDataURL (LP: #1069817)
    - Extension options page is broken & does not work (LP: #1076452)
    - Race condition related to integration/install infobar (LP: #1068308)
    - WebApps Unity plugin for Chromium keeps crashing (LP: #1070433)
-- Ken VanDine <email address hidden> Thu, 15 Nov 2012 11:21:16 -0500

Changed in unity-chromium-extension (Ubuntu):
status:	New → Fix Released

Maxim Ermilov (zaspire) on 2012-11-30

Changed in unity-firefox-extension:
status:	Fix Committed → Fix Released

Revision history for this message

Chris Halse Rogers (raof) wrote on 2012-12-05: Please test proposed package

Hello Chris, or anyone else affected,

Accepted unity-chromium-extension into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/unity-chromium-extension/2.4.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unity-chromium-extension (Ubuntu Quantal):
status:	New → Fix Committed
tags:	added: verification-needed

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-12-11:

What's the status on the security fix for unity-firefox-extension?

I was told the fix would break API, so updated versions of the webscripts would be uploaded, and a new unity-firefox-extension was going to be uploaded to quantal-proposed. Has any progress been made?

Revision history for this message

Víctor R. Ruiz (vrruiz) wrote on 2012-12-12:

#10

Scripts that have been fixed to avoid using toDataURL() API: AmazonCloudReader, FacebookApps, GooglePlus, LibreFm, cnn-news, pandora-com and LibreFm. The commit is available at lp:webapps-applications revision 412 http://bazaar.launchpad.net/~webapps/webapps-applications/trunk/revision/412?start_revid=412

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-12-12:

#11

Proposed updated packages for Quantal for this issue are in the security team PPA:
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages

Revision history for this message

Víctor R. Ruiz (vrruiz) wrote on 2012-12-12:

#12

I've passed the manual test suite and everything looks good. I also passed Amazon Cloud Reader and it worked fine.

Revision history for this message

Didier Roche-Tolomelli (didrocks) wrote on 2012-12-13:

#13

The unity-firefox-extension with this fix has been in fact already uploaded to raring with version 2.4.2-0ubuntu1: http://launchpadlibrarian.net/124260453/unity-firefox-extension_2.4.1-0ubuntu3_2.4.2-0ubuntu1.diff.gz

Changed in unity-firefox-extension (Ubuntu):
status:	New → Fix Committed

Didier Roche-Tolomelli (didrocks) on 2012-12-13

Changed in unity-firefox-extension (Ubuntu):
status:	Fix Committed → Fix Released

Didier Roche-Tolomelli (didrocks) on 2012-12-13

no longer affects:

webapps-applications (Ubuntu Quantal)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

#14

This bug was fixed in the package unity-webapps-amazoncloudreader - 2.2ubuntu0.1

---------------
unity-webapps-amazoncloudreader (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - AmazonCloudReader.user.js: Remove use of toDataURL.
    - CVE-2012-0958
-- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:42:41 -0500

Changed in unity-webapps-amazoncloudreader (Ubuntu):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

#15

This bug was fixed in the package unity-webapps-facebookapps - 2.2ubuntu0.1

---------------
unity-webapps-facebookapps (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - FacebookApps.user.js: Remove use of toDataURL.
    - CVE-2012-0958
-- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:45:22 -0500

Changed in unity-webapps-facebookapps (Ubuntu):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

#16

This bug was fixed in the package unity-webapps-librefm - 2.2ubuntu0.1

---------------
unity-webapps-librefm (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - LibreFM.user.js: Remove use of toDataURL.
    - CVE-2012-0958
-- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:48:41 -0500

Changed in unity-webapps-librefm (Ubuntu):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

#17

This bug was fixed in the package unity-webapps-pandora-com - 2.2ubuntu0.1

---------------
unity-webapps-pandora-com (2.2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - pandora-com.user.js: Remove use of toDataURL.
    - CVE-2012-0958
-- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 11:50:33 -0500

Changed in unity-webapps-pandora-com (Ubuntu):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

#18

This bug was fixed in the package unity-firefox-extension - 2.4.1-0ubuntu1.2

---------------
unity-firefox-extension (2.4.1-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: same origin policy bypass via toDataURL() (LP: #1069817)
    - debian/patches/CVE-2012-0958.patch: merge Unity.toDataURL to
      Unity.init in unity-firefox-extension/content/unity-api.js.
    - CVE-2012-0958
-- Marc Deslauriers <email address hidden> Wed, 12 Dec 2012 10:54:19 -0500

Changed in unity-firefox-extension (Ubuntu Quantal):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-12-13:

#19

This bug was fixed in the package webapps-applications - 2.4.10-0ubuntu3

---------------
webapps-applications (2.4.10-0ubuntu3) raring; urgency=low

* debian/patches/lp_1069817.patch:
- fix script breakage due to toDataUrl fix (LP: #1069817)
-- Didier Roche <email address hidden> Thu, 13 Dec 2012 13:12:01 +0100

Changed in webapps-applications (Ubuntu):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-07-02:

#20

This bug was fixed in the package unity-chromium-extension - 2.4.4-0ubuntu0.2

---------------
unity-chromium-extension (2.4.4-0ubuntu0.2) quantal-security; urgency=low

Changed in unity-chromium-extension (Ubuntu Quantal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuunity-firefox-extension package

Bypasses Same Origin Policy checks via toDataURL()

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
unity-firefox-extension package