
The Pirate Bay News & Update: Google Chrome And Mozilla Firefox Flagged ... - Parent Herald

News collected via Google - Tue, 18/10/2016 - 05:31


The Pirate Bay News & Update: Google Chrome And Mozilla Firefox Flagged ...
Parent Herald
According to reports, The Pirate Bay is flagged by Google Chrome and Mozilla Firefox due to safety issues. Google Chrome and Mozilla Firefox tagged The Pirate Bay and other popular torrent providers as fraudulent sites. In addition, Chrome and Firefox ...
The Pirate Bay Shutdown Update: Flagged by Google Chrome! Can It Really ...Gamenguide

all 7 news articles »
Categories: Mozilla-nl planet

Daniel Stenberg: curl up in Nuremberg!

Mozilla planet - Mon, 17/10/2016 - 22:45

I’m very happy to announce that the curl project is about to run our first ever curl meeting and developers conference.

March 18-19, Nuremberg Germany

Everyone interested in curl, libcurl and related matters is invited to participate. We only ask you to register and pay the small fee. The fee will be used for food and more at the event.

You’ll find the full and detailed description of the event and the specific location in the curl wiki.

The agenda for the weekend is purposely kept loose to allow for flexibility and unconference-style adding things and topics while there. You will thus have the chance to present what you like and affect what others present. Do tell us what you’d like to talk about or hear others talk about! The sign-up for the event isn’t open yet, as we first need to work out some more details.

We have a dedicated mailing list for discussing the meeting, called curl-meet, so please consider yourself invited to join in there as well!

Thanks a lot to SUSE for hosting!

Feel free to help us make a cool logo for the event!


(The 19th birthday of curl is suitably enough the day after, on March 20.)

Categories: Mozilla-nl planet

Air Mozilla: Mozilla Weekly Project Meeting, 17 Oct 2016

Mozilla planet - Mon, 17/10/2016 - 20:00

Mozilla Weekly Project Meeting (the Monday Project Meeting)

Categories: Mozilla-nl planet

Firefox Nightly: These Weeks in Firefox: Issue 3

Mozilla planet - Mon, 17/10/2016 - 17:00

The Firefox Desktop team met yet again last Tuesday to share updates. Here are some fresh updates that we think you might find interesting:

Sections covered:
  • Highlights
  • Contributor(s) of the Week
  • Project Updates: Context Graph, Electrolysis (e10s), Platform UI, Privacy / Security, Search

Here are the raw meeting notes that were used to derive this list.

Want to help us build Firefox? Get started here!

Here’s a tool to find some mentored, good first bugs to hack on.

Categories: Mozilla-nl planet

Firefox Nightly: Better default bookmarks for Nightly

Mozilla planet - Mon, 17/10/2016 - 15:41

Because software defaults matter, we have just changed the default bookmarks for the Nightly channel to be more useful to power-users deeply interested in day to day progress of Firefox and potentially willing to help Mozilla improve their browser through bug and crash reports, shared telemetry data and technical feedback.

Users on the Nightly channel had the same bookmarks as users on the release channel. Those bookmarks target end-users with limited technical knowledge: they link to Mozilla sites providing end-user support and add-ons, or propose a tour of Firefox features. Not very compelling for a tech-savvy audience that installed pre-alpha software!

As of last week, new Nightly users or existing Nightly users creating a new profile have a different set of bookmarks that are more likely to meet their interest in the technical side of Mozilla and contributing to Firefox as an alpha tester. Here is what the default bookmarks are:

New Nightly Bookmarks

There are links to this blog of course, to Planet Mozilla, to the Mozilla Developer Network, to the Nightly Testers Tools add-on, to about:crashes and to the IRC #nightly channel in case you find a bug and would like to talk to other Nightly users about it and of course a link to Bugzilla. The Firefox tour link was also replaced by a link to the contribute page on

It’s a minor change to the profile data, as we don’t want to make Nightly a different product from Firefox, but I hope it is another small step in the direction of empowering our more technical user base to help Mozilla build the most stable and reliable browser for hundreds of millions of people!

Categories: Mozilla-nl planet

Internet for everyone: Mozilla offers innovation prize -

News collected via Google - Mon, 17/10/2016 - 14:59

Internet for everyone: Mozilla offers innovation prize
Mozilla's "Equal Rating Innovation Challenge" is meant to help bring another billion people online. More than four billion people still have no access to the internet, about 55 percent of the world's population. With a total of ...

Categories: Mozilla-nl planet

Microsoft Update Catalog now works with Chrome and Firefox -

News collected via Google - Mon, 17/10/2016 - 14:18

Microsoft Update Catalog now works with Chrome and Firefox
The Microsoft Update Catalog is now also accessible to users of Google Chrome and Mozilla Firefox. Previously the website could only be used via Internet Explorer, since ActiveX support in the browser was mandatory.

Categories: Mozilla-nl planet

Giorgos Logiotatidis: Systemd Unit to activate loopback devices before LVM

Mozilla planet - Mon, 17/10/2016 - 13:53

In a Debian server I'm using LVM to create a single logical volume from multiple different volumes. One of the volumes is a loop-back device which refers to a file in another filesystem.

The loop-back device needs to be activated before the LVM service starts, or the latter will fail due to missing volumes. To do so, a special systemd unit needs to be created which will not have the default dependencies of units and will get executed before the lvm2-activation-early service.

Systemd will set a number of dependencies for all units by default to bring the system into a usable state before starting most of the units. This behavior is controlled by the DefaultDependencies flag. Leaving DefaultDependencies at its default True value creates a dependency loop which systemd will forcefully break to finish booting the system. Obviously this non-deterministic flow can result in an execution order different from the desired one, which in turn will fail the LVM volume activation.

The first step is therefore to set DefaultDependencies to False, which disables all but essential dependencies and allows our unit to execute in time. The systemd manual confirms that we can set the option to false:

Generally, only services involved with early boot or late shutdown should set this option to false.

The second step is to execute before lvm2-activation-early. This is simply achieved by setting Before=lvm2-activation-early.

The third and last step is to set the command to execute. In my case it's /sbin/losetup /dev/loop0 /volume.img, as I want to create /dev/loop0 from the file /volume.img. Set the process type to oneshot so systemd waits for the process to exit before it starts follow-up units. Again from the systemd manual:

Behavior of oneshot is similar to simple; however, it is expected that the process has to exit before systemd starts follow-up units.

Place the unit file in /etc/systemd/system and in the next reboot the loop-back device should be available to LVM.

Here's the final unit file:

    [Unit]
    Description=Activate loop device
    DefaultDependencies=no
    After=systemd-udev-settle.service
    Before=lvm2-activation-early.service
    Wants=systemd-udev-settle.service

    [Service]
    ExecStart=/sbin/losetup /dev/loop0 /volume.img
    Type=oneshot

    [Install]

See also:
  • Anthony's excellent LVM Loopback How-To

Categories: Mozilla-nl planet

Mozilla: Tech company announces $250k Equal Rating Innovation Challenge - Pulse Nigeria

News collected via Google - Mon, 17/10/2016 - 13:51

Mozilla: Tech company announces $250k Equal Rating Innovation Challenge
Pulse Nigeria
Mozilla has announced the launch of its global Equal Rating Innovation Challenge, a competition which invites contributions on ways to provide unfettered access to the open Internet for anyone across the globe. The Equal Rating Innovation Challenge ...

Categories: Mozilla-nl planet

Mozilla launches $250000 contest including mentorship - The Exchange (press release) (blog)

News collected via Google - Mon, 17/10/2016 - 12:08

Mozilla launches $250000 contest including mentorship
The Exchange (press release) (blog)
Mozilla has today announced the launch of its global Equal Rating Innovation Challenge, a competition which invites contributions on ways to provide unfettered access to the open Internet for anyone across the globe. As part of its initiative, Mozilla ...

and more »
Categories: Mozilla-nl planet

Firefox Nightly: DevTools now display white space text nodes in the DOM inspector

Mozilla planet - Mon, 17/10/2016 - 11:59

Web developers don’t write all their code in just one line of text. They use white space between their HTML elements because it makes markup more readable: spaces, returns, tabs.

In most instances, this white space seems to have no effect and no visual output, but the truth is that when a browser parses HTML it will automatically generate anonymous text nodes for elements not contained in a node. This includes white space (which is, after all, a type of text).

If these auto generated text nodes are inline level, browsers will give them a non-zero width and height, and you will find strange gaps between the elements in the context, even if you haven’t set any margin or padding on nearby elements.

This behaviour can be hard to debug, but Firefox DevTools are now able to display these whitespace nodes, so you can quickly spot where the gaps in your markup come from and fix the issues.


Whitespace debugging in DevTools in action

The demo shows two examples with slightly different markup to highlight the differences both in browser rendering and what DevTools are showing.

The first example has one img per line, so the markup is readable, but the browser renders gaps between the images:

<img src="..." /> <img src="..." />

The second example has all the img tags in one line, which makes the markup unreadable, but it also doesn’t have gaps in the output:

<img src="..." /><img src="..." />

If you inspect the nodes in the first example, you’ll find a new whitespace indicator that denotes the text nodes created by the browser for the whitespace in the code. No more guessing! You can even delete the node from the inspector and see if that removes mysterious gaps you might have in your website.

Categories: Mozilla-nl planet

Mozilla's Browse Free or Die campaign is problematic - Ghacks Technology News

News collected via Google - Mon, 17/10/2016 - 08:50

Mozilla's Browse Free or Die campaign is problematic
Ghacks Technology News
Browse Free or Die is a campaign by Mozilla, makers of Firefox, that has been designed to reward Firefox users with a free sticker. Firefox users who answer questions on their first experience are mentioned explicitly on the project site over on Github.

Categories: Mozilla-nl planet

The Servo Blog: These Weeks In Servo 81

Mozilla planet - Mon, 17/10/2016 - 02:30

In the last two weeks, we landed 171 PRs in the Servo organization’s repositories.

Planning and Status

Our overall roadmap is available online and now includes the Q4 plans and tentative outline of some ideas for 2017. Please check it out and provide feedback!

This week’s status updates are here.

Notable Additions
  • bholley added benchmark support to mach’s ability to run unit tests
  • frewsxcv implemented the value property on <select>
  • pcwalton improved the rendering of by fixing percentages in top and bottom
  • joewalker added support for font-kerning in Stylo
  • ms2ger implemented blob URL support in the fetch stack
  • scottrinh hid some canvas-related interfaces from workers
  • pcwalton improved by avoiding vertical alignment of absolutely positioned children in table rows
  • namsoocho added font-variant-position for Stylo
  • mmatyas fixed Android and ARM compilation issues in WebRender
  • pcwalton improved by avoiding incorrect block element position modifications
  • heycam factored out a UrlOrNone type to avoid some duplication in property bindings code
  • manishearth vendored bindings for Gecko’s nsString
  • awesomeannirudh implemented the -moz-text-align-last property
  • mrobinson added a custom debug formatter for ClippingRegion
  • manishearth implemented column-count for Stylo
  • anholt added the WebGL uniformMatrix*fv methods
  • UK992 made our build environment warn if it finds the MinGW Python, which breaks Windows MinGW builds
  • nox updated Rust
  • waffles added image-rendering support for Stylo
  • glennw fixed routing of touch events to the correct iframe
  • jdub added some bindings generation builder functions
  • larsberg picked up the last fix to get Servo on MSVC working
  • glennw added fine-grained GPU profiling to WebRender
  • canaltinova implemented some missing gradient types for Stylo
  • pcwalton implemented vertical-align: middle and fixed some vertical-align issues
  • splav added initial support for the root SVG element
  • glennw added transform support for text runs in WebRender
  • nox switched many crates to serde_derive, avoiding a fragile nightly dependency in our ecosystem
  • wafflespeanut added font-stretch support to Stylo
  • aneeshusa fixed the working directory for CI steps auto-populated from the in-tree rules
  • dati91 added mock WebBluetooth device support, in order to implement the WebBluetooth Test API
  • aneeshusa fixed a potential GitHub token leak in our documentation build
  • pcwalton fixed placement of inline hypothetical boxes for absolutely positioned elements, which fixes the Rust docs site
  • SimonSapin changed PropertyDeclarationBlock to use parking_lot::RwLock
  • shinglyu restored the layout trace viewer to aid in debugging layout
  • KiChjang implemented CSS transition DOM events
  • nox added intermediary, Rust-only WebIDL interfaces that replaced lots of unnecessary code duplication
  • mathieuh improved web compatibility by matching the new specification changes related to XMLHttpRequest events
  • emilio improved web compatibility by adding more conformance checks to various WebGL APIs
  • mortimergoro implemented several missing WebGL APIs
  • g-k created tests verifying the behaviour of browser cookie implementations
New Contributors

Interested in helping build a web browser? Take a look at our curated list of issues that are good for new contributors!


Canaltinova implemented parsing for many gradients so that they can be used in Firefox via Stylo and also provided comparisons:

Radial gradient support in Stylo

Categories: Mozilla-nl planet

Serious vulnerability could have given an attacker root privileges on ChromeOS -

News collected via Google - Sun, 16/10/2016 - 10:46

Serious vulnerability could have given an attacker root privileges on ChromeOS
According to the Mozilla developer, the vulnerability shows that security holes which look harmless at first glance can nevertheless have far-reaching consequences, and that there are people with enough knowledge to eventually build exploits for them ...

Categories: Mozilla-nl planet

Robert O'Callahan: Ironic World Standards Day

Mozilla planet - Sun, 16/10/2016 - 05:34

Apparently World Standards Day is on October 14. Except in the USA it's celebrated on October 27 and in Canada on October 5.

Are they trying to be ironic?

Categories: Mozilla-nl planet

Cameron Kaiser: It's Talos time (plus: 45.5.0 beta 2 now with more AltiVec IDCT)

Mozilla planet - Sun, 16/10/2016 - 02:16
It's Talos time. You can now plunk down your money for an open, auditable, non-x86 workstation-class computer that doesn't suck. It's PowerPC. It's modern. It's beefy. It's awesome.

Let's not mince words, however: it's also not cheap, and you're gonna plunk down a lot if you want this machine. The board runs $4100 and that's without the CPU, which is pledged for separately though you can group them in the same order (this is a little clunky and I don't know why Raptor did it this way). To be sure, I think we all suspected this would be the case but now it's clear the initial prices were underestimates. Although some car repairs and other things have diminished my budget (I was originally going to get two of these), I still ponied up for a board and for one of the 190W octocore POWER8 CPUs, since this appears to be the sweetspot for those of us planning to use it as a workstation (remember each core has eight threads via SMT for a grand total of 64, and this part has the fastest turbo clock speed at 3.857GHz). That ran me $5340. I think after the RAM, disks, video card, chassis and PSU I'll probably be all in for around $7000.

Too steep? I don't blame you, but you can still help by donating to the project and enabling those of us who can afford to jump in first to smooth the way for you. Frankly, this is the first machine I consider a meaningful successor to the Quad G5 (the AmigaOne series isn't quite there yet). Non-x86 doesn't have the economies of scale of your typical soulless Chipzilla craptop or beige box, but if we can collectively help Raptor get this project off the ground you'll finally have an option for your next big machine when you need something free, open and unchained -- and there's a lot of chains in modern PCs that you don't control. You can donate as little as $10 and get this party started, or donate $250 and get to play with one remotely for a few months. Call it a rental if you like. No, I don't get a piece of this, I don't have stock in Raptor and I don't owe them a favour. I simply want this project to succeed. And if you're reading this blog, odds are you want that too.

The campaign ends December 15. Donate, buy, whatever. Let's do this.

My plans are, even though I confess I'll be running it little-endian (since unfortunately I don't think we have much choice nowadays), to make it as much a true successor to the last Power Mac as possible. Yes, I'll be sinking time into a JIT for it, which should fully support asm.js to truly run those monster applications we're seeing more and more of, porting over our AltiVec code with an endian shift (since the POWER8 has VMX), and working on a viable and fast way of running legacy Power Mac software on it, either through KVM or QEMU or whatever turns out to be the best option. If this baby gets off the ground, you have my promise that doing so will be my first priority, because this is what I wanted the project for in the first place. We have a chance to resurrect the Power Mac, folks, and in a form that truly kicks ass. Don't waste the opportunity.

Now, having said all that, I do think Raptor has made a couple tactical errors. Neither are fatal, but neither are small.

First, there needs to be an intermediate pledge level between the bare board and the $18,000 (!!!!) Warren Buffett edition. I have no doubt the $18,000 machine will be the Cadillac of this line, but like Cadillacs, there isn't $18,000 worth of parts in it (maybe, maybe, $10K), and this project already has a bad case of sticker shock without slapping people around with that particular dead fish. Raptor needs to slot something in the middle that isn't quite as wtf-inducing and I'll bet they'll be appealing to those people willing to spend a little more to get a fully configured box. (I might have been one of those people, but I won't have the chance now.)

Second, the pledge threshold of $3.7 million is not ludicrous when you consider what has to happen to manufacture these things, but it sure seems that way. Given that this can only be considered a boutique system at this stage, it's going to take a lot of punters like yours truly to cross that point, which is why your donations even if you're not willing to buy right now are critical to get this thing jumpstarted. I don't know Raptor's finances, but they gave themselves a rather high hurdle here and I hope it doesn't doom the whole damn thing.

On the other hand, doesn't look like Apple's going to be updating the Mac Pro any time soon, so if you're in the market ...

On to 45.5.0 beta 2 (downloads, hashes). The two major changes in this version are that I did some marginal reduction in the overhead of graphics primitives calls, and completed converting to AltiVec all of the VP9 inverse discrete cosine and Hadamard transforms. Feel free to read all 152K of it, patterned largely off the SSE2 version but still mostly written by hand; I also fixed the convolver on G4 systems and made it faster too. This is probably the biggest amount of time required by the computer while decoding frames. I can do some more by starting on the intraframe predictors but that will probably not yield speed ups as dramatic. My totally unscientific testing is yielding these recommendations for specific machines:

1.0GHz iMac G4 (note: not technically supported, but a useful comparison): maximum watchable resolution 144p VP9
1.33GHz iBook G4, reduced performance: same
1.33GHz iBook G4, highest performance: good at 144p VP9, max at 240p VP9, but VP8 is better
1.67GHz DLSD PowerBook G4: ditto, VP8 better here too
2.5GHz Quad G5, reduced performance: good at 240p VP9, max at 360p VP9
2.5GHz Quad G5, highest performance: good at 360p VP9, max at 480p VP9

I'd welcome your own assessments, but since VP8 (i.e., MediaSource Extensions off) is "good enough" on the G5 and actually currently better on the G4, I've changed my mind again and I'll continue to ship with MSE turned off so that it still works as people expect. However, they'll still be able to toggle the option in our pref panel, which also was fixed to allow toggling PDF.js (that was a stupid bug caused by missing a change I forgot to pull forward into the released build). When VP9 is clearly better on all supported configurations then we'll reexamine this.

No issues have been reported regarding little-endian JavaScript typed arrays or our overall new hybrid endian strategy, or with the minimp3 platform decoder, so both of those features are go. Download and try it.

Have you donated yet?

Categories: Mozilla-nl planet

Mozilla launches competition for worldwide internet access - Heise Newsticker

News collected via Google - Sat, 15/10/2016 - 13:13

Mozilla launches competition for worldwide internet access
Heise Newsticker
The "Equal Rating Innovation Challenge" is meant to bring affordable internet to everyone. Ideas for open and free access, instead of closed networks such as Facebook's Free Basics, are particularly sought. With the "Equal Rating Innovation Challenge", Mozilla has ...
Open alternative to Facebook's: Mozilla wants the ... - t3n Magazin
Equal Rating: Mozilla funds alternative to Facebook's free
Equal Rating Innovation Challenge: Mozilla launches idea competition for ... Augsburger Allgemeine
all 6 news articles »
Categories: Mozilla-nl planet

Mozilla Addons Blog: Add-ons Update – 2016/10

Mozilla planet - Fri, 14/10/2016 - 23:20

Here’s the state of the add-ons world this month.

The Review Queues

In the past month, 1,755 listed add-on submissions were reviewed:

  • 1,438 (82%) were reviewed in fewer than 5 days.
  • 119 (7%) were reviewed between 5 and 10 days.
  • 198 (11%) were reviewed after more than 10 days.

There are 223 listed add-ons awaiting review.

If you’re an add-on developer and are looking for contribution opportunities, please consider joining us. Add-on reviewers are critical for our success, and can earn cool gear for their work. Visit our wiki page for more information.


The compatibility blog post for Firefox 50 is up, and the bulk validation was run recently. The compatibility blog post for Firefox 51 was published yesterday. It’s worth pointing out that the Firefox 50 cycle will be twice as long, so 51 won’t be released until January 24th, 2017.

Multiprocess Firefox is now enabled for users without add-ons, and add-ons will be gradually phased in, so make sure you’ve tested your add-on and either use WebExtensions or set the multiprocess compatible flag in your add-on manifest.

As always, we recommend that you test your add-ons on Beta and Firefox Developer Edition to make sure that they continue to work correctly. End users can install the Add-on Compatibility Reporter to identify and report any add-ons that aren’t working anymore.


We would like to thank Atique Ahmed Ziad, Surya Prashanth, freaktechnik, shubheksha, bjdixon, zombie, berraknil, Krizzu, rackstar17, paenglab, and Trishul Goel (long list!) for their recent contributions to the add-ons world. You can read more about their work in our recognition page.

Categories: Mozilla-nl planet

Daniel Stenberg: a single byte write opened a root execution exploit

Mozilla planet - Fri, 14/10/2016 - 22:36

Thursday, September 22nd 2016. An email popped up in my inbox.

Subject: ares_create_query OOB write

As one of the maintainers of the c-ares project I receive mails about suspected security problems in c-ares, and this was one such mail. In this case, the email with said subject came from an individual who had reported a ChromeOS exploit to Google.

It turned out that this particular c-ares flaw was one important step in a sequence of necessary procedures that when followed could let the user execute code on ChromeOS from JavaScript – as the root user. I suspect that is pretty much the worst possible exploit of ChromeOS that can be done. I presume the reporter will get a fair amount of bug bounty reward for this.

The setup and explanation of how this was accomplished is very complicated and I am deeply impressed by how this was figured out, tracked down and eventually exploited in a repeatable fashion. But bear with me. Here comes a very simplified explanation of how a single-byte buffer overwrite with a fixed value could end up aiding the execution of exploit code as root.

The main Google bug for this problem is still not open since they still have pending mitigations to perform, but since the c-ares issue has been fixed I’ve been told that it is fine to talk about this publicly.

c-ares writes a 1 outside its buffer

c-ares has a function called ares_create_query. It was added in 1.10 (released in May 2013) as an updated version of the older function ares_mkquery. This detail is mostly interesting because Google uses a c-ares version older than 1.10, so in their case the flaw is in the old function. These are the two functions that contain the problem we’re discussing today. It used to be in the ares_mkquery function but was moved over to ares_create_query a few years ago (and the new function got an additional argument). The code was mostly unchanged in the move, so the bug was simply carried over. This bug was actually already present in the original ares project that I forked and created c-ares from, back in October 2003. It just took this long for someone to figure it out and report it!

I won’t bore you with exactly what these functions do, but we can stick to the simple fact that they take a name string as input, allocate a memory area for the outgoing packet with DNS protocol data and return that newly allocated memory area and its length.

Due to a logic mistake in the function, you could trick the function to allocate a too short buffer by passing in a string with an escaped trailing dot. An input string like “one.two.three\.” would then cause the allocated memory area to be one byte too small and the last byte would be written outside of the allocated memory area. A buffer overflow if you want. The single byte written outside of the memory area is most commonly a 1 due to how the DNS protocol data is laid out in that packet.

This flaw was given the name CVE-2016-5180 and was fixed and announced to the world at the end of September 2016 when c-ares 1.12.0 shipped. The actual commit that fixed it is here.
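The length mistake described above, as an added example that is not c-ares code: a simplified reconstruction of the buggy name-length estimate (an escaped trailing dot drops one label-length byte) beside an escape-aware estimate and a bounds-checked question encoder that refuses to overrun its buffer. The function names, the 512-byte scratch buffer and the sample names are this example's own assumptions, not the project's.

```c
/* Added example, not c-ares code: simplified reconstruction of the name-length
 * estimate behind CVE-2016-5180, a corrected escape-aware version, and an
 * encoder that checks its capacity. Wire format: <len><label>...<0>, QTYPE, QCLASS. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HEADER_LEN 12   /* fixed DNS header that precedes the question */
#define DNS_QFIXEDSZ    4   /* QTYPE + QCLASS */
#define DNS_CLASS_IN    1   /* its low byte is the last byte written: 1 */
#define MAXLABEL       63

/* Buggy estimate: an escaped trailing dot ("\.") looks like a real trailing
 * dot, so the length byte of the final label is never counted. */
static size_t name_len_vulnerable(const char *name)
{
    const char *p;
    size_t nlen = 1;                       /* terminating root label */
    for (p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                           /* escaped byte counts once */
        nlen++;
    }
    if (*name && p[-1] != '.')             /* BUG: cannot tell "\." from "." */
        nlen++;
    return nlen;
}

/* Corrected estimate: remember whether the final byte was escaped, because an
 * escaped dot is ordinary label data and still needs its length byte. */
static size_t name_len_fixed(const char *name)
{
    const char *p;
    int last_escaped = 0;
    size_t nlen = 1;
    for (p = name; *p; p++) {
        last_escaped = (*p == '\\' && p[1] != '\0');
        if (last_escaped)
            p++;
        nlen++;
    }
    if (*name && (p[-1] != '.' || last_escaped))   /* "\." is label data */
        nlen++;
    return nlen;
}

/* Encode the question section after a zeroed header into buf. Returns the
 * total bytes used, or 0 on a bad name or when cap would be exceeded; it
 * never writes beyond cap, which is the check the vulnerable path lacked. */
static size_t encode_question(const char *name, uint16_t qtype,
                              uint8_t *buf, size_t cap)
{
    size_t pos = DNS_HEADER_LEN;
    if (cap < pos) return 0;
    memset(buf, 0, pos);                   /* header left zeroed here */
    while (*name) {
        const char *p;
        size_t len = 0, lenpos = pos++;    /* reserve the length byte */
        if (*name == '.' || pos > cap) return 0;
        for (p = name; *p && *p != '.'; p++) {
            if (*p == '\\' && p[1] != '\0')
                p++;                       /* escaped byte is label data */
            if (pos + 1 > cap) return 0;
            buf[pos++] = (uint8_t)*p;
            len++;
        }
        if (len > MAXLABEL) return 0;
        buf[lenpos] = (uint8_t)len;
        if (!*p) break;
        name = p + 1;
    }
    if (pos + 1 + DNS_QFIXEDSZ > cap) return 0;
    buf[pos++] = 0;                        /* root label */
    buf[pos++] = (uint8_t)(qtype >> 8);
    buf[pos++] = (uint8_t)qtype;
    buf[pos++] = (uint8_t)(DNS_CLASS_IN >> 8);
    buf[pos++] = (uint8_t)DNS_CLASS_IN;    /* the trailing 1 */
    return pos;
}

/* Bytes by which the real encoding exceeds the buggy allocation size. */
static int overflow_bytes(const char *name)
{
    uint8_t buf[512];
    size_t actual = encode_question(name, 1 /* A */, buf, sizeof buf);
    size_t est = DNS_HEADER_LEN + name_len_vulnerable(name) + DNS_QFIXEDSZ;
    return actual ? (int)actual - (int)est : -1;
}

/* Last byte written when the question fits in cap bytes, else -1. */
static int last_byte_within(const char *name, size_t cap)
{
    uint8_t buf[512];
    size_t n = cap <= sizeof buf ? encode_question(name, 1, buf, cap) : 0;
    return n ? buf[n - 1] : -1;
}
```

For the post's "one.two.three\." the buggy estimate is one byte short of what the encoder writes, and the byte that would land past the buffer is the QCLASS low byte, 1.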

What to do with a 1?

Ok, so a function can be made to write a single byte with the value 1 outside of its allocated buffer. How do you turn that to your advantage?

The Redhat security team deemed this problem to be of “Moderate security impact” so they clearly do not think you can do a lot of harm with it. But behold, with the right amount of imagination and luck you certainly can!

Back to ChromeOS we go.

First, we need to know that ChromeOS runs an internal HTTP proxy which is very liberal in what it accepts – this is the software that uses c-ares. This proxy is a key component that the attacker needed to tickle really badly. So by figuring out how you can send the correctly crafted request to the proxy, it would send the right string to c-ares and write a 1 outside its heap buffer.

ChromeOS uses dlmalloc for managing the heap memory. Each time the program allocates memory, it gets back a pointer to the requested memory region, and dlmalloc puts a small header of its own just before that region for its own purposes. If you ask for N bytes with malloc, dlmalloc will use (header size + N) and return the pointer to the N bytes the application asked for. Like this:


With a series of cleverly crafted HTTP requests of various sizes to the proxy, the attacker managed to create a hole of freed memory where he then reliably makes the c-ares allocated memory end up. He knows exactly how the ChromeOS dlmalloc system and its best-fit allocator work, how big the c-ares malloc will be and thus where the overwritten 1 will end up. When the byte 1 is written after the memory, it is written into the header of the next memory chunk handled by dlmalloc:


The specific byte of that following dlmalloc header that it writes to is used for flags and the lowest bits of the size of that allocated chunk of memory.

Writing 1 to that byte clears 2 flags, sets one flag and clears the lowest bits of the chunk size. The important flag it sets is called prev_inuse and is used by dlmalloc to tell if it can merge adjacent areas on free. (so, if the value 1 simply had been a 2 instead, this flaw could not have been exploited this way!)

When the c-ares buffer that had overflowed is then freed again, dlmalloc gets fooled into consolidating that buffer with the subsequent one in memory (since the bit had been toggled), and thus the larger piece of assumed-to-be-free memory is partly still in use. Open for manipulations!


Using that memory buffer mess

This freed memory area whose end part is actually still in use opened up the playing field for more “fun”. By making another creative HTTP request, that memory block would be allocated and used to store new data.

The attacker managed to insert the right data in that further end of the data block, the one that was still used by another part of the program, mostly since the proxy pretty much allowed anything to get crammed into the request. The attacker managed to put his own code to execute in there and after a few more steps he ran whatever he wanted as root. Well, the user would have to get tricked into running a particular JavaScript but still…

I cannot even imagine how long it must have taken to make this exploit and how much work and sweat were spent. The report I read on this was 37 very detailed pages. And it was one of the best things I’ve read in a long while! When this goes public in the future, I hope at least parts of that description will become available for you as well.

A lesson to take away from this?

No matter how limited or harmless a flaw may appear at a first glance, it can serve a malicious purpose and serve as one little step in a long chain of events to attack a system. And there are skilled people out there, ready to figure out all the necessary steps.

Categories: Mozilla-nl planet