Key Vulnerability Information

Bug ID: 1906727
CVE: CVE-2024-7522
Summary: AddressSanitizer: heap-buffer-overflow in GetIntegerValue nsAttrValueInlines.h
Status: Closed
Resolution: VERIFIED FIXED
Severity: S2 (High)
Priority: Not set
Product: Core
Component: DOM: Editor
Milestone: 130 Branch

Steps to Reproduce
1. Download a Firefox ASan build
2. Visit the attached testcase.html
3. The Firefox ASan tab crashes with the output "AddressSanitizer: heap-buffer-overflow"

Affected Versions
Firefox ESR 128
Firefox ESR 115
Firefox 129+

Fix Details
Patch:
- Bug 1906727 - Make check attr value type first r=peterv!

Security Approval Request

How easily could an exploit be constructed based on the patch?
It touches the entrance from JS. Therefore, if they realize that it's a handler of document.execCommand, they might find a way to reproduce this.

Do comments in the patch/check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No

Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?
beta, ESR128, ESR115

If not all supported branches, which bug introduced the flaw?
None

Do you have backports for the affected branches?
Yes

If not, how different, hard to create, and risky will they be?
(not answered)

How likely is this patch to cause regressions; how much testing does it need?
This fixes the use of the internal API; it shouldn't cause any regressions.

Is the patch ready to land after security approval is given?
Yes

Is Android affected?
Yes
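The fix title, "Make check attr value type first", describes a general pattern: an accessor that reads a typed slot out of a tagged value must verify the tag before dereferencing, because containers for other value kinds may be smaller and the read lands past the allocation. The following is an added, self-contained C++ illustration of that pattern; it is not Gecko's nsAttrValue code, and every name in it (AttrValue, StringContainer, IntegerContainer, GetIntegerValueUnchecked, ReadIntegerAttr) is a hypothetical stand-in. The unchecked accessor models the pre-fix read; the checked accessor models the fix.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <optional>

// Hypothetical model (not Gecko's nsAttrValue): a value is a type tag plus a
// heap container whose layout and size depend on the kind of value stored.
enum class AttrType : uint8_t { eString, eInteger };

// Container for string-typed values: 8 bytes of text, no integer slot.
struct StringContainer {
  char text[8];
};

// Container for integer-typed values: larger, with the integer slot at the end.
struct IntegerContainer {
  char pad[8];
  int32_t mInteger;
};

class AttrValue {
 public:
  // Build a string-typed value (container is the small 8-byte layout).
  explicit AttrValue(const char* s) : mType(AttrType::eString) {
    auto* c = static_cast<StringContainer*>(std::calloc(1, sizeof(StringContainer)));
    std::strncpy(c->text, s, sizeof(c->text) - 1);
    mContainer = c;
  }
  // Build an integer-typed value (container is the larger layout).
  explicit AttrValue(int32_t v) : mType(AttrType::eInteger) {
    auto* c = static_cast<IntegerContainer*>(std::calloc(1, sizeof(IntegerContainer)));
    c->mInteger = v;
    mContainer = c;
  }
  ~AttrValue() { std::free(mContainer); }
  AttrValue(const AttrValue&) = delete;
  AttrValue& operator=(const AttrValue&) = delete;

  AttrType Type() const { return mType; }

  // Pre-fix shape: trusts the caller to have checked Type(). Called on a
  // string-typed value it reads mInteger at offset 8 of an 8-byte
  // StringContainer, i.e. past the end of the heap allocation. That is the
  // read ASan reports as heap-buffer-overflow. Never call this on eString.
  int32_t GetIntegerValueUnchecked() const {
    return static_cast<const IntegerContainer*>(mContainer)->mInteger;
  }

  // Post-fix shape: check the attribute value type first, then read.
  std::optional<int32_t> GetIntegerValue() const {
    if (mType != AttrType::eInteger) {
      return std::nullopt;  // wrong kind of container; refuse to read
    }
    return static_cast<const IntegerContainer*>(mContainer)->mInteger;
  }

 private:
  AttrType mType;
  void* mContainer;
};

// Entry point reachable from script (hypothetical stand-in for a command
// handler): it must not assume the attribute it is handed holds an integer.
bool ReadIntegerAttr(const AttrValue& attr, int32_t& out) {
  std::optional<int32_t> v = attr.GetIntegerValue();
  if (!v) {
    return false;  // caller passed a non-integer attribute; report, don't read
  }
  out = *v;
  return true;
}

int main() {
  AttrValue aligned("center");  // constructed sample: a string-typed attribute
  AttrValue size(42);           // constructed sample: an integer-typed attribute
  int32_t out = 0;
  std::cout << "string attr read as integer: "
            << (ReadIntegerAttr(aligned, out) ? "ok" : "rejected") << '\n';
  std::cout << "integer attr read as integer: "
            << (ReadIntegerAttr(size, out) ? "ok" : "rejected") << " " << out << '\n';
  return 0;
}
```

Built with -fsanitize=address, calling GetIntegerValueUnchecked on the string-typed value is what trips the sanitizer; the checked accessor turns the same call into a rejected request. The test below exercises only the checked path, since the unchecked read on the wrong type is undefined behaviour by design.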