Date: Thu, 26 Oct 2023 23:11:32 +0300
From: Turistu <turistu@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you
 anytime

On Tue, Oct 17, 2023 at 03:17:36AM +0300, turistu wrote:
> ### Firefox Patch
> ```
> diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp
> --- a/layout/generic/nsFrameSelection.cpp	Fri Oct 06 12:03:17 2023 +0000
> +++ b/layout/generic/nsFrameSelection.cpp	Sun Oct 08 11:04:41 2023 +0300
> @@ -3345,6 +3345,10 @@
>      return;  // Don't care if we are still dragging.
>    }
>  
> +  if (aReason & nsISelectionListener::JS_REASON) {
> +    return;
> +  }
> +
>    if (!aDocument || aSelection.IsCollapsed()) {
>  #ifdef DEBUG_CLIPBOARD
>      fprintf(stderr, "CLIPBOARD: no selection/collapsed selection\n");
> ```
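Review bot: The early return added on `aReason & nsISelectionListener::JS_REASON` carries no comment and no DEBUG_CLIPBOARD trace, unlike the `!aDocument || aSelection.IsCollapsed()` branch directly below it, so the reason for dropping these notifications is not visible in the code or in a debug build. Suggest a one-line comment stating the intent (selection changes initiated by script must not update the primary selection) and a DEBUG_CLIPBOARD fprintf in the style of the neighbouring branch. The check also depends entirely on aReason carrying JS_REASON for every script-initiated change; the quoted explanation that follows describes a call during a drag that arrives without the flag, so that path is not covered by this hunk and needs its own handling.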
> 
> The idea of this patch was to *always* prevent javascript from indirectly
> messing with the primary selection via the Selection API. However, it turned
> out that the `JS_REASON` flag was not reliable; if javascript calls some
> function like `addRange()` or `selectAllChildren()` while the user has started
> dragging but hasn't released the mouse button yet, that code will be called
> *without* that flag but with the text set by javascript, not the text
> selected by the user. However, I think that this patch is still enough

They have recently added a (functionally identical) patch to mozilla-central:
https://hg.mozilla.org/mozilla-central/rev/88e0043c5aa4234dada941ac2fd0ded875210508

So the most egregious issue should be fixed in their "nightly" pre-release
version of firefox soon.

I have updated my write-up with that and more info at:
https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md
