Bug 1898732 (CVE-2020-16012)

Summary:	CVE-2020-16012 Mozilla: Variable time processing of cross-origin images during drawImage calls
Product:	[Other] Security Response	Reporter:	Doran Moppert <dmoppert>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	cschalle, erack, gecko-bugs-nobody, jhorak, spotrh, stransky, tpopela, yaneti
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	firefox 78.5, thunderbird 78.5, chromium-browser 87.0.4280.66	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-11-30 11:33:59 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1895993, 1895994, 1895995, 1895996, 1895997, 1895998, 1895999, 1898749, 1898750, 1898751, 1898752, 1898753, 1898754, 1898755, 1899246, 1899247, 1899248
Bug Blocks:	1895990

Description Doran Moppert 2020-11-18 00:42:43 UTC

When drawing a transparent image on top of an unknown cross-origin image, the Skia library `drawImage` function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/#CVE-2020-16012

Comment 1 Doran Moppert 2020-11-18 00:42:47 UTC

Acknowledgments:

Name: the Mozilla project
Upstream: Aleksejs Popovs

Comment 6 Tomas Hoger 2020-11-20 21:40:53 UTC

Mozilla advisory links the following (currently non-public) bug as Mozilla upstream bug for this issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=1642028

Using its bug id, it is possible to locate this commit fixing this issue:

https://hg.mozilla.org/mozilla-central/rev/48c0f5033c286bd515b6f16e0905ff4ca94faf98

This flaw affects the Skia library bundled with Firefox and Thunderbird.  Skia upstream commit for this issue is:

https://skia.googlesource.com/skia/+/5d3314c53ce5c966591f0b02349103f51f986e6e%5E%21/

The Skia library is also bundled with Google Chrome / Chromium browser and this issue was corrected there in version 87.0.4280.66:

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html

The Chrome / Chromium bug (also currently non-public) is:

https://bugs.chromium.org/p/chromium/issues/detail?id=1088224

This bug Chromium bug id is referenced from the Skia commit.

Comment 13 errata-xmlrpc 2020-11-30 08:35:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5240 https://access.redhat.com/errata/RHSA-2020:5240

Comment 14 errata-xmlrpc 2020-11-30 08:39:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5231 https://access.redhat.com/errata/RHSA-2020:5231

Comment 15 errata-xmlrpc 2020-11-30 08:46:53 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:5233 https://access.redhat.com/errata/RHSA-2020:5233

Comment 16 errata-xmlrpc 2020-11-30 08:49:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5236 https://access.redhat.com/errata/RHSA-2020:5236

Comment 17 errata-xmlrpc 2020-11-30 08:53:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5232 https://access.redhat.com/errata/RHSA-2020:5232

Comment 18 errata-xmlrpc 2020-11-30 08:57:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5234 https://access.redhat.com/errata/RHSA-2020:5234

Comment 19 errata-xmlrpc 2020-11-30 08:58:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:5238 https://access.redhat.com/errata/RHSA-2020:5238

Comment 20 errata-xmlrpc 2020-11-30 10:38:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5237 https://access.redhat.com/errata/RHSA-2020:5237

Comment 21 Product Security DevOps Team 2020-11-30 11:33:59 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16012

Comment 22 errata-xmlrpc 2020-11-30 18:25:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5235 https://access.redhat.com/errata/RHSA-2020:5235

Comment 23 errata-xmlrpc 2020-11-30 19:42:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:5257 https://access.redhat.com/errata/RHSA-2020:5257

Comment 24 errata-xmlrpc 2020-11-30 23:05:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5239 https://access.redhat.com/errata/RHSA-2020:5239

Comment 25 errata-xmlrpc 2020-12-01 15:24:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5314 https://access.redhat.com/errata/RHSA-2020:5314