741376 – (CVE-2011-2366) CVE-2011-2366 Mozilla: WebGL cross-domain image theft

Bug 741376 (CVE-2011-2366) - CVE-2011-2366 Mozilla: WebGL cross-domain image theft

Summary: CVE-2011-2366 Mozilla: WebGL cross-domain image theft

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2011-2366
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	739517
TreeView+	depends on / blocked

Reported:	2011-09-26 17:37 UTC by Josh Bressers
Modified:	2021-02-24 14:39 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-09-29 04:43:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description Josh Bressers 2011-09-26 17:37:27 UTC

This issue is detailed here:
http://www.contextis.co.uk/resources/blog/webgl/

The proof-of-concept consists in loading a cross-domain image as a WebGL
texture, and rendering each pixel using a shader program that takes an
amount of time proportional to the R, G, B values of pixels. By timing
this, they get an approximation of the image.


Upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=655987

Comment 1 Huzaifa S. Sidhpurwala 2011-09-29 04:43:43 UTC

RHEL-4/5/6 ships firefox 3.6.x, which does not have support for WebGL.

Statement:

Not Vulnerable. This issue did not affect the version of Firefox as shipped with Red Hat Enterprise Linux 4, 5 or 6.

Note You need to log in before you can comment on or make changes to this bug.