Closed Bug 1100043 Opened 10 years ago Closed 10 years ago

Updater doesn't validate signature

Categories: Firefox :: Untriaged, defect
Version: 33 Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 973933

People: Reporter: jvoss, Unassigned

Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141113143407

Steps to reproduce:

mkdir marfuzz
tar xf ~/Downloads/firefox-33.0.3.tar.bz2
cd marfuzz/
cp -i ~/Downloads/firefox-33.0.3-33.1.1.partial.mar update.mar
okteta update.mar
# Set all bytes in the signature to 'A'
/usr/local/bin/firefox-33.1.1/updater ~/src/marfuzz/ ~/src/firefox/
Actual results:

Updater updated the firefox directory with the update.mar without checking its signature.


Expected results:

Updater should have failed validation and not modified the firefox directory.
Flags: needinfo?(robert.strong.bugs)
This attachment causes updater to delete the current Firefox installation. It is the proof of concept for this bug. It contains an invalid signature which is not checked.
Download this file and run the following in its directory:
mv rmrf1.mar update.mar
/path/to/firefox/updater "$PWD" /path/to/firefox/
This bug demonstrates that MAR signing isn't implemented on platforms other than Windows yet, and the bugs to implement MAR are public, so this isn't security sensitive.

Duping to the bug where we are implementing MAR signing for platforms other than Windows.
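The check the report expects (verify the package signature before touching the install directory), as an added example that is not Mozilla's updater code: it assumes a simplified package layout (payload followed by a 256-byte RSA-PSS signature trailer, an assumption for this example and not the real MAR format) and shows that a package whose signature bytes were overwritten with 'A', as in the reproduction steps, is rejected and leaves the install directory untouched.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Assumed package layout for this example only (not the real MAR format):
// payload bytes followed by a 256-byte RSA-PSS (2048-bit key) signature trailer.
const sigLen = 256

var errBadSignature = errors.New("update rejected: signature verification failed")

// applyUpdate verifies the package against the vendor's public key before the
// install step runs; on any failure installDir is left untouched.
func applyUpdate(pub *rsa.PublicKey, pkg []byte, installDir map[string][]byte) error {
	if len(pkg) < sigLen {
		return errBadSignature
	}
	payload, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errBadSignature
	}
	installDir["firefox-bin"] = payload // the only write, reached only after verification
	return nil
}

// signPackage builds a package the way a vendor's build pipeline would.
func signPackage(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, payload...), sig...), nil
}

// tamperSignature overwrites the signature trailer with 'A' bytes, the same
// corruption the report applied with a hex editor, to exercise the check.
func tamperSignature(pkg []byte) []byte {
	out := append([]byte{}, pkg...)
	copy(out[len(out)-sigLen:], bytes.Repeat([]byte{'A'}, sigLen))
	return out
}
```

Generate a key with rsa.GenerateKey, sign a constructed payload with signPackage, then call applyUpdate on both the signed and the tampered package; only the first populates the install map.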
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(robert.strong.bugs)
Resolution: --- → DUPLICATE