Closed Bug 1156835 Opened 9 years ago Closed 4 years ago

Investigate if the fix for bug 1087565 still has problems because of the use of the command line to pass the secret.

Categories

(Core :: IPC, defect, P3)

All
Windows
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr68 76+ fixed
firefox77 --- fixed
firefox78 --- fixed
firefox79 --- fixed

People

(Reporter: bobowen, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-audit, Whiteboard: sb+)

The fix for bug 1087565 is based on the Chrome patch for the same problem.

In bug 1087565 comment 8, a question was raised over whether the way the shared secret is passed to the other process is secure enough.

This bug is to investigate that and fix it, if it is deemed to be a problem.
I wasn't sure what sec-* rating this should have as we're not sure if this is even a problem.
Flags: needinfo?(dveditz)
Keywords: sec-audit
Group: core-security
Whiteboard: sb?
Whiteboard: sb? → sb+
Priority: -- → P2
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3

Now that bug 1557282 made it so that sandboxed processes cannot open each other, I think we can safely close this bug.
It seems reasonable to assume that not having permissions to open a process would block any ability to read its command line information.

Status: NEW → RESOLVED
Closed: 4 years ago
Depends on: 1557282
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Group: core-security-release