Closed
Bug 1235876
(CVE-2016-1948)
Opened 9 years ago
Closed 9 years ago
LWT permissions exposed to man-in-the-middle attacks
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox44 fixed, firefox45 fixed, firefox46 fixed, b2g-v2.5 fixed)
RESOLVED
FIXED
Firefox 46
People
(Reporter: Margaret, Assigned: Margaret)
References
Details
(Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main44+])
Attachments
(1 file)
1.08 KB,
patch
|
Gijs
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
To install a lightweight theme, we listen for custom events from addons.mozilla.org, and we check the document URI to make sure these events are actually coming from addons.mozilla.org:
https://dxr.mozilla.org/mozilla-central/rev/9ddf0da90fb3bc1ae29966dc596013fc54a44bd2/mobile/android/chrome/content/browser.js#3251-3259
However, we don't check the scheme to ensure it's https. We should do that. Desktop already does this:
https://dxr.mozilla.org/mozilla-central/rev/9ddf0da90fb3bc1ae29966dc596013fc54a44bd2/browser/base/content/browser-addons.js#631-647
To fix this bug, make the mobile code do what the desktop code does.
Assignee | ||
Comment 1•9 years ago
|
||
Actually, this is a security bug for all add-ons. See the desktop bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1128126
Assignee: nobody → margaret.leibovic
Group: firefox-core-security
Assignee | ||
Updated•9 years ago
|
Mentor: margaret.leibovic
Summary: Check scheme before handling lightweight theme events → Addon permissions exposed to man-in-the-middle attacks
Whiteboard: [lang=js][good first bug]
Assignee | ||
Comment 2•9 years ago
|
||
Actually, the patch in bug 1128126 contains a fix for XPIProvider.jsm, which protects Fennec for the non-LWT case.
But I'll still write a patch for the LWT case.
See Also: → CVE-2015-0812
Summary: Addon permissions exposed to man-in-the-middle attacks → LWT permissions exposed to man-in-the-middle attacks
Assignee | ||
Comment 3•9 years ago
|
||
Attachment #8702984 -
Flags: review?(gijskruitbosch+bugs)
Updated•9 years ago
|
Attachment #8702984 -
Flags: review?(gijskruitbosch+bugs) → review+
Assignee | ||
Comment 4•9 years ago
|
||
https://hg.mozilla.org/integration/fx-team/rev/fe8054f2ac3e765c8d3b51df78222cd0777c4163
Bug 1235876 - Check scheme before handling lightweight theme events. r=Gijs
Assignee | ||
Comment 5•9 years ago
|
||
Comment on attachment 8702984 [details] [diff] [review]
Check scheme before handling lightweight theme events. r=Gijs
Looking at bug 1128126 comment 16, this is likely a sec-low, given that it only affects lightweight themes (not add-ons). So I went ahead and landed it.
Approval Request Comment
[Feature/regressing bug #]: None.
[User impact if declined]: Potential for MTIM attacks when installing a lightweight theme.
[Describe test coverage new/current, TreeHerder]: No automated tests, verified locally this doesn't regress LWT installs.
[Risks and why]: Low-risk, adds check to make sure URI installing LWTs is https.
[String/UUID change made/needed]: None.
Attachment #8702984 -
Flags: approval-mozilla-beta?
Attachment #8702984 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•9 years ago
|
Attachment #8702984 -
Attachment description: CCheck scheme before handling lightweight theme events. r=Gijs → Check scheme before handling lightweight theme events. r=Gijs
Comment on attachment 8702984 [details] [diff] [review]
Check scheme before handling lightweight theme events. r=Gijs
Sec issue with a simple fix, Beta44+, Aurora45+
Attachment #8702984 -
Flags: approval-mozilla-beta?
Attachment #8702984 -
Flags: approval-mozilla-beta+
Attachment #8702984 -
Flags: approval-mozilla-aurora?
Attachment #8702984 -
Flags: approval-mozilla-aurora+
Comment 7•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Comment 8•9 years ago
|
||
Comment 9•9 years ago
|
||
Updated•9 years ago
|
Group: firefox-core-security → core-security-release
Comment 10•9 years ago
|
||
status-b2g-v2.5:
--- → fixed
Updated•9 years ago
|
Alias: CVE-2016-1948
Updated•9 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main44+] → [post-critsmash-triage][adv-main44+]
Updated•8 years ago
|
Group: core-security-release
Updated•4 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•