Closed
Bug 1328594
Opened 8 years ago
Closed 8 years ago
approved addon Savogram 1.3.2 does remote script injection into every page, got shipped to users which are stuck on it
Categories: Toolkit :: Blocklist Policy Requests, defect
Status: RESOLVED FIXED
People: Reporter: aryx, Assigned: jorgev
Description
The addon Savogram in version 1.3.2 loads a remote script on every page via m_inc.js (this was the only change from version 1.3.1).
Version 1.3.2 is not public, Spoji in #amo-editors mentioned that it got rejected and version 1.3.1 got approved at the end of July.
According to the addon install logs (thanks to the developer of https://addons.mozilla.org/firefox/addon/addon-status-logger/ ), I installed that add-on at
2016/08/28 21:00:50 - Installing : Savogram, type = extension, scope = PROFILE, version = 1.3.1, needsRestart = false
and it updated to 1.3.2 at
2016/09/21 22:24:48 - Installing : Savogram, type = extension, scope = PROFILE, version = 1.3.2, needsRestart = false
So either the decision about which addon version should ship as an update was broken, or it got approved and later set to rejected. For the latter case, there should be a general procedure that a fixed version with a higher version number has to be released soon after this status change, so users can't be abandoned on a vulnerable version.
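As an added example (not code from the bug report or from Mozilla), the following parses Addon Status Logger install lines in the format quoted above together with a constructed blocklist entry shaped like the legacy blocklist.xml, and reports which install landed on the blocked version. The blockID is a placeholder, the name-to-id map is an assumption (the log carries display names, not add-on ids), and version comparison is simplified to numeric dotted versions.

```python
import re
import xml.etree.ElementTree as ET

# The two install lines quoted in the bug report.
LOG = """\
2016/08/28 21:00:50 - Installing : Savogram, type = extension, scope = PROFILE, version = 1.3.1, needsRestart = false
2016/09/21 22:24:48 - Installing : Savogram, type = extension, scope = PROFILE, version = 1.3.2, needsRestart = false
"""

# Constructed entry: blockID is a placeholder; id and version range come from the bug.
BLOCKLIST_XML = """<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <emItem blockID="PLACEHOLDER-BLOCK-ID" id="googlotim@gmail.com">
      <versionRange minVersion="1.3.2" maxVersion="1.3.2" severity="1"/>
    </emItem>
  </emItems>
</blocklist>"""
NS = {"b": "http://www.mozilla.org/2006/addons-blocklist"}

# Assumed mapping: the log shows display names, the blocklist keys on add-on ids.
NAME_TO_ID = {"Savogram": "googlotim@gmail.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - Installing : (?P<name>.+?), type = \w+, scope = \w+, "
    r"version = (?P<version>[\w.]+), needsRestart = \w+$")

def parse_log(text):
    """One dict (ts, name, version) per install line; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def version_key(v):
    # Simplification: numeric dotted versions only; the toolkit version format is richer.
    return tuple(int(p) for p in v.split("."))

def parse_blocklist(xml_text):
    """Map add-on id -> list of (minVersion, maxVersion) blocked ranges."""
    root = ET.fromstring(xml_text)
    return {item.get("id"): [(vr.get("minVersion"), vr.get("maxVersion"))
                             for vr in item.findall("b:versionRange", NS)]
            for item in root.findall(".//b:emItem", NS)}

def is_blocked(addon_id, version, blocked):
    key = version_key(version)
    return any((lo is None or version_key(lo) <= key) and (hi is None or key <= version_key(hi))
               for lo, hi in blocked.get(addon_id, []))

def find_blocked_installs(log_text, blocklist_xml):
    """Return (timestamp, name, version) for every install that falls in a blocked range."""
    blocked = parse_blocklist(blocklist_xml)
    return [(e["ts"], e["name"], e["version"]) for e in parse_log(log_text)
            if e["name"] in NAME_TO_ID and is_blocked(NAME_TO_ID[e["name"]], e["version"], blocked)]
```

Run over the quoted log, only the 2016/09/21 update to 1.3.2 is reported; the 1.3.1 install stays clean, which is the transition a profile audit would want to surface.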
Comment 1 • 8 years ago
I think it's OK to blocklist the vulnerable version since we notified the author that the issues need to be corrected asap and didn't get any reply.
Jorge, can we blocklist googlotim@gmail.com (version 1.3.2 only!) for remote script injection and unsafe DOM manipulation, please?
Assignee: nobody → jorge
Group: client-services-security
Component: Security → Blocklisting
Product: addons.mozilla.org → Toolkit
Comment 2 • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED