Closed
Bug 1337304
(CVE-2017-5397)
Opened 7 years ago
Closed 7 years ago
Fennec cache directory is world writable
Categories
(Firefox for Android Graveyard :: General, defect, P1)
Tracking
(fennec51+, firefox51blocking fixed, firefox52+ fixed, firefox-esr52 fixed, firefox53+ fixed, firefox54 fixed)
People
(Reporter: jchen, Assigned: jchen)
Details
(Keywords: sec-critical, Whiteboard: [adv-main51.0.3+])
Attachments
(1 file)
|
2.19 KB,
patch
|
snorp
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
ritu
:
approval-mozilla-release+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
This is bad. We set the Fennec cache directory to be world writable here [1]. Now that we default to extracting libraries to the cache directory, it means any app can change our extracted libraries and inject arbitrary code. [1] https://dxr.mozilla.org/mozilla-central/rev/af8a2573d0f1e9cc6f2ba0ab67d7a702a197f177/mobile/android/geckoview/src/main/java/org/mozilla/gecko/mozglue/GeckoLoader.java#219
|
Assignee | |
Comment 1•7 years ago
|
||
installations that already had the permissions set.
Attachment #8834330 -
Flags: review?(snorp)
|
||
Updated•7 years ago
|
Priority: -- → P1
Comment on attachment 8834330 [details] [diff] [review] Patch gets rid of those lines, and reverts the permission for existing Review of attachment 8834330 [details] [diff] [review]: ----------------------------------------------------------------- Ugh. Nice catch. ::: mozglue/linker/Mappable.cpp @@ +149,5 @@ > "not extracting"); > return nullptr; > } > + > + // Ensure that the cache dir is private. Maybe mention this bug there, otherwise it's kind of a puzzling change. The cache directory is private by default.
Attachment #8834330 -
Flags: review?(snorp) → review+
We obviously need to uplift this immediately, and probably consider a dot release.
Eugen, I forget, what verification do we do on the extracted files on startup?
Flags: needinfo?(esawin)
Keywords: sec-critical
|
||
Comment 5•7 years ago
|
||
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #4) > Eugen, I forget, what verification do we do on the extracted files on > startup? None, we only check the CRC as provided by the APK against the cached CRC.
Flags: needinfo?(esawin)
tracking-fennec: --- → 51+
status-firefox51:
--- → affected
status-firefox52:
--- → affected
status-firefox53:
--- → affected
status-firefox54:
--- → affected
|
||
Updated•7 years ago
|
|
||
Updated•7 years ago
|
Assignee: nobody → nchen
|
|
Assignee | |
Comment 6•7 years ago
|
||
Comment on attachment 8834330 [details] [diff] [review] Patch gets rid of those lines, and reverts the permission for existing [Security approval request comment] How easily could an exploit be constructed based on the patch? It would be fairly easy to write an inconspicuous Android app that exploits this, but users would have to be tricked into installing that app first. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Yes it's fairly obvious what the problem is. Which older supported branches are affected by this flaw? All branches up to release If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Very easy and not risky. How likely is this patch to cause regressions; how much testing does it need? Tested locally and unlikely to cause regressions.
Attachment #8834330 -
Flags: sec-approval?
|
||
Comment 7•7 years ago
|
||
Comment on attachment 8834330 [details] [diff] [review] Patch gets rid of those lines, and reverts the permission for existing sec-approval+ for trunk.
Attachment #8834330 -
Flags: sec-approval? → sec-approval+
Hi Jim, Wes, can we get this patch landed on all branches asap? I'd like to gtb 51.0.3 (Fennec only dot release) in the next hour or so.
Flags: needinfo?(wkocher)
Flags: needinfo?(nchen)
Comment on attachment 8834330 [details] [diff] [review] Patch gets rid of those lines, and reverts the permission for existing Approving for uplift to Aurora53, Beta52, Release51
Attachment #8834330 -
Flags: approval-mozilla-release+
Attachment #8834330 -
Flags: approval-mozilla-beta+
Attachment #8834330 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 10•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f8620080eef03f82c57ac963aeeddf54a8af8e2
Flags: needinfo?(wkocher)
Flags: needinfo?(nchen)
|
|
||
Comment 11•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/c51d7c9daa24 https://hg.mozilla.org/releases/mozilla-beta/rev/69819951895f https://hg.mozilla.org/releases/mozilla-release/rev/0a1c7512c881
https://hg.mozilla.org/mozilla-central/rev/4f8620080eef
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 54
|
|
||
Updated•7 years ago
|
Alias: CVE-2017-5397
|
||
Updated•7 years ago
|
Group: firefox-core-security → core-security-release
|
|
||
Comment 13•7 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr52/rev/69819951895f
status-firefox-esr52:
--- → fixed
|
|
||
Updated•7 years ago
|
Whiteboard: [adv-main51.0.3+]
|
||
Comment 14•7 years ago
|
||
Comment on attachment 8834330 [details] [diff] [review] Patch gets rid of those lines, and reverts the permission for existing Review of attachment 8834330 [details] [diff] [review]: ----------------------------------------------------------------- ::: mozglue/linker/Mappable.cpp @@ +150,5 @@ > return nullptr; > } > + > + // Ensure that the cache dir is private. > + chmod(cachePath, 0770); This was the wrong level to be doing this. And this still leaves the directory group-writable. Which is fine-ish on Android, but I like to keep this code not making any Android-only assumptions.
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•