Bug 1428175 - Disable SAB in Fennec
Status: VERIFIED FIXED (Closed)
Opened 6 years ago; Closed 6 years ago
Categories: Firefox for Android Graveyard :: General, enhancement
Tracking: (Not tracked)
People: Reporter: snorp, Assigned: keeler
Attachments: 3 files, 1 obsolete file
Similar to bug 1423225, we need to disable SharedArrayBuffer in Fennec to mitigate fallout from the Meltdown and Spectre exploits.
Comment 1•6 years ago (Assignee)
Let me know if I should also get review from anyone else.
Comment 2•6 years ago
Does this need to be a hidden bug? We've had a blog post and a security advisory and shipped 57.0.4 with this same fix. IIUI this hotfix would only be needed by folks who hadn't yet updated Fennec itself (app updates are often only enabled when connected via wifi).
Flags: needinfo?(snorp)
Keywords: sec-other
Updated•6 years ago (Reporter)
Attachment #8939971 - Flags: review?(snorp) → review+
Comment 3•6 years ago
We're ready to ship this to Fennec 55 & 56 users. Could either :gchang or :sylvestre get the hotfix process going for this when ready?
Flags: needinfo?(sledru)
Flags: needinfo?(gchang)
Comment 4•6 years ago (Assignee)
https://hg.mozilla.org/releases/firefox-hotfixes/rev/0ceaf63e654b562b15f77961cc7f46811bc185b1
Comment 5•6 years ago (Assignee)
Comment 6•6 years ago
Ioana, could you please help with that? Thanks!
Flags: needinfo?(sledru) → needinfo?(ioana.chiorean)
Comment 7•6 years ago
I tried the hotfix on:
- Fennec Nightly 59
  -- changed in about:config the pref xpinstall.signatures.required to false
  -- allow and download the addon
  -- check in about:config the pref javascript.options.shared_memory is changed
- For Fennec 58 and 56 (and all below too) (as per Selena's request/comment)
  -- you get an error message and you are not able to open the addon (with or without pref xpinstall changes)
  -- after discussing with Keeler he mentioned we need a signed version for it.
Flags: needinfo?(ioana.chiorean)
Comment 8•6 years ago
Oh, I didn't realize that it was signed... Robert, could you please sign it? Thanks (not sure if you are the right person)
Flags: needinfo?(rhelmer)
Comment 9•6 years ago
(In reply to Sylvestre Ledru [:sylvestre] from comment #8)
> Oh, I didn't realize that it was signed...
>
> Robert, could you please sign it? Thanks (not sure if you are the right
> person)

I don't have access to sign these, but more importantly Fennec does not support system add-on updates as far as I am aware (bug 1260213)

It may still support the old Hotfix Add-on https://wiki.mozilla.org/Add-ons/Hotfix
Flags: needinfo?(rhelmer) → needinfo?(sledru)
Comment 10•6 years ago
(In reply to Robert Helmer [:rhelmer] from comment #9)
> (In reply to Sylvestre Ledru [:sylvestre] from comment #8)
> > Oh, I didn't realize that it was signed...
> >
> > Robert, could you please sign it? Thanks (not sure if you are the right
> > person)
>
> I don't have access to sign these, but more importantly Fennec does not
> support system add-on updates as far as I am aware (bug 1260213)
>
> It may still support the old Hotfix Add-on
> https://wiki.mozilla.org/Add-ons/Hotfix

This is a Hotfix, and is supported by Fennec. The wiki page doesn't mention who can sign these. Do we need someone from the Add-ons team?
Flags: needinfo?(rhelmer)
Comment 11•6 years ago
Ah, I found https://wiki.mozilla.org/Add-ons/Hotfix#Deployment. Working through it.
Flags: needinfo?(rhelmer)
Comment 12•6 years ago
I'm trying to stage the hotfix on AMO, but there's a problem: legacy add-ons don't work on 57 and above unless they're signed with the cert that we use for system add-ons. I don't think we created an equivalent exception for the hotfix, so as far as I understand it, the hotfix won't install on 57. I can force the signing in case it's worth giving it a shot.
Flags: needinfo?(sdeckelmann)
Comment 13•6 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #12)
> I'm trying to stage the hotfix on AMO, but there's a problem: legacy add-ons
> don't work on 57 and above unless they're signed with the cert that we use
> for system add-ons. I don't think we created an equivalent exception for the
> hotfix, so a far as I understand it, the hotfix won't install on 57.
>
> I can force the signing in case it's worth giving it a shot.

That's ok. We only want/need this for 55/56. 57 has the change already shipped.
Flags: needinfo?(sdeckelmann)
Comment 14•6 years ago
Hi Keeler, turns out that maxVersion should be 56.*. Can you make that change? Thanks!
Flags: needinfo?(dkeeler)
Comment 15•6 years ago (Assignee)
Updated: https://hg.mozilla.org/releases/firefox-hotfixes/rev/b858ef576c7545e333d4b9de7cd707f72304365b I'll attach the updated xpi shortly.
Flags: needinfo?(dkeeler)
Comment 16•6 years ago (Assignee)
Attachment #8940369 - Attachment is obsolete: true
Comment 17•6 years ago
The new version is now staged on https://addons-dev.allizom.org/android/addon/firefox-hotfix/
Comment 18•6 years ago
Ioana -- Could you please retest? We're only interested in Fennec 55/56 behavior, and that it doesn't work on 57.
Flags: needinfo?(ioana.chiorean)
Flags: needinfo?(sledru)
Comment 19•6 years ago
Tried with Fennec 55, 55.0.2, 56
- changed in about:config the pref xpinstall.signatures.required to false
- allow and download the addon
- addon is installed
- check in about:config the pref javascript.options.shared_memory is changed
All good here!
Flags: needinfo?(ioana.chiorean)
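The QA steps in comments 7 and 19 confirm the hotfix by reading javascript.options.shared_memory in about:config. As an added example, not part of this bug or of the hotfix add-on, the following JavaScript probes the observable effect instead: whether script in a realm can actually construct a SharedArrayBuffer. The `realm` parameter and the `hotfixedRealm` / `brokenRealm` objects are constructed stand-ins for a profile with the pref flipped and for an engine that exposes the constructor but refuses to allocate; the probe run against the real global reports whatever the engine on the device under test exposes.

```javascript
// Added example (not the bug's or the hotfix's own code): probe whether
// SharedArrayBuffer is usable from script, which is the observable effect
// of javascript.options.shared_memory=false, instead of reading the pref.
// `realm` defaults to the current global so this can be pasted into the
// console of a page on the device under test.
function probeSharedMemory(realm = globalThis) {
  const report = {
    sabDefined: typeof realm.SharedArrayBuffer === "function",
    sabConstructible: false,
    atomicsWaitAvailable: false,
    disabled: true,
  };

  if (report.sabDefined) {
    try {
      // Construction is the real test: a constructor that throws is as
      // good as absent for an attacker who wants a shared-memory timer.
      const sab = new realm.SharedArrayBuffer(8);
      report.sabConstructible = sab.byteLength === 8;
    } catch (e) {
      report.sabConstructible = false;
    }
  }

  // Atomics.wait is only meaningful on shared memory, so its presence is
  // a second signal that the engine still allows shared memory.
  report.atomicsWaitAvailable =
    typeof realm.Atomics === "object" &&
    realm.Atomics !== null &&
    typeof realm.Atomics.wait === "function";

  report.disabled = !report.sabConstructible;
  return report;
}

// Constructed stand-in (assumption) for a profile with the pref flipped:
// neither SharedArrayBuffer nor Atomics is exposed to script at all.
const hotfixedRealm = {};

// Constructed stand-in (assumption) for an engine that keeps the global
// but refuses to allocate shared memory; typeof alone would miss this.
const brokenRealm = {
  SharedArrayBuffer: function () {
    throw new TypeError("shared memory disabled");
  },
  Atomics: globalThis.Atomics,
};

// Run the probe against the current engine and both stand-ins.
function demo() {
  return {
    here: probeSharedMemory(),
    hotfixed: probeSharedMemory(hotfixedRealm),
    broken: probeSharedMemory(brokenRealm),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run in a page's console on a hotfixed 55/56 profile, `probeSharedMemory()` should report `disabled: true`; under Node or a desktop browser that still ships shared memory it reports `disabled: false`, which is why the two constructed realms are included to exercise the negative path offline.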
Comment 20•6 years ago
The Relman team has reviewed this and it's something we need to do. Once QA sign-offs are green, we should be good to go.
Comment 21•6 years ago
Is anything else needed beyond comment #9? I can publish the hotfix as soon as we're good.
Flags: needinfo?(rkothari)
Comment 22•6 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #21)
> Is anything else needed beyond comment #9? I can publish the hotfix as soon
> as we're good.

Did you mean comment 20?
Flags: needinfo?(jorge)
Comment 23•6 years ago
I meant comment #19, since that appeared to cover QA for the staged block.
Flags: needinfo?(jorge)
Comment 24•6 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #21)
> Is anything else needed beyond comment #9? I can publish the hotfix as soon
> as we're good.

If the QA sign-offs are good, please go ahead and push this hotfix out. Thanks!
Flags: needinfo?(rkothari)
Comment 25•6 years ago
One last thing: the file attached on this bug hasn't been signed. Per https://wiki.mozilla.org/Add-ons/Hotfix#Signatures, the hotfix needs a special signature in order to be automatically updated in Firefox. I don't know if this is also the case for Android. David, do you know if Firefox for Android also checks for that signature? Wei, can you look into signing the file in comment #16?
Flags: needinfo?(wezhou)
Flags: needinfo?(dkeeler)
Comment 26•6 years ago (Assignee)
I'm fairly sure Firefox for Android requires hotfixes to be signed (particularly going by comment 19).
Flags: needinfo?(dkeeler)
Comment 28•6 years ago
The new version of the hotfix is now live.
Updated•6 years ago
Flags: needinfo?(gchang)
Updated•6 years ago (Reporter)
Flags: needinfo?(snorp)
Comment 29•6 years ago (Reporter)
Whoops, meant to actually comment -- I think we can unhide this bug now since the fix is live and the vulns have been disclosed, etc.
Updated•6 years ago (Reporter)
Group: mozilla-employee-confidential
Updated•6 years ago (Reporter)
Group: firefox-core-security
Updated•6 years ago
Status: RESOLVED → VERIFIED
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard