Closed Bug 1766047 (CVE-2022-34471) Opened 2 years ago Closed 2 years ago

Verify that version of downloaded XPI matches with the version from the update manifest

Tracking

(firefox-esr91 wontfix, firefox100 wontfix, firefox101 wontfix, firefox102+ fixed)

Status:

RESOLVED FIXED

Milestone:

102 Branch

Tracking Flags:

Tracking

Status

firefox-esr91

---

wontfix

firefox100

---

wontfix

firefox101

---

wontfix

firefox102

fixed

People

(Reporter: robwu, Assigned: robwu)

References

Details

(Keywords: sec-moderate, Whiteboard: [addons-jira][post-critsmash-triage][adv-main102+])

Attachments

(2 files)

Bug 1766047 - Reject updates that have a mismatching version 2 years ago Rob Wu [:robwu] 48 bytes, text/x-phabricator-request		Details \| Review
advisory.txt 2 years ago Tom Ritter [:tjr] (OOTO until 4/30 at least) 358 bytes, text/plain		Details

Rob Wu [:robwu]

Assignee

Description

•

2 years ago

We have logic that only select new versions from the update manifest. But after downloading we don't confirm whether the downloaded version matches the expected version. To avoid unintended downgrades when the update manifest has been tampered with on the server's end, we should prevent this from happening.

Rob Wu [:robwu]

Assignee

Updated

•

2 years ago

See Also: → https://mozilla-hub.atlassian.net/browse/WEBEXT-502

Rob Wu [:robwu]

Assignee

Updated

•

2 years ago

Depends on: 1766087

Rob Wu [:robwu]

Assignee

Comment 1

•

2 years ago

Attached file Bug 1766047 - Reject updates that have a mismatching version — Details

Tomislav Jovanovic :zombie

Updated

•

2 years ago

Severity: -- → N/A

Type: task → defect

Priority: -- → P2

Tomislav Jovanovic :zombie

Updated

•

2 years ago

Severity: N/A → S2

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Keywords: sec-moderate

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 2

•

2 years ago

Reject updates that have a mismatching version r=rpl,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/5fdca54eed615862439eba237461df742a3b46a9
https://hg.mozilla.org/mozilla-central/rev/5fdca54eed61

Group: firefox-core-security → core-security-release

Status: ASSIGNED → RESOLVED

Closed: 2 years ago

status-firefox102: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 102 Branch

Ryan VanderMeulen [:RyanVM]

Updated

•

2 years ago

status-firefox100: --- → wontfix

status-firefox101: --- → wontfix

status-firefox-esr91: --- → wontfix

tracking-firefox102: --- → +

Flags: in-testsuite+

Brindusa Tot, Desktop QA

Updated

•

2 years ago

Flags: qe-verify+

Whiteboard: [addons-jira] → [addons-jira][post-critsmash-triage]

Rob Wu [:robwu]

Assignee

Comment 3

•

2 years ago

Covered by unit tests.

Flags: qe-verify+ → qe-verify-

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Updated

•

2 years ago

Whiteboard: [addons-jira][post-critsmash-triage] → [addons-jira][post-critsmash-triage][adv-main102+]

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Comment 4

•

2 years ago

Attached file advisory.txt — Details

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Updated

•

2 years ago

Alias: CVE-2022-34471

Daniel Veditz [:dveditz]

Updated

•

1 year ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Verify that version of downloaded XPI matches with the version from the update manifest

Categories

(WebExtensions :: General, defect, P2)

Tracking

(firefox-esr91 wontfix, firefox100 wontfix, firefox101 wontfix, firefox102+ fixed)

People

(Reporter: robwu, Assigned: robwu)

References

Details

(Keywords: sec-moderate, Whiteboard: [addons-jira][post-critsmash-triage][adv-main102+])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Updated

Comment 1

Updated

Updated

Updated

Comment 2

Updated

Updated

Comment 3

Updated

Comment 4

Updated

Updated

Attachment

General

Description

File Name

Content Type