libprio could potentially allow a malicious client to corrupt the statistics that the system outputs
Categories
(Toolkit :: General, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox111 | --- | fixed |
People
(Reporter: rhelmer, Assigned: simonf)
References
Details
Attachments
(1 file)
I received this report and patch from Henry Corrigan-Gibbs via email:
While looking back at the code for the libprio C library,
I noticed a security-relevant logic bug in the servers'
validation logic.In particular, the bug could potentially allow a malicious
client to corrupt the statistics that the system outputs. So,
it's security-relevant, but is probably low impact -- it just
affects the correctness of the statistics and doesn't involve
memory errors or anything like that.As far as I can tell, the bug does not affect libprio-rs.
The current version of Prio is based on the pilot C library https://github.com/mozilla/libprio which is vendored in mozilla-central (we haven't switched to the Rust version yet https://github.com/divviup/libprio-rs).
I'm not sure if we're actively using the C version of libprio in Firefox, we should consider removing it and moving to libprio-rs instead if there are plans to use it in the future.
Otherwise, we should probably ship the fix in Firefox before disclosing it in GitHub (it's also used by backend tooling, where this patch probably isn't relevant).
|
Reporter | |
Comment 1•2 years ago
|
||
Do you know of any plans to use the C version of libprio? How would you feel about removing it?
|
||
Comment 2•2 years ago
|
||
To my knowledge any existing use of the C library can be discontinued as current efforts aren't engaging with it (though content blocking may need to be asked if they're receiving and using the data from Origin Telemetry). Simon, is this correct?
|
Assignee | |
Comment 3•2 years ago
|
||
Yes, we're now already using the Rust version libprio-rs. We should try to remove the C library from mozilla-central, I think.
|
||
Comment 4•2 years ago
|
||
Makes sense to me!
Rob, should we add a note to the mozilla/libprio repository saying that we're no longer patching security bugs for it?
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 5•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
Reporter | |
Comment 6•2 years ago
|
||
(In reply to Henry Corrigan-Gibbs [:henrycg] from comment #4)
Makes sense to me!
Rob, should we add a note to the mozilla/libprio repository saying that we're no longer patching security bugs for it?
Yes I will do this and also archive it.
|
||
Comment 7•2 years ago
|
||
Backed out for causing multiple failures
- Backout link
- Push with failures
- Failure Log
- Failure line: TEST-UNEXPECTED-FAIL | telemetry/marionette/tests/client/test_main_tab_scalars.py TestMainTabScalars.test_main_tab_scalars | AssertionError: Error waiting for ping: Timed out after 60.1 seconds
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 10•2 years ago
|
||
Backed out changeset aefea186c9bc (bug 1810790) for causing mochitest failures on performance/browser_preferences_usage.js
Backout: https://hg.mozilla.org/integration/autoland/rev/ba5f6662ca8058d3e646c042c5bbaa8b0ef027ca
Failure log: https://treeherder.mozilla.org/logviewer?job_id=404340006&repo=autoland&lineNumber=3887
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
| bugherder | ||
Description
•