Closed Bug 1823077 (CVE-2023-29545) Opened 1 year ago Closed 1 year ago

Save file containing environment variables in "Save Link As" on Firefox 111 Windows

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
Firefox 111
Platform:
Desktop
Windows 10
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox-esr102 112+ verified
firefox111 --- wontfix
firefox112 + verified
firefox113 + verified

People

(Reporter: haxatron1, Assigned: Gijs)

References

Details

(Keywords: csectype-disclosure, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main112+][adv-esr102.10+])

Attachments

(3 files)

test.html
53 bytes, text/html
Details
Bug 1823077, r?mhowell
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr102+
Details | Review
advisory.txt
359 bytes, text/plain
Details
Attached file test.html

Not sure if you noticed but its still possible to save files containing %% when using "Save Link As" on Firefox 111.0 -- https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28163

STR

  1. Right click Save Link As on this document.
Flags: sec-bounty?

Right click Save Link As on the URL in this document.

o

OS: Unspecified → Windows 10
Hardware: Unspecified → Desktop
Version: unspecified → Firefox 111
Summary: Save file containing %% in "Save Link As" on Firefox 111 Windows → Save file containing environment vairables in "Save Link As" on Firefox 111 Windows
Summary: Save file containing environment vairables in "Save Link As" on Firefox 111 Windows → Save file containing environment variables in "Save Link As" on Firefox 111 Windows
Depends on: CVE-2023-28163
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Attached file Bug 1823077, r?mhowell

CVE-2023-28163 was sec-moderate, so I don't see this being more - arguably it's sec-low because it requires more user action than "just" downloading something (which can be site-triggered, whereas the STR here require the context menu), though the older bug required configuration, so 🤷‍♂️. I've picked sec-moderate for now, but given that I don't see this being sec-high, going to assume I'm OK to land and uplift this...

Flags: needinfo?(dveditz)
Keywords: sec-moderate

https://hg.mozilla.org/mozilla-central/rev/88f9b48c9615

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox111: --- → wontfix
status-firefox112: --- → affected
status-firefox113: --- → fixed
status-firefox-esr102: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

Comment on attachment 9323977 [details]
Bug 1823077, r?mhowell

Beta/Release Uplift Approval Request

  • User impact if declined: sec-moderate
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See comment 0
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very small patch in targeted bit of the windows filepicker code
  • String changes made/needed: Nope
  • Is Android affected?: No
Attachment #9323977 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9323977 [details]
Bug 1823077, r?mhowell

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate
  • User impact if declined: ditto
  • Fix Landed on Version: 113 w/ beta uplift 112 requested
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very small patch in targeted bit of the windows filepicker code
Attachment #9323977 - Flags: approval-mozilla-esr102?

yes, moderate sounds right.

Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(dveditz)
Keywords: csectype-disclosure
QA Whiteboard: [qa-triaged]

Comment on attachment 9323977 [details]
Bug 1823077, r?mhowell

Approved for 112.0b6

Attachment #9323977 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

I have reproduced the bug on Win 11 with an affected Nightly build 113.0a1 (2023-03-17).

The issue is verified as fixed on latest Nightly 113.0a1 and Beta 112.0b6 under Win 11 x64. I'll verify the bug in Esr as well, if the patch is approved.

status-firefox112: fixedverified
status-firefox113: fixedverified

Comment on attachment 9323977 [details]
Bug 1823077, r?mhowell

Approved for 102.10esr.

Attachment #9323977 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

This is also verified as fixed on 102.10.0esr with Win 11 x64.

Status: RESOLVED → VERIFIED
status-firefox-esr102: fixedverified
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main112+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main112+] → [reporter-external] [client-bounty-form] [verif?][adv-main112+][adv-esr102.10+]
Alias: CVE-2023-29545
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: