Closed Bug 1885855 (CVE-2024-3863) Opened 2 years ago Closed 2 years ago

Treat xrm-ms files as executable (so we warn about them)

Categories

(Toolkit :: Downloads API, defect, P3)

Product:
Toolkit
Component:
Downloads API
Platform:
Desktop
Windows
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 125+ verified
firefox124 --- wontfix
firefox125 + verified
firefox126 + verified

People

(Reporter: Gijs, Assigned: mak)

Details

(Keywords: sec-moderate, sec-vector, Whiteboard: [adv-main125+][adv-esr115.10+])

Attachments

(4 files)

Bug 1885855. r=dimi
48 bytes, text/x-phabricator-request
Details | Review
Bug 1885855. r=dimi
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1885855. r=dimi
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
316 bytes, text/plain
Details
No description provided.
Assignee: nobody → mak
Attached file Bug 1885855. r=dimi

Daniel, I assume dependencies of a bug inherit its sec level, so this would also be sec-moderate. Though as I don't want to bend rules, I'm asking for confirmation.

Flags: needinfo?(dveditz)

Sometimes. we have to balance the fact that this is a separate bug in its own right with not wanting to double-count issues and getting teams in trouble for "having too many security bugs". In this case, sec-moderate seem good.

Flags: needinfo?(dveditz)
Keywords: sec-moderate

https://hg.mozilla.org/mozilla-central/rev/094054d6c7d0

Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox126: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch

:mak does this impact ESR115 wondering if we need an uplift there also?

status-firefox124: --- → wontfix
status-firefox125: --- → affected
tracking-firefox125: --- → +
tracking-firefox126: --- → +
Flags: needinfo?(mak)

Yes, I'll start asking for uplifts.

Flags: needinfo?(mak)
Attachment #9392778 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Explanation of risk level: Adding file extension to a list
  • User impact if declined: sec-moderate risk on opening the file
  • Is Android affected?: no
  • Code covered by automated testing: yes
  • Needs manual QE test: yes
  • String changes made/needed: No
  • Fix verified in Nightly: no
  • Risk associated with taking this patch: Low
  • Steps to reproduce for manual QE testing: Try downloading a file with one of these extensions. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening
Flags: qe-verify+
Attachment #9392787 - Flags: approval-mozilla-esr115?

Uplift Approval Request

  • User impact if declined: sec-moderate risk on opening the file
  • Is Android affected?: no
  • Code covered by automated testing: yes
  • Explanation of risk level: Adding file extension to a list
  • Risk associated with taking this patch: Low
  • Fix verified in Nightly: no
  • Steps to reproduce for manual QE testing: yes
  • Needs manual QE test: yes
  • String changes made/needed: No
OS: All → Windows
Attachment #9392778 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9392787 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
QA Whiteboard: [post-critsmash-triage]
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][qa-triaged]

I've reproduced this issue on Win 11 x64 with an affected Nightly build, 2024-03-18. Thank you, Marco for providing the test file.

The issue is verified as fixed on Win 11 x64 using the latest builds, Nightly 126.0a1, Beta 125.0b4 and Esr 115.10.0.

Status: RESOLVED → VERIFIED
status-firefox125: fixedverified
status-firefox126: fixedverified
status-firefox-esr115: fixedverified
Flags: qe-verify+
Whiteboard: [adv-main125+][adv-esr115.10+]
Attached file advisory.txt
Keywords: sec-vector
Alias: CVE-2024-3863
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: