Closed Bug 26603 Opened 25 years ago Closed 23 years ago

security audit of mozilla code

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: dmosedale, Assigned: security-bugs)

References

Details

(Keywords: meta)

I was reading through a security advisory recently, and started thinking about the recent landing of nsIFile and it occurred to me that it probably be a good idea to do some basic code-auditing like checking for symlink-races. After a bit more thought, I realized this is really just an instance of something larger: an overall code audit. One possible way to structure this is to have some sort of public "Crack Mozilla" campaign shortly before final release. Splash mozilla.org and mozillazine, encouraging people to help us audit. Thoughts?
If I can get a stuffed green Moz out of it, I'll certainly try!
Security is mstoltz's bag, though I'll definitely take it back if he doesn't think that data coming out of such an audit can be discussed publicly.
Assignee: shaver → mstoltz
Good idea - Let's do it. Shaver, let's work together on planning this. I suggest post-PR2, simply because I'm swamped right now and so are many Netscape engineers who should contribute to this. Marking M18.
Status: NEW → ASSIGNED
Target Milestone: --- → M18
moving from architecture to browser product. adding arch keyword.
Component: All → Security: General
Keywords: arch
Product: Architecture → Browser
Version: 5.0 → other
We [note how I waste no time before abusing pronouns] would need to define what level of security we are aiming for before unleashing the slashdot effect on our helpless lizard. In an ideal world, webpages would be able to do little else than be displayed and interact with the user within a small, defined space, but traditionally, Netscape and Internet Explorer have promised far less than this and even contained bugs allowing for the execution of arbitrary code. Categories of security holes might include holes that allow pages, e-mails, or newsgroup postings to: 1. execute arbitrary code 2. view arbitrary content belonging to user 3. block mozilla from loiding in the future (homepage excluded?) 4. determine or reveal user's identity when not wanted (images in mail) 5. edit or delete cookies for other sites 6. view history, cookie lists, or specific cookies 7. abuse another site's trust of user (cross-site posting) 8. abuse user's trust of another site (client-side trojans) 9. exploit user's nonzero reaction time to make him/her run arbitrary code 10. glean information about user's computer (cpu speed, available ram) 11. finley monitor cpu usage by other programs 12. crash an operating system 13. freeze an operating system (hog cpu very well) 14. hog system resources other than cpu (ram, widgets) 15. crash mozilla 16. freeze mozilla for ten seconds or more 17. make it impossible to exit mozilla normally
> stuffed green Moz Better yet, a stuffed green Moz signed by the person at fault for the hole <eg>
Assigning QA to czhang
QA Contact: shaver → czhang
Keywords: nsbeta3
[nsbeta3-] (eric & beard).
Whiteboard: [nsbeta3-]
shaver, mstoltz - is one of you going to run with this? Gerv
I'm going to try and do a series of (Netscape internal) security reviews in the post-PR3 period. I could use some advice on how to get the Mozilla community involved as well.
If you mean on a code level, a post to the NGs and a message on Mozillazine asking for developer help is about all you can do. If you want people to beat on it from the outside, same as above, but we could do wider publicity - security mailing lists, etc... Gerv
Adding rtm keyword as these security review meetings will take place after PR3.
Depends on: 7255, 7257, 16307, 40756
Keywords: arch, nsbeta3meta, rtm
Target Milestone: M18 → M20
How are we doing on format string bugs? Is there some type of automated program or does this have to be checked by hand? :( [david@ender mozilla]$ find mozilla -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l 3872
What sort of bug are you referring to? And why can't you use lxr.mozilla.org to do the serach?
Format String Attacks: http://www.guardent.com/rd_whtpr_formatNewsham.html Also seen all over bugtraq recently. I guess I could use lxr, but a find command seems to work just as well.
Not sure this should have been nominated for rtm per-se. It's a good thing to do, but the scope seems pretty large for the time that remains. Getting the community involved ASAP would be a good thing regardless of the timing for the branch release. If we have any fire drills, we might take the results of this into account as well. Does it make sense for this to remain rtm nominated?
Whiteboard: [nsbeta3-] → [nsbeta3-][need minus]
Surely the nomination should stay, but I agree that it's by far too late to "fix" this bug.
At the time, I marked this rtm to remind myself to work on this during the rtm time frame. I nay case, I wasn't planning to mark it Fixed until it was done to my satisfaction, which isn't going to happen by rtm, at any rate. Should I remove rtm, or should I have someone minus it? Or does it really matter?
QA Contact: czhang → junruh
rtm- to get this off the radar.
Whiteboard: [nsbeta3-][need minus] → [nsbeta3-][rtm-]
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Keywords: mozilla0.9
I'm (also) scared, that Mozilla might still contain traditional security problems, like buffer overruns (no concrete examples, but potentially all code handling net-content in char*s), symlink attacks (libmime writes lots of files to /tmp - I didn't check, if it's actually vulnerable) etc..
Ben, can you look for these? Or encourage others? I'm going to see about reviving Netscape's bug bounty program, so there may be some reward in it...
This is a pretty huge project. I can certainly encourage, but I can't do everything (anything?) myself. Frist, we'd need a plan :-). What exactly has to be done? Where are tutorials on the web, so people without background can help? Then, post this as project (newsgroups, mozillazine, bugtraq?), with code sections (probably modules or CVS dirs) for which people can sign up. Bug bounty? "Find a bug and get 1,000$"? Aren't there automatic checkers for overflows, which cover at least many cases?
Seems like I guessed quite good :) <http://home.netscape.com/newsref/pr/newsrelease68.html>.
Mass changing milestone to Moz1.0 - stuff targeted for late spring/early summer.
Target Milestone: --- → mozilla1.0
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 (you can query for this string to delete spam or retrieve the list of bugs I've moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
Resetting Milestone (due to mass-change) and adding mozilla 1.0 keyword.
Keywords: nsrtmmozilla1.0
Whiteboard: [nsbeta3-][rtm-]
Target Milestone: mozilla1.0.1 → ---
Target Milestone: --- → mozilla1.0
OK, this review is underway and is being tracked elsewhere, so I'm going to close this bug. If you'd like to help with this effort, take a look at http://www.mozilla.org/projects/security/components/reviewguide.html or email mstoltz@netscape.com with your suggestions.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Marking verified as per above developer comments. The QA team is also involved in this initiative. Please contact bsharma@netscpae.com if you have any testing issues or want to help in the testing area.
Status: RESOLVED → VERIFIED
Repeating my question from <http://bugzilla.mozilla.org/show_bug.cgi?id=40756#c21> at Jun 4th: mstoltz wrote: > this review is underway and is being tracked elsewhere Where is tracked?
You need to log in before you can comment on or make changes to this bug.