Closed Bug 758240 Opened 13 years ago Closed 13 years ago

Precompiled binaries may pose a risk to users

Categories

(Core :: Security, defect)

x86_64
Windows 7
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jimm, Assigned: catlee)

Details

(Whiteboard: [no-esr])

Filing this to ask the general question below. Normally all of our binaries are built on mozilla hardware internally. However certain pre-compiled binaries get checked into mozilla central and distributed to users through our installs (possibly in other cases as well?). A perfect example of this is bug 740694, a case where we added options to an nsis plugin dll and checked in the compiled binary for use by the installer. In this case the dll was built on my local workstation, the same workstation my family uses to surf the web. I'm quite certain the system I use to develop on is clean of malware, but that doesn't mean it is. So I'm curious if we scan our final distribution before we package it up and release it.
Pretty sure we do scan builds on the release machines. I know we scan our staging server (but, do the scanners we use know how to unpack our NSIS installers?). Doing builds this way means we might not have the source for such binaries, or have out of date source if there were local changes. This could lead to license issues and an inability to recreate a build, in addition to all the potential security problems.
Assignee: nobody → catlee
Yes, we scan all our release bits. We unpack the 7z self-extracting exes as well as mar files to scan inside them too. E.g. here's our virus scan log for 13.0b6:
http://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/13.0b6-candidates/build1/logs/release-mozilla-beta-antivirus-bm13-build1-build3.txt.gz
clamscan natively supports .tar.bz2, so we don't need to unpack that explicitly.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [no-esr]
Group: core-security → core-security-release
Group: core-security-release
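The comment above says the release scan unpacks MAR files before clamscan looks inside them. The following is an added example, not Mozilla's code (the project's own `mar` tool is written in C): a small Python reader for the MAR1 layout, a "MAR1" magic plus a 4-byte big-endian offset to the index, the index being a 4-byte length followed by entries of offset, size and flags (each big-endian 32-bit) and a NUL-terminated name. It walks the index, validates every offset and name so that a crafted index cannot read outside the content area or write outside an extraction directory, and hands each member to a scanner callable. `build_mar`, the sample member names and the marker string are constructed for the example, and `marker_scanner` stands in for a real engine such as clamscan.

```python
import struct

MAGIC = b"MAR1"
HEADER_LEN = 8          # "MAR1" + 4-byte big-endian offset of the index
ENTRY_FIXED_LEN = 12    # offset, size, flags: three big-endian uint32 per index entry

# Hypothetical signature used by the stand-in scanner below; not a real AV rule.
MALICIOUS_MARKER = b"CONSTRUCTED-TEST-MARKER"


def build_mar(files):
    """Assemble a minimal unsigned MAR from {name: bytes}. Only used to construct sample input."""
    content = b""
    index_body = b""
    offset = HEADER_LEN
    for name, data in files.items():
        index_body += struct.pack(">III", offset, len(data), 0o644) + name.encode("utf-8") + b"\x00"
        content += data
        offset += len(data)
    index = struct.pack(">I", len(index_body)) + index_body
    # Layout: header, member contents, then the index at the end (offset recorded in the header).
    return MAGIC + struct.pack(">I", offset) + content + index


def parse_mar(blob):
    """Walk the MAR index and return {name: bytes}, refusing any entry that points outside the file."""
    if len(blob) < HEADER_LEN or blob[:4] != MAGIC:
        raise ValueError("not a MAR archive")
    (index_offset,) = struct.unpack(">I", blob[4:HEADER_LEN])
    if index_offset + 4 > len(blob):
        raise ValueError("index offset beyond end of file")
    (index_len,) = struct.unpack(">I", blob[index_offset:index_offset + 4])
    pos = index_offset + 4
    end = pos + index_len
    if end > len(blob):
        raise ValueError("index length beyond end of file")
    members = {}
    while pos < end:
        if pos + ENTRY_FIXED_LEN > end:
            raise ValueError("truncated index entry")
        off, size, _flags = struct.unpack(">III", blob[pos:pos + ENTRY_FIXED_LEN])
        pos += ENTRY_FIXED_LEN
        nul = blob.find(b"\x00", pos, end)
        if nul < 0:
            raise ValueError("unterminated member name")
        name = blob[pos:nul].decode("utf-8")
        pos = nul + 1
        # A name like "../x" or "/etc/x" would escape an extraction directory; reject it.
        if name.startswith("/") or "\\" in name or ".." in name.split("/"):
            raise ValueError("unsafe member name: %r" % name)
        # Member data must lie between the header and the index.
        if off < HEADER_LEN or off + size > index_offset:
            raise ValueError("member %r points outside the content area" % name)
        if name in members:
            raise ValueError("duplicate member name: %r" % name)
        members[name] = blob[off:off + size]
    return members


def rejects(blob):
    """True if parse_mar refuses the blob; exercises the validation paths."""
    try:
        parse_mar(blob)
    except ValueError:
        return True
    return False


def flagged_members(blob, scanner):
    """Apply scanner (bytes -> bool) to every member and return the sorted names it flags."""
    return sorted(name for name, data in parse_mar(blob).items() if scanner(data))


def marker_scanner(data):
    """Stand-in for a real engine such as clamscan: flags content carrying the constructed marker."""
    return MALICIOUS_MARKER in data


# Constructed sample archive; the names mimic an update MAR but the bytes are placeholders.
SAMPLE_FILES = {
    "update.manifest": b"add \"firefox.exe\"\n",
    "firefox.exe": b"MZ" + b"\x00" * 16,
    "plugins/suspicious.dll": b"MZ" + MALICIOUS_MARKER,
}
SAMPLE_MAR = build_mar(SAMPLE_FILES)

if __name__ == "__main__":
    for name, data in parse_mar(SAMPLE_MAR).items():
        print("%-24s %6d bytes" % (name, len(data)))
    print("flagged:", flagged_members(SAMPLE_MAR, marker_scanner))
```

Because index entries carry absolute file offsets, the same reader works on signed MARs, which place signature and additional-information blocks between the header and the content; it does not verify those signatures, and it reads members in memory rather than writing them to disk, so a scanner can be pointed at each member without any extraction step. The 7z self-extracting installers the comment mentions are a separate case: 7-Zip can unpack NSIS installers directly, so no custom reader is needed there.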