Closed Bug 804046 Opened 12 years ago Closed 12 years ago

[Security Review][Action item] Updates for B2G - fuzz MAR format

Categories

(mozilla.org :: Security Assurance, task, P2)

x86
macOS

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: pauljt, Unassigned)

Details

During the discussion of B2G updates, the threat of a malicious MAR file being delivered to a device was discussed. Update manifests are delivered over SSL, and contain a URL and a hash of the update. The update itself is downloaded over HTTP (to support CDNs, I think).

The threat here is that an attacker with network control (MITM) could modify/replace the update contents. However, the attack surface is pretty small, since the first thing that happens after download is that the hash of the file is checked. So any fuzzing wouldn't really be against the MAR format, it would be against that hash check.

So I don't think there really is an action here, but thought I should document this for completeness.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Blocks: 772404
No longer blocks: b2g-app-updates
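
The gate described in the report above, sketched as an added example that is not part of the bug or of Mozilla's updater code: the payload fetched over HTTP is hashed and compared with the manifest value before any MAR parsing runs. The manifest field names, the SHA-2 allow-list, the size field, and the `parse_mar` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import io

# Constructed stand-in bytes, not a real MAR file.
CONSTRUCTED_PAYLOAD = b"MAR1" + b"\x00" * 60
# Assumed manifest shape: the report says only "a URL and a hash of the update".
MANIFEST = {
    "url": "http://cdn.example.invalid/update.mar",
    "hash_function": "sha512",
    "hash_value": hashlib.sha512(CONSTRUCTED_PAYLOAD).hexdigest(),
    "size": len(CONSTRUCTED_PAYLOAD),
}
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}  # assumed policy


class UpdateRejected(Exception):
    """Raised when the download does not match the trusted manifest."""


def verify_download(stream, manifest, chunk=8192):
    """Return the payload bytes only if they match the manifest; else raise."""
    algo = manifest["hash_function"].lower()
    if algo not in ALLOWED_HASHES:
        raise UpdateRejected("hash function not allowed: " + algo)
    digest = hashlib.new(algo)
    buf = bytearray()
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf += block
        # Stop early so an oversized response cannot exhaust memory.
        if len(buf) > manifest["size"]:
            raise UpdateRejected("download larger than manifest size")
        digest.update(block)
    if len(buf) != manifest["size"]:
        raise UpdateRejected("download shorter than manifest size")
    expected = manifest["hash_value"].lower()
    if not hmac.compare_digest(digest.hexdigest(), expected):
        raise UpdateRejected("hash mismatch")
    return bytes(buf)


def apply_update(stream, manifest, parse_mar):
    """The MAR parser (hypothetical callback) sees only verified bytes."""
    payload = verify_download(stream, manifest)
    return parse_mar(payload)
```
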