[Security Review] MMS support

RESOLVED FIXED

Status

mozilla.org
Security Assurance
P1
normal
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: pauljt, Assigned: pauljt)

Tracking

(Blocks: 1 bug)

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy], URL)

(Assignee)

Description

5 years ago
Review app and underlying platform change that support MMS.
(Assignee)

Updated

5 years ago
Blocks: 744684
(Assignee)

Comment 1

5 years ago
Large complex feature, large attack surface -> P1
Priority: P2 → P1
Assignee: nobody → ptheriault
OS: Mac OS X → All
Hardware: x86 → All
(Assignee)

Comment 2

4 years ago
Reviewed MMS app inside Gaia SMS app, and a high-level review of MMS Gecko code. The main control for MMS, as with SMS, is that it is protected by the 'sms' permission, which is certified only.

Gaia Components: 
One potential issue was identified relating to MMS. See 912885 for details.
Other notes rolled into SMS gaia review: https://wiki.mozilla.org/Security/Reviews/Gaia/sms

Gecko Components:
- Re-uses existing system messages (sms-sent, sms-received) which have permission checks on them
- Only content-accessible interface (apart from readonly) is under navigator, and requires 'sms' permission
- Examined code to look for any risk of malformed MMS causing issues. Most parsing happens at Gaia layer though.

Would be good to fuzz MMS (in a similar manner to existing SMS fuzzing). I'll raise a separate bug for this testing.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(In reply to Paul Theriault [:pauljt] from comment #2)

> Gaia Components: 
> One potential issue was identified relating to MMS. See 912885 for details.

Note that I still have a sec-approval request there ;)