[tor-commits] [Git][tpo/applications/tor-browser-spec][main] 2 commits: Bug 40055: FF108 Audit

Tue Sep 12 00:41:27 UTC 2023


richard pushed to branch main at The Tor Project / Applications / tor-browser-spec


Commits:
e8e6f825 by Richard Pospesel at 2023-09-11T23:56:52+00:00
Bug 40055: FF108 Audit

- - - - -
fc74e1ae by Richard Pospesel at 2023-09-12T00:41:12+00:00
Bug 40061: FF114 Audit

- - - - -


2 changed files:

- + audits/FF108_AUDIT
- + audits/FF114_AUDIT


Changes:

=====================================
audits/FF108_AUDIT
=====================================
@@ -0,0 +1,80 @@
+# General
+
+The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
+
+The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
+
+`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
+
+## Firefox: https://github.com/mozilla/gecko-dev.git
+
+- Start: `1187da3c99c93ad941eea0809d3b2c8f81ac5ccf` ( `FIREFOX_107_0_1_RELEASE` )
+- End:   `0ae93a27c796bea7836d4b0885c8a1f2c4c18284`  ( `FIREFOX_108_0_2_RELEASE` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+---
+
+## Application Services: https://github.com/mozilla/application-services.git
+
+- Start: `ce8f1767d991da9d6d26331faecd426210071c7e`  ( `v96.1.0` )
+- End:   `d8b5a386936aa156f4c6d93e6645a6d2188aa788`  ( `v96.2.1` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Firefox Android: https://github.com/mozilla-mobile/firefox-android.git
+
+- Start: `0486e931b4427d646af1dcf69a53c90efbe60862`
+- End:   `55d34bf82ad051e25f15c0d1ef5fb8b3a32a7522`
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Fenix: https://github.com/mozilla-mobile/fenix.git
+
+- Start: `171d8a7aa521676d008bfd98bfae34ce8774e5f5` ( `v108.0b1` )
+- End:   `78718ba91dd19f78e94d8f8c462598c29d48069a`  ( `v108.2.0` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Ticket Review ##
+
+Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=108%20Branch&order=priority%2Cbug_severity&limit=0`
+
+#### Problematic Issues:
+
+- **Remove descriptionheightworkaround.** https://bugzilla.mozilla.org/show_bug.cgi?id=1795944
+  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41959
+  - **RESOLUTOIN** not a security issue, more of a general ESR migration/functionality issue
+- **Proxy environment variables should be upper case / case insensitive** https://bugzilla.mozilla.org/show_bug.cgi?id=1797896
+  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41960
+  - **RESOLUTION**: determined this logic is gated behind our tor configuration settings, and so aren't relevant or a de-anonimisation vector; nothing to do here
+- **Hide cookie banner handling UI by default** https://bugzilla.mozilla.org/show_bug.cgi?id=1798868
+  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41961
+  - **RESOLUTION**: we will hide the UI to enable/disable the feature, and likely enable the feature for everyone
+
+## Export
+- [ ] Export Report and save to `tor-browser-spec/audits`
\ No newline at end of file


=====================================
audits/FF114_AUDIT
=====================================
@@ -0,0 +1,59 @@
+# General
+
+The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
+
+The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
+
+`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
+
+## Firefox: https://github.com/mozilla/gecko-dev.git
+
+- Start: `8a724297d78ba792067a7e4d17d170c6b3af796e` ( `FIREFOX_113_0_2_RELEASE` )
+- End:   `b1d2c35b2699a6d77f6a41ae2338d9c370c5172e`  ( `FIREFOX_114_0_2_RELEASE` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+---
+
+## Application Services: https://github.com/mozilla/application-services.git
+
+- Start: `b126218b17a2273edb2f1ed5806f689440740b23` ( `v114.1` not really, Mozilla created a new branch and there's no tag associated with v114.1 in )
+- End:   `78ab4ce85120f45a4b67b055936e401193eabd68`  ( `v115.0` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+#### Problematic Commits
+
+- Add Remote Settings client component `d054f01641a3da94dba4076c3ac8236547e2b3f4`
+
+## Firefox Android: https://github.com/mozilla-mobile/firefox-android.git
+
+- Start: `9d87757910437e94a860e1d6f2577d5648ded966`
+- End:   `fa28e4ddf82bedaa65153cbc6bac3ce7d8729ef5`
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Ticket Review ##
+
+Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=114%20Branch&order=priority%2Cbug_severity&limit=0`
+
+Nothing of interest (manual inspection)
+
+## Export
+- [x] Export Report and save to `tor-browser-spec/audits`
\ No newline at end of file



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/compare/724a427b5a24e3163c54d595186212fa4601cbdc...fc74e1ae4b5fea4e1456b60442bae7ea32cc8a4a

-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/compare/724a427b5a24e3163c54d595186212fa4601cbdc...fc74e1ae4b5fea4e1456b60442bae7ea32cc8a4a
You're receiving this email because of your account on gitlab.torproject.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-commits/attachments/20230912/26042828/attachment-0001.htm>
