|
1
|
+# General
|
|
2
|
+
|
|
3
|
+The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
|
|
4
|
+
|
|
5
|
+The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
|
|
6
|
+
|
|
7
|
+`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
|
|
8
|
+
|
|
9
|
+## Firefox: https://github.com/mozilla/gecko-dev.git
|
|
10
|
+
|
|
11
|
+- Start: `1f1c56dc6bae6b3302471f097ed132ef44cded86` ( `FIREFOX_103_0_2_RELEASE` )
|
|
12
|
+- End: `a8c31da1c243a855de8c3b241a437dd1b65684d5` ( `FIREFOX_104_0_2_RELEASE` )
|
|
13
|
+
|
|
14
|
+### Languages:
|
|
15
|
+- [x] java
|
|
16
|
+- [x] cpp
|
|
17
|
+- [x] js
|
|
18
|
+- [x] rust
|
|
19
|
+
|
|
20
|
+#### Problematic Commits
|
|
21
|
+
|
|
22
|
+- Bug 1780014: Add specific telemetry for conservative and first-try handshakes `7a55bf9c230b83c0a195929feaad1f5e77195412`
|
|
23
|
+ - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41937
|
|
24
|
+ - **RESOLUTION** nothing to do here, telemetry is gated in the usual fashoin
|
|
25
|
+- Bug 1769994 - [remote] Resolve localhost to an IP before starting httpd.js. `c193147b7b622a9b69e768079553e0d27c05c993`
|
|
26
|
+ - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41938
|
|
27
|
+ - **RESOLUTION** nothing to do here, this is a debugger feature not a web content one
|
|
28
|
+---
|
|
29
|
+
|
|
30
|
+## Application Services: https://github.com/mozilla/application-services.git
|
|
31
|
+
|
|
32
|
+- Start: `b70c54882fec606d10e77520b1dd2ae144768747` ( `v94.0.0` )
|
|
33
|
+- End: `78b165b798118e9b5fa62af07aa44d663f386492` ( `v94.1.0` )
|
|
34
|
+
|
|
35
|
+### Languages:
|
|
36
|
+- [x] java
|
|
37
|
+- [x] cpp
|
|
38
|
+- [x] js
|
|
39
|
+- [x] rust
|
|
40
|
+
|
|
41
|
+Nothing of interest (using `code_audit.sh`)
|
|
42
|
+
|
|
43
|
+## Android Components: https://github.com/mozilla-mobile/android-components.git
|
|
44
|
+
|
|
45
|
+- Start: `ae333f064744e005ef22ac86ab8518d9bf7d9820`
|
|
46
|
+- End: `7b0499725d3016a0d9288c337fcde4ffff60acfe` ( `v104.0.10` )
|
|
47
|
+
|
|
48
|
+### Languages:
|
|
49
|
+- [x] java
|
|
50
|
+- [x] cpp
|
|
51
|
+- [x] js
|
|
52
|
+- [x] rust
|
|
53
|
+
|
|
54
|
+Nothing of interest (using `code_audit.sh`)
|
|
55
|
+
|
|
56
|
+## Fenix: https://github.com/mozilla-mobile/fenix.git
|
|
57
|
+
|
|
58
|
+- Start: `3f7ddd5d6ef4f8495092138149d36b42e08dbbdb` ( `v104.0b1 )
|
|
59
|
+- End: `0f9ad767addb7eeef1800ac5bb80e094e3e87f07` ( `v104.2.0` )
|
|
60
|
+
|
|
61
|
+### Languages:
|
|
62
|
+- [x] java
|
|
63
|
+- [x] cpp
|
|
64
|
+- [x] js
|
|
65
|
+- [x] rust
|
|
66
|
+
|
|
67
|
+Nothing of interest (using `code_audit.sh`)
|
|
68
|
+
|
|
69
|
+## Ticket Review ##
|
|
70
|
+
|
|
71
|
+Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=104%20Branch&order=priority%2Cbug_severity&limit=0`
|
|
72
|
+
|
|
73
|
+#### Problematic Tickets
|
|
74
|
+
|
|
75
|
+- **Support fetching data from Remote Setting** https://bugzilla.mozilla.org/show_bug.cgi?id=1728871
|
|
76
|
+ - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41939
|
|
77
|
+ - **RESOLUTION** nothing to do here, only applies to safe-browsing which we disable
|
|
78
|
+- **When a filetype is set to "always ask" and the user makes a save/open choice in the dialog, we should not also open the downloads panel** https://bugzilla.mozilla.org/show_bug.cgi?id=1739348
|
|
79
|
+ - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41940
|
|
80
|
+ - **RESOLUTION** was not a security or privacy issue, just needed to make sure it played nciely with our own custom downloads UX which it does
|
|
81
|
+- **Improve Math.pow accuracy for large exponents** https://bugzilla.mozilla.org/show_bug.cgi?id=1775254
|
|
82
|
+ - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41941
|
|
83
|
+ - **RESOLUTION** tjr fortunately verified this doesn't break existing fingerprinting assumptions upstream
|
|
84
|
+
|
|
85
|
+## Export
|
|
86
|
+- [ ] Export Report and save to `tor-browser-spec/audits` |
|
|
\ No newline at end of file |