[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr

Wed Mar 15 14:30:39 UTC 2017

#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by mcs):

 Replying to [comment:24 gk]:
 > > b) When reviewing bugs, Kathy and I noticed that there seem to be a
 lot of crasher bugs associated with DOM Animation, e.g., UAF bugs. I think
 this is disabled by default via:
 > >  dom.animations-api.core.enabled = false
 > > or maybe we also need to add the following if we want to turn it off
 completely?
 > >  dom.animations-api.element-animate.enabled
 > > This might be something for the security slider eventually.
 >
 > Have you checked whether those crasher bugs made it ever into releases?
 The current metric for the slider was looking at sec-high and sec-critical
 bugs that got fixed on the release channel. Just looking at mozilla50
 might spoil our metrics.

 You make a good point. It is difficult to tell if a bug made it into an
 actual release (at least I am not sure how to tell). If it did, it should
 be included in the Mozilla Security Advisory list, and I did find a couple
 of items there:
  https://www.mozilla.org/en-
 US/security/advisories/mfsa2016-85/#CVE-2016-5277
  https://www.mozilla.org/en-
 US/security/advisories/mfsa2017-01/#CVE-2017-5379
 But there is always a collection of memory safety bugs for which little
 detail is available, and I cannot see all of the bugs. I did find one bug
 that way:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1289701

 > > c) As part of our release procedures, do we double-check the HPKP
 expiration? We do not want to have a repeat of the problem where the pins
 expired. Mozilla seems to have bugs for each release, e.g.,
 > >  https://bugzilla.mozilla.org/show_bug.cgi?id=1307530
 >
 > Hey, that got mentioned in the mozilla49 notes already (see my reply in
 the previous comment). :)

 Oops. I think I am repeating myself. I think I am repeating myself.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online