Opened 5 years ago

Closed 5 years ago

#13684 closed defect (fixed)

Backport of Mozilla #1066190

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: TorBrowserTeam201411R
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Camilo has kindly provided us with a patch. To be attached below.

Attachments (1)

0001-Bug-13684-Backport-Mozilla-s-Bug-1066190.patch (3.1 KB) - added by arthuredelstein 5 years ago.

Change History (9)

Changed 5 years ago by arthuredelstein

comment:1 Changed 5 years ago by arthuredelstein

This patch fixes an issue discovered recently in certificate pinning.

comment:2 Changed 5 years ago by arthuredelstein

Keywords: MikePerry201411R added
Status: new → needs_review

comment:3 Changed 5 years ago by mikeperry

What's Mozilla's plan for this fix? I haven't seen any mention of a new chemspill release, and I can't access that bug in their bugtracker.

I assume this is pinning-related and not going to be backported to 31ESR for that reason, but has this patch already been merged to mozilla-central and tagged in an official release? Taking a rush security fix before it's ready might be asking for trouble, especially if it is some subtle interaction between cert validation and pinning.

comment:4 in reply to:  3 Changed 5 years ago by arthuredelstein

Replying to mikeperry:

> What's Mozilla's plan for this fix? I haven't seen any mention of a new chemspill release, and I can't access that bug in their bugtracker.
>
> I assume this is pinning-related and not going to be backported to 31ESR for that reason, but has this patch already been merged to mozilla-central and tagged in an official release? Taking a rush security fix before it's ready might be asking for trouble, especially if it is some subtle interaction between cert validation and pinning.

Yes, it's pinning-related and in mozilla-central. I also can't see the Bugzilla bug, but here are two references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1584
https://www.mozilla.org/security/advisories/mfsa2014-80/
Mozilla describes it as a "moderate" security issue.

The original commit on mozilla-central:
https://hg.mozilla.org/mozilla-central/rev/d02e70f0bf3d
https://github.com/mozilla/gecko-dev/commit/db0e8cfdbd7507e3883dc19c19cf218e268a9dd4

That version was also included in the FF33 release:
https://hg.mozilla.org/releases/mozilla-release/rev/1e3320340bd2
https://github.com/mozilla/gecko-dev/commit/344af881b5cc4ff31ea19fbd5b5833b29464f2f1

> git branch -a --contains 344af881b5cc4ff31ea19fbd5b5833b29464f2f1
  remotes/m-c/GECKO330_2014100710_RELBRANCH
  remotes/m-c/GECKO330_2014101104_RELBRANCH
  remotes/m-c/GECKO331_2014102917_RELBRANCH
  remotes/m-c/GECKO331_2014103013_RELBRANCH
  remotes/m-c/GECKO331_2014110614_RELBRANCH
  remotes/m-c/MOBILE330_2014100810_RELBRANCH
  remotes/m-c/MOBILE330_2014101104_RELBRANCH
  remotes/m-c/MOBILE331_2014110511_RELBRANCH
  remotes/m-c/MOBILE331_2014110613_RELBRANCH
  remotes/m-c/b2g34_v2_1
  remotes/m-c/beta
  remotes/m-c/release

comment:5 Changed 5 years ago by mikeperry

Why is the attached version from Camilo different than the ones that landed on either mozilla-central or Firefox 33?

comment:6 Changed 5 years ago by arthuredelstein

There was substantial refactoring after the last certificate pinning ticket we included and before the original version of this patch. So Camilo created a backport that applies to our older version of certificate pinning. My understanding is, it is supposed to be functionally equivalent.

comment:7 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201411R added; MikePerry201411R removed

comment:8 Changed 5 years ago by mikeperry

Resolution: fixed
Status: needs_review → closed

This was merged for 4.5-alpha-1.
