Backport of Mozilla #1066190

Camilo has kindly provided us with a patch. To be attached below.

added TorBrowserTeam201411R component::applications/tor browser owner::tbb-team priority::medium resolution::fixed status::closed type::defect labels

Trac:
0001-Bug-13684-Backport-Mozilla-s-Bug-1066190.patch

This patch fixes an issue discovered recently in certificate pinning.

Trac:
Status: new to needs_review
Keywords: N/A deleted, MikePerry201411R added

What's Mozilla's plan for this fix? I haven't seen any mention of a new chemspill release, and I can't access that bug in their bugtracker.

I assume this is pinning-related and not going to be backported to 31ESR for that reason, but has this patch already been merged to mozilla-central and tagged in an official release? Taking a rush security fix before its ready might be asking for trouble, especially if it is some subtle interaction between cert validation and pinning.

Replying to mikeperry:

What's Mozilla's plan for this fix? I haven't seen any mention of a new chemspill release, and I can't access that bug in their bugtracker.

I assume this is pinning-related and not going to be backported to 31ESR for that reason, but has this patch already been merged to mozilla-central and tagged in an official release? Taking a rush security fix before its ready might be asking for trouble, especially if it is some subtle interaction between cert validation and pinning.

Yes, it's pinning-related and in mozilla-central. I also can't see the Bugzilla bug, but here are two references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1584 https://www.mozilla.org/security/advisories/mfsa2014-80/ Mozilla describes it as a "moderate" security issue.

The original commit on mozilla-central: https://hg.mozilla.org/mozilla-central/rev/d02e70f0bf3d https://github.com/mozilla/gecko-dev/commit/db0e8cfdbd7507e3883dc19c19cf218e268a9dd4

That version was also included in the FF33 release: https://hg.mozilla.org/releases/mozilla-release/rev/1e3320340bd2 https://github.com/mozilla/gecko-dev/commit/344af881b5cc4ff31ea19fbd5b5833b29464f2f1

> git branch -a --contains 344af881b5cc4ff31ea19fbd5b5833b29464f2f1
  remotes/m-c/GECKO330_2014100710_RELBRANCH
  remotes/m-c/GECKO330_2014101104_RELBRANCH
  remotes/m-c/GECKO331_2014102917_RELBRANCH
  remotes/m-c/GECKO331_2014103013_RELBRANCH
  remotes/m-c/GECKO331_2014110614_RELBRANCH
  remotes/m-c/MOBILE330_2014100810_RELBRANCH
  remotes/m-c/MOBILE330_2014101104_RELBRANCH
  remotes/m-c/MOBILE331_2014110511_RELBRANCH
  remotes/m-c/MOBILE331_2014110613_RELBRANCH
  remotes/m-c/b2g34_v2_1
  remotes/m-c/beta
  remotes/m-c/release

Why is the attached version from Camillo different than the ones that landed on either mozilla-central or Firefox 33?

There was substantial refactoring after the last certificate pinning ticket we included and before the original version of this patch. So Camilo created a backport that applies to our older version of certificate pinning. My understanding is, it is supposed to be functionally equivalent.

Trac:
Keywords: MikePerry201411R deleted, TorBrowserTeam201411R added

This was merged for 4.5-alpha-1.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

closed

moved to tpo/applications/tor-browser#13684 (closed)