Opened 11 months ago

Closed 11 months ago

Last modified 5 months ago

#32618 closed defect (fixed)

Backport 1467970 and 1590526

Reported by: sysrqb
Owned by: gk
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam201911R
Cc: tbb-team
Actual Points: 0.2
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Mozilla landed a defense-in-depth security improvement, but they aren't planning on backporting it for esr68.

1467970 is the original patch and 1590526 corrects some regressions.

1467970: https://hg.mozilla.org/mozilla-central/rev/c8a2c27a1128

1590526 (uplift on 71 beta): https://hg.mozilla.org/releases/mozilla-beta/rev/1542e80327c2

Change History (7)

comment:1 Changed 11 months ago by sysrqb

Keywords: TorBrowserTeam201911 added

We can try squeezing this into the 9.5a3.

comment:2 Changed 11 months ago by gk

Actual Points: 0.2
Keywords: TorBrowserTeam201911R added; TorBrowserTeam201911 removed
Status: new → needs_review

bug_32618 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_32618) has the backports. I did not build the changes yet but I looked at possible parseFromString() calls that might still be problematic AND on esr68 while not being present anymore when the patches landed on Mozilla's branches. We are good here, though.

I also double-checked that the patches for those two bugs are the only ones we need to backport:

Bug 1585769 is relevant here but the picture-in-picture video feature is only enabled in Windows nightlies if the code is esr68, so I think we can avoid backporting that fix.
Bug 1585588 is not affecting us as we don't ship that extension and it should be fixed by bug 1590526 anyway (which fixed bug 1576508 as well).

comment:3 Changed 11 months ago by sysrqb

Cc: tbb-team added
Owner: changed from tbb-team to gk
Status: needs_review → assigned

comment:4 Changed 11 months ago by sysrqb

Status: assigned → needs_review

comment:5 Changed 11 months ago by sysrqb

Resolution: fixed
Status: needs_review → closed

Thanks! Looks good. Picked these as 1dc18678aa3ae2b604664653cf924671638a0bb6 and 94363e6fcad34c5beaf53ffa4b3a9ae5694dddf8.

comment:6 Changed 10 months ago by gk

Keywords: tbb-backport added

Maybe something to at least consider for backporting.

comment:7 Changed 5 months ago by gk

Keywords: tbb-backport removed

No backport for those tickets/fixes. They will emerge with 9.5.
