Skip to content

FF95 Audit

General

The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).

The output includes the entire patch where the new problematic code was introduced. Search for XXX MATCH XXX to find the next potential violation.

code_audit.sh contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.

Firefox: https://github.com/mozilla/gecko-dev.git

  • Start: 6c9b6e1483551f220cd409e4e584349bc74a8231 ( FIREFOX_RELEASE_95_BASE )
  • End: 6a277ae5bdf6554793cd0da292a9c9ea804b4ed9 ( FIREFOX_RELEASE_96_BASE )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)


Application Services: https://github.com/mozilla/application-services.git

  • Start: df1a47fde89f49201b1e839f960e8f16eb95a55d ( v87.1.0 )
  • End: 5ceeb43598871a7d8550acc574a6a3fb93803ad7 ( v87.3.0 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Android Components: https://github.com/mozilla-mobile/android-components.git

  • Start: ef09fecd91dfcbffb85d9f4907b76cc9e5a0b70e ( v95.0.0 )
  • End: 93066a8f082fa2db3d38d361d0a538c438d2e1b8 ( v95.0.15 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Fenix: https://github.com/mozilla-mobile/fenix.git

  • Start: 9ab24a371b2dd51d18dab2f7f49facc6d2fd56ad ( v95.0.0-beta.1 )
  • End: d01642a0b1e3819cd2802b42a8a6aae43eb5ff12 ( releases_v95.0.0 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Ticket Review

Review List

95 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=95%20Branch&order=priority%2Cbug_severity&limit=0

foreach PROBLEMATIC_TICKET:

$(PROBLEMATIC_TICKET)

  • Summary
  • Review Result: (SAFE|BAD)

Regression/Prior Vuln Review

Review proxy bypass bugs; check for new vectors to look for:

Export

  • Export Report and save to tor-browser-spec/audits
Edited by morgan
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information