
FF100 Audit

General

The audit begins at the commit hash where the previous audit ended. Use code_audit.sh to create the diff and highlight potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).

The output includes the entire patch where the new problematic code was introduced. Search for XXX MATCH XXX to find the next potential violation.

code_audit.sh contains the list of known problematic APIs. New uses of these functions are documented and analyzed in this audit.
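The workflow above, as an added illustration that is not the project's code_audit.sh: diff the audited repository between the previous audit's end commit and the new end commit, restrict it to one language, and prefix every newly added line that calls a watched API with the XXX MATCH XXX marker the audit searches for. The watch-list of API names, the language-to-pathspec mapping and the sample diff are constructed for this example; the real list lives in code_audit.sh and is not reproduced on this page.

```shell
#!/usr/bin/env bash
# Added illustration of the audit workflow; this is NOT the project's
# code_audit.sh. The watch-list below is a constructed, hypothetical one.
set -eu

AUDIT_PATTERNS='strcpy[(]|strcat[(]|sprintf[(]|gets[(]|system[(]|popen[(]|eval[(]|getRuntime[(][)][.]exec[(]|unsafe [{]'

# Map an audit language name (java, cpp, js, rust) to git pathspecs, one per line.
audit_pathspecs() {
  case "$1" in
    cpp)  printf '%s\n' '*.c' '*.cc' '*.cpp' '*.h' '*.hpp' ;;
    java) printf '%s\n' '*.java' '*.kt' ;;
    js)   printf '%s\n' '*.js' '*.jsm' '*.mjs' ;;
    rust) printf '%s\n' '*.rs' ;;
    *)    echo "unknown language: $1" >&2; return 1 ;;
  esac
}

# Produce the diff between the previous audit's end commit and the new end
# commit, restricted to files of one language.
# Usage: audit_repo_diff <repo dir> <start commit> <end commit> <language>
audit_repo_diff() {
  repo=$1; start=$2; end=$3; lang=$4
  specs=$(audit_pathspecs "$lang")
  set -f                      # keep the '*.cpp' globs for git, not the shell
  # shellcheck disable=SC2086
  git -C "$repo" diff "$start".."$end" -- $specs
  set +f
}

# Read a unified diff on stdin and echo it back unchanged, except that every
# ADDED line ('+' prefix, not the '+++' file header) that uses a watched API
# is prefixed with the "XXX MATCH XXX" marker. Removed and context lines are
# never marked, so only newly introduced uses are flagged for review.
audit_mark_diff() {
  awk -v pat="$AUDIT_PATTERNS" '
    /^\+\+\+ /          { print; next }
    /^\+/ && $0 ~ pat   { print "XXX MATCH XXX " $0; next }
                        { print }
  '
}

# Count marker lines in an annotated diff (prints 0 instead of failing when none).
audit_count_matches() {
  grep -c '^XXX MATCH XXX' || true
}

# Constructed sample diff so the marking step can be exercised without a clone.
SAMPLE_DIFF='diff --git a/example.cpp b/example.cpp
--- a/example.cpp
+++ b/example.cpp
@@ -1,5 +1,6 @@
 #include <cstring>
-  sprintf(buf, "%s", name);
+  snprintf(buf, sizeof buf, "%s", name);
+  strcpy(legacy, name);
+  system(cmd);
   return 0;'

if [ "$#" -eq 4 ]; then
  # Real run, e.g.: ./audit_example.sh /path/to/gecko-dev <START> <END> cpp
  audit_repo_diff "$@" | audit_mark_diff
else
  # Offline demo: only the two newly added strcpy/system lines are marked.
  printf '%s\n' "$SAMPLE_DIFF" | audit_mark_diff
fi
```

Only added lines are marked, so a removed sprintf call (as in the sample) produces no match; that is the behaviour the audit relies on when it says new uses are what get documented. Reviewing each marked hunk in its full patch context is still the auditor's job: the marker finds call sites, not vulnerabilities.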

Firefox: https://github.com/mozilla/gecko-dev.git

  • Start: cd4dcd48476d8cb29f4770f6fb659e440ff84345 ( FIREFOX_RELEASE_100_BASE )
  • End: 59930a20119813ea25546eaca75dcc3bbc500039 ( FIREFOX_RELEASE_101_BASE )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)


Application Services: https://github.com/mozilla/application-services.git

  • Start: 21f2904245a956366cae798e16035156c8232cad ( v93.0.2 )
  • End: 6a4737d1c043d71dfac67e270ee4afa4fb6c73b4 ( v93.2.1 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Android Components: https://github.com/mozilla-mobile/android-components.git

  • Start: ba604c57073b3ed91cc863e5d9a7aa9d7e7a4b95 ( v100.0.0 )
  • End: 7b24cbd76371562a9e9a842ca351dae7599d53f3 ( v100.0.12 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Fenix: https://github.com/mozilla-mobile/fenix.git

  • Start: 89d64fc0e8204b6f2f442a656108ee2dc9bffbef ( v100.0.0-beta.1 )
  • End: 827b01341f76e9ee8c152260992eb5f22a775791 ( releases_v100.0.0 )

Languages:

  • java
  • cpp
  • js
  • rust

Nothing of interest (using code_audit.sh)

Ticket Review

100 Branch: https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=100%20Branch&order=priority%2Cbug_severity&limit=0

Nothing of interest (manual inspection)

OR (foreach)

foreach PROBLEMATIC_TICKET:

$(PROBLEMATIC_TICKET)

  • Summary
  • Review Result: (SAFE|BAD)

Regression/Prior Vuln Review

Review proxy bypass bugs; check whether they reveal new vectors to look for.

Export

  • Export Report and save to tor-browser-spec/audits
Edited by morgan