FF105 Audit
General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
The output includes the entire patch where the new problematic code was introduced. Search for XXX MATCH XXX to find the next potential violation.
code_audit.sh contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
Firefox: https://github.com/mozilla/gecko-dev.git
- Start:
a8c31da1c243a855de8c3b241a437dd1b65684d5(FIREFOX_104_0_2_RELEASE) - End:
2dd649f09f70ec5b9304d62daeb427a86bbc5a36(FIREFOX_105_0_3_RELEASE)
Languages:
-
java -
cpp -
js -
rust
Nothing of interest (using code_audit.sh)
Application Services: https://github.com/mozilla/application-services.git
- Start:
78b165b798118e9b5fa62af07aa44d663f386492(v94.1.0) - End:
be8254df118b2fc2aae726e1d13ca4c982bec920(v94.3.1)
Languages:
-
java -
cpp -
js -
rust
Nothing of interest (using code_audit.sh)
Android Components: https://github.com/mozilla-mobile/android-components.git
- Start:
b3e0289b3f07929c0403ac6e672c88b5db079748 - End:
658c2d239f9aef5927f654aa36a0b0739b116d92(v105.0.8)
Languages:
-
java -
cpp -
js -
rust
Nothing of interest (using code_audit.sh)
Fenix: https://github.com/mozilla-mobile/fenix.git
- Start:
a5d13e2ef26d4eb98a32c94b6c6530771e90cd56(v105.0b1) - End:
01fbfd63743f30ebca31bbfb775bddef94a01a3e(v105.2.0)
Languages:
-
java -
cpp -
js -
rust
Nothing of interest (using code_audit.sh)
Ticket Review
Bugzilla Query: https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=105%20Branch&order=priority%2Cbug_severity&limit=0
Problematic Issues
-
Use the WER runtime exception module to catch early crashes https://bugzilla.mozilla.org/show_bug.cgi?id=1682520
- RESOLUTION: no new functionality here, just making it work better by moving the registration earlier in the Firefox boot process
- Add a pref to disable Spectre mitigations for Fission web content processes https://bugzilla.mozilla.org/show_bug.cgi?id=1774178
-
Add Surrogate COM Server to handle native Windows notifications when Firefox is closed. https://bugzilla.mozilla.org/show_bug.cgi?id=1774083
- RESOLUTOIN COM sever registration happens in the official firefox installer which we do not use, so nothing to do here
-
Add a cookie banner service to automatically handle website cookie banners https://bugzilla.mozilla.org/show_bug.cgi?id=1783019
- RESOLUTION disabled this feature until fully audit, may bring back in the 13.5 time-frame
-
Add a locale parameter to the text recognition API https://bugzilla.mozilla.org/show_bug.cgi?id=1782579
- RESOLUTION we'v diabled this system entirely in tor-browser#42057 (closed)
-
Broken since Firefox 102.0: no instant fallback to direct connection when proxy became unreachable while runtime https://bugzilla.mozilla.org/show_bug.cgi?id=1779005
- RESOLUTION: Tor Browser uses explicitly configured proxy settings so this auto-detect system is no used/does not apply to us
- On systems with IPv6 preferred DNS resolution clients will fail to connect when "localhost" is used as host for the WebSocket server https://bugzilla.mozilla.org/show_bug.cgi?id=1769994
-
Hide the text recognition context menu if the macOS version doesn't support APIs https://bugzilla.mozilla.org/show_bug.cgi?id=1782981
- RESOLUTION we'v diabled this system entirely in tor-browser#42057 (closed)
-
Implement a context menu modal for text recognition https://bugzilla.mozilla.org/show_bug.cgi?id=1782578
- RESOLUTION we've disabled this system entirely in tor-browser#42057 (closed)
Export
-
Export Report and save to tor-browser-spec/audits