Backport Android security fixes from Firefox 121 to 115.6-based Tor Browser

Explanation of Variables
- $(ESR_VERSION): the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc.
  - Example: 102.8.0
- $(RR_VERSION): the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the $(ESR_VERSION), but Mozilla's Firefox for Android is based off of the $(RR_VERSION), so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
  - Example: 110
- $(PROJECT_NAME): the name of the browser project, either base-browser or tor-browser
- $(TOR_BROWSER_MAJOR): the Tor Browser major version
  - Example: 12
- $(TOR_BROWSER_MINOR): the Tor Browser minor version
  - Example: either 0 or 5; Alpha's is always (Stable + 5) % 10
- $(BUILD_N): a project's build revision within its branch; many of the Firefox-related projects have a $(BUILD_N) suffix and may differ between projects even when they contribute to the same build.
  - Example: build1

NOTE: It is assumed the tor-browser rebases (stable and alpha) have already happened and there exist build1 build tags for both base-browser and tor-browser (stable and alpha)

Bookkeeping
- Link this issue to the appropriate Release Prep issues (stable and alpha).

Security Vulnerabilities Report: https://www.mozilla.org/en-US/security/advisories/
- Potentially Affected Components:
  - firefox/geckoview: https://github.com/mozilla/gecko-dev
  - application-services: https://github.com/mozilla/application-services
  - android-components (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
  - fenix (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
  - firefox-android: https://github.com/mozilla-mobile/firefox-android
  - NOTE: android-components and fenix used to have their own repos, but since November 2022 they have converged to a single firefox-android repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.
- Go through the Security Vulnerabilities fixed in Firefox $(RR_VERSION) report and create a candidate list of CVEs which potentially need to be backported in this issue:
  - CVEs which are explicitly labeled as 'Android' only
  - CVEs which are fixed in Rapid Release but not in ESR
  - 'Memory safety bugs' fixed in Rapid Release but not in ESR
- Foreach issue:
  - Create link to the CVE on mozilla.org
  - Create link to the associated Bugzilla issues (found in the CVE description)
  - Create links to the relevant gecko-dev/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
    - To find the gecko-dev version of a mozilla-central commit, search for a unique string in the relevant mozilla-central commit message in the gecko-dev/release branch log.
    - NOTE: This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.

CVEs
- CVE-2023-6869: Content can paint outside of sandboxed iframe - Bug 1799036
  - Note: NO backport (sec low, complicate back-out/fix in a regression bug story)
- CVE-2023-6870: Android Toast notifications may obscure fullscreen event notifications - Bug 1823316
  - Note: Backported (firefox-android!52 (merged))
- CVE-2023-6871: Lack of protocol handler warning in some instances - Bug 1828334
  - Note: NO backport (unlikely issue for us, mozdevs advised against uplift/backport)
- CVE-2023-6866: TypedArrays lack sufficient exception handling - Bug 1849037
  - Note: NO backport (very complex 3 commits patch w/dependencies, they're tracking 115esr for 122+)
- CVE-2023-6872: Browsing history leaked to syslogs via GNOME - Bug 1849186
  - Note: NO backport (it's @pierov's uplift we had to disable b/c UX)
- CVE-2023-6135: NSS susceptible to "Minerva" attack - Bug 1853908
  - Note: NO backport (3rd party, AFAICT we can't do anything about this, but network latency should save our bacon until Moz does)
- CVE-2023-6873: Memory safety bugs fixed in Firefox 121 - Bug 1855327
  - Note: NO backport (undisclosed, no commit found)
- CVE-2023-6873: Memory safety bugs fixed in Firefox 121 - Bug 1862723
  - Note: NO backport (unaffected)
- CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID key - Bug 1865488
  - Note: Backported (firefox-android!52 (merged))
- CVE-2023-6862: Use-after-free in nsDNSService - Bug 1868042
  - Note: NO backport (fixed in 115.6)

tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git
- Backport any Android-specific security fixes from Firefox rapid-release
  - Backport patches to tor-browser stable branch
  - Open MR
  - Merge
  - Rebase patches onto:
    - base-browser stable
    - tor-browser alpha
    - base-browser alpha
  - Sign/Tag commits:
    - Tag: $(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
    - Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha
    - base-browser stable
    - tor-browser stable
    - base-browser alpha
    - tor-browser alpha
  - Push tags to upstream
- OR
- No backports
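
The tag naming rules above and the gecko-dev commit lookup from Bookkeeping, as an added shell example (not part of the original issue and not Tor Project tooling). The function names and the validation patterns are assumptions modelled on this page's example values.

```shell
# Added example: helper names and validation patterns are assumptions
# modelled on this page's example values, not Tor Project tooling.

# matches VALUE ERE: true only if VALUE is one line fully matching ERE.
matches() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] &&
    printf '%s\n' "$1" | grep -Eqx -- "$2"
}

# Alpha's minor is always (Stable + 5) % 10.
alpha_minor() {
  case "$1" in
    0|5) echo $(( ($1 + 5) % 10 )) ;;
    *) echo "stable minor must be 0 or 5: $1" >&2; return 1 ;;
  esac
}

# tag_name PREFIX ESR_VERSION TOR_BROWSER_MAJOR TOR_BROWSER_MINOR BUILD_N
# Refuses malformed parts so a typo never becomes a pushed tag.
tag_name() {
  matches "$1" '(base-browser|tor-browser|application-services|android-components|firefox-android)' ||
    { echo "unknown tag prefix: $1" >&2; return 1; }
  matches "$2" '[0-9]+\.[0-9]+(\.[0-9]+)?' || { echo "bad ESR_VERSION: $2" >&2; return 1; }
  matches "$3" '[0-9]+' || { echo "bad TOR_BROWSER_MAJOR: $3" >&2; return 1; }
  matches "$4" '[05]' || { echo "bad TOR_BROWSER_MINOR: $4" >&2; return 1; }
  matches "$5" 'build[0-9]+' || { echo "bad BUILD_N: $5" >&2; return 1; }
  printf '%s-%s-%s.%s-1-%s\n' "$1" "$2" "$3" "$4" "$5"
}

# tag_message BUILD_N ESR_VERSION CHANNEL
tag_message() {
  case "$3" in
    stable|alpha) printf 'Tagging %s for %s-based %s\n' "$1" "$2" "$3" ;;
    *) echo "channel must be stable or alpha: $3" >&2; return 1 ;;
  esac
}

# find_backport_commit REF STRING: commits reachable from REF (for example the
# gecko-dev release branch) whose message contains STRING literally.
find_backport_commit() {
  git log --fixed-strings --grep="$2" --format='%H %s' "$1" --
}

# sign_tag PREFIX ESR MAJOR MINOR BUILD_N CHANNEL COMMIT
# Creates the signed tag, then verifies the signature before any push.
sign_tag() {
  name=$(tag_name "$1" "$2" "$3" "$4" "$5") || return 1
  msg=$(tag_message "$5" "$2" "$6") || return 1
  git tag -s "$name" -m "$msg" "$7" && git tag -v "$name"
}
```

`sign_tag` needs a configured signing key; the other helpers only read their arguments or the local repository.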

application-services: https://gitlab.torproject.org/tpo/applications/application-services
- NOTE: we will need to set up a gitlab copy of this repo and update tor-browser-build before we can apply security backports here
- Backport any Android-specific security fixes from Firefox rapid-release
  - Backport patches to application-services stable branch
  - Open MR
  - Merge
  - Rebase patches onto application-services alpha
  - Sign/Tag commits:
    - Tag: application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
    - Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha
    - application-services stable
    - application-services alpha
  - Push tags to upstream
- OR
- No backports

android-components (Optional, ESR 102): https://gitlab.torproject.org/tpo/applications/android-components.git
- Backport any Android-specific security fixes from Firefox rapid-release
  - NOTE: Since November 2022, this repo has been merged with fenix into a singular firefox-android repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy android-components project.
  - Backport patches to android-components stable branch
  - Open MR
  - Merge
  - Rebase patches onto android-components alpha
  - Sign/Tag commits:
    - Tag: android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
    - Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha
    - android-components stable
    - android-components alpha
  - Push tags to upstream
- OR
- No backports

fenix (Optional, ESR 102): https://gitlab.torproject.org/tpo/applications/fenix.git
- Backport any Android-specific security fixes from Firefox rapid-release
  - NOTE: Since February 2023, this repo has been merged with android-components into a singular firefox-android repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy fenix project.
  - Backport patches to fenix stable branch
  - Open MR
  - Merge
  - Rebase patches onto fenix alpha
  - Sign/Tag commits:
    - Tag: tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
    - Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha
    - fenix stable
    - fenix alpha
  - Push tags to upstream
- OR
- No backports

firefox-android: https://gitlab.torproject.org/tpo/applications/firefox-android
- Backport any Android-specific security fixes from Firefox rapid-release
  - Backport patches to firefox-android stable branch
  - Open MR
  - Merge
  - Rebase patches onto fenix alpha
  - Sign/Tag commits:
    - Tag: firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
    - Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha
    - firefox-android stable
    - firefox-android alpha
  - Push tags to upstream
- OR
- No backports

Edited by ma1