Backport Android and desktop security fixes from Firefox 126

Explanation of Variables

$(ESR_VERSION): the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
- Example: 102.8.0
$(RR_VERSION): the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the $(ESR_VERSION), but Mozilla's Firefox for Android is based off of the $(RR_VERSION) so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
- Example: 110
$(PROJECT_NAME): the name of the browser project, either base-browser or tor-browser
$(TOR_BROWSER_MAJOR): the Tor Browser major version
- Example: 12
$(TOR_BROWSER_MINOR): the Tor Browser minor version
- Example: either 0 or 5; Alpha's is always (Stable + 5) % 10
$(BUILD_N): a project's build revision within a its branch; many of the Firefox-related projects have a $(BUILD_N) suffix and may differ between projects even when they contribute to the same build.
- Example: build1

NOTE: It is assumed the tor-browser rebases (stable and alpha) have already happened and there exists a build1 build tags for both base-browser and tor-browser (stable and alpha)

Bookkeeping

Link this issue to the appropriate Release Prep issues (stable and alpha).

Security Vulnerabilities Report: https://www.mozilla.org/en-US/security/advisories/

Potentially Affected Components:
- firefox/geckoview: https://github.com/mozilla/gecko-dev
- application-services: https://github.com/mozilla/application-services
- android-components (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
- fenix (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
- firefox-android: https://github.com/mozilla-mobile/firefox-android

NOTE: android-components and fenix used to have their own repos, but since November 2022 they have converged to a single firefox-android repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.

Go through the Security Vulnerabilities fixed in Firefox $(RR_VERSION) report and create a candidate list of CVEs which potentially need to be backported in this issue:
- CVEs which are explicitly labeled as 'Android' only
- CVEs which are fixed in Rapid Release but not in ESR
- 'Memory safety bugs' fixed in Rapid Release but not in ESR
Foreach issue:
- Create link to the CVE on mozilla.org
  - Example: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25740
- Create link to the associated Bugzilla issues (found in the CVE description)
- Create links to the relevant gecko-dev/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
  - To find the gecko-dev version of a mozilla-central, search for a unique string in the relevant mozilla-central commit message in the gecko-dev/release branch log.
  - NOTE: This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.

CVEs

tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git

application-services: https://gitlab.torproject.org/tpo/applications/application-services

android-components (Optional, ESR 102): https://gitlab.torproject.org/tpo/applications/android-components.git

fenix (Optional, ESR 102): https://gitlab.torproject.org/tpo/applications/fenix.git

firefox-android: https://gitlab.torproject.org/tpo/applications/firefox-android

Edited May 10, 2024 by ma1