
Backport security fixes from Firefox 129

Explanation of Variables
  • $(ESR_VERSION): the Mozilla-defined ESR version, used in various places for building tor-browser tags, labels, etc.
    • Example: 102.8.0
  • $(RR_VERSION): the Mozilla-defined Rapid-Release version; Tor Browser for Android is based off of the $(ESR_VERSION), but Mozilla's Firefox for Android is based off of the $(RR_VERSION), so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
    • Example: 110
  • $(PROJECT_NAME): the name of the browser project, either base-browser or tor-browser
  • $(TOR_BROWSER_MAJOR): the Tor Browser major version
    • Example: 12
  • $(TOR_BROWSER_MINOR): the Tor Browser minor version
    • Example: either 0 or 5; Alpha's is always (Stable + 5) % 10
  • $(BUILD_N): a project's build revision within its branch; many of the Firefox-related projects have a $(BUILD_N) suffix, which may differ between projects even when they contribute to the same build.
    • Example: build1

NOTE: It is assumed that the tor-browser rebases (stable and alpha) have already happened and that build1 build tags exist for both base-browser and tor-browser (stable and alpha).

Bookkeeping

  • Link this issue to the appropriate Release Prep issues (stable and alpha).

Security Vulnerabilities Report: https://www.mozilla.org/en-US/security/advisories/

NOTE: android-components and fenix used to have their own repos, but since November 2022 they have converged to a single firefox-android repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.

  • Go through the Security Vulnerabilities fixed in Firefox $(RR_VERSION) report and create a candidate list of CVEs which potentially need to be backported in this issue:
    • CVEs which are explicitly labeled as 'Android' only
    • CVEs which are fixed in Rapid Release but not in ESR
    • 'Memory safety bugs' fixed in Rapid Release but not in ESR
  • For each issue:
    • Create link to the CVE on mozilla.org
    • Create link to the associated Bugzilla issues (found in the CVE description)
    • Create links to the relevant gecko-dev/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
      • To find the gecko-dev version of a mozilla-central commit, search for a unique string in the relevant mozilla-central commit message in the gecko-dev/release branch log.
      • NOTE: This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.
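
An added sketch of the candidate-list step (not part of the original issue template): given the entries of the Rapid-Release advisory and of the ESR advisory as two files, it lists the CVEs that match the three bullets above. The `CVE-ID<TAB>title` input format, the title-matching rules and the placeholder IDs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: triage helper for the backport candidate list.
# Assumed input: one "CVE-ID<TAB>title" line per advisory entry.

# candidates RR_FILE ESR_FILE
# Prints "CVE-ID<TAB>reason<TAB>title" for every Rapid-Release entry that is
# Android-labelled or missing from the ESR advisory, sorted by ID.
candidates() {
    awk -F '\t' '
        FILENAME == ARGV[1] { esr[$1] = 1; next }   # first file: fixed in ESR
        {
            title = tolower($2); reason = ""
            if (title ~ /android/)
                reason = "android-only"
            else if (!($1 in esr) && title ~ /^memory safety bugs/)
                reason = "rr-only-memory-safety"
            else if (!($1 in esr))
                reason = "rr-only"
            if (reason != "") print $1 "\t" reason "\t" $2
        }
    ' "$2" "$1" | sort
}

# Constructed sample data: placeholder IDs and titles, not real advisories.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\t%s\n' \
        'CVE-0000-0001' 'Use-after-free in layout' \
        'CVE-0000-0002' 'Address bar spoofing on Android' \
        'CVE-0000-0003' 'Memory safety bugs fixed in Rapid Release' \
        'CVE-0000-0004' 'Memory safety bugs fixed in Rapid Release and ESR' \
        > "$tmp/rr.tsv"
    printf '%s\t%s\n' \
        'CVE-0000-0001' 'Use-after-free in layout' \
        'CVE-0000-0004' 'Memory safety bugs fixed in Rapid Release and ESR' \
        > "$tmp/esr.tsv"
    candidates "$tmp/rr.tsv" "$tmp/esr.tsv"
    rm -rf "$tmp"
}

demo
```

Each line of output still needs the manual follow-up described above: the CVE link, the Bugzilla links, and either the commits to backport or a justification for skipping it.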

CVEs

tor-browser: https://gitlab.torproject.org/tpo/applications/tor-browser.git

  • Backport any Android-specific security fixes from Firefox rapid-release
    • Backport patches to tor-browser stable branch
    • Open MR
    • Merge
    • Rebase patches onto:
      • base-browser stable
      • tor-browser alpha
      • base-browser alpha
    • Sign/Tag commits:
      • Tag: $(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
      • Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based (stable|alpha)
      • base-browser stable
      • tor-browser stable
      • base-browser alpha
      • tor-browser alpha
    • Push tags to upstream
  • OR
  • No backports

application-services: https://gitlab.torproject.org/tpo/applications/application-services

  • NOTE: we will need to setup a gitlab copy of this repo and update tor-browser-build before we can apply security backports here
  • Backport any Android-specific security fixes from Firefox rapid-release
    • Backport patches to application-services stable branch
    • Open MR
    • Merge
    • Rebase patches onto application-services alpha
    • Sign/Tag commits:
      • Tag: application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
      • Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha
      • application-services stable
      • application-services alpha
    • Push tags to upstream
  • OR
  • No backports

android-components (Optional, ESR 102): https://gitlab.torproject.org/tpo/applications/android-components.git

  • Backport any Android-specific security fixes from Firefox rapid-release
    • NOTE: Since November 2022, this repo has been merged with fenix into a singular firefox-android repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy android-components project.
    • Backport patches to android-components stable branch
    • Open MR
    • Merge
    • Rebase patches onto android-components alpha
    • Sign/Tag commits:
      • Tag: android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
      • Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based (stable|alpha)
      • android-components stable
      • android-components alpha
    • Push tags to upstream
  • OR
  • No backports

fenix (Optional, ESR 102): https://gitlab.torproject.org/tpo/applications/fenix.git

  • Backport any Android-specific security fixes from Firefox rapid-release
    • NOTE: Since February 2023, this repo has been merged with android-components into a singular firefox-android repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy fenix project.
    • Backport patches to fenix stable branch
    • Open MR
    • Merge
    • Rebase patches onto fenix alpha
    • Sign/Tag commits:
      • Tag: tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
      • Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based (stable|alpha)
      • fenix stable
      • fenix alpha
    • Push tags to upstream
  • OR
  • No backports

firefox-android: https://gitlab.torproject.org/tpo/applications/firefox-android

  • Backport any Android-specific security fixes from Firefox rapid-release
    • Backport patches to firefox-android stable branch
    • Open MR
    • Merge
    • Rebase patches onto fenix alpha
    • Sign/Tag commits:
      • Tag: firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)
      • Message: Tagging $(BUILD_N) for $(ESR_VERSION)-based (stable|alpha)
      • firefox-android stable
      • firefox-android alpha
    • Push tags to upstream
  • OR
  • No backports
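
The Sign/Tag step that recurs in each project section, as an added shell sketch (not the project's release tooling): it composes the tag name and message from the template variables, rejects fields that do not fit their documented shape, and verifies the signature before anything is pushed. The validation patterns, including the optional `esr` suffix, are assumptions inferred from the examples under "Explanation of Variables".

```shell
#!/bin/sh
# Added example, not the project's release tooling. Field patterns are
# assumptions based on the examples in "Explanation of Variables".

# alpha_minor STABLE_MINOR -> prints the alpha minor, (Stable + 5) % 10
alpha_minor() {
    echo $(( ($1 + 5) % 10 ))
}

# tag_name PROJECT ESR_VERSION MAJOR MINOR BUILD_N
# Prints the tag, or returns 1 if a field does not fit its expected shape.
tag_name() {
    [ $# -eq 5 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z]+(-[a-z]+)*$'        || return 1
    printf '%s\n' "$2" | grep -Eq '^[0-9]+(\.[0-9]+)+(esr)?$' || return 1
    printf '%s\n' "$3" | grep -Eq '^[0-9]+$'                  || return 1
    case "$4" in 0|5) ;; *) return 1 ;; esac
    printf '%s\n' "$5" | grep -Eq '^build[0-9]+$'             || return 1
    printf '%s-%s-%s.%s-1-%s\n' "$1" "$2" "$3" "$4" "$5"
}

# tag_message ESR_VERSION BUILD_N CHANNEL   (CHANNEL is stable or alpha)
tag_message() {
    case "$3" in stable|alpha) ;; *) return 1 ;; esac
    printf 'Tagging %s for %s-based %s\n' "$2" "$1" "$3"
}

# sign_tag COMMIT CHANNEL PROJECT ESR_VERSION MAJOR MINOR BUILD_N
# Creates a signed annotated tag, then verifies its signature locally.
sign_tag() {
    tag=$(tag_name "$3" "$4" "$5" "$6" "$7") ||
        { echo "refusing to tag: bad field" >&2; return 1; }
    msg=$(tag_message "$4" "$7" "$2") ||
        { echo "refusing to tag: bad channel" >&2; return 1; }
    git tag -s -m "$msg" "$tag" "$1" && git tag -v "$tag"
}

# Example with the values from "Explanation of Variables": the alpha tag
# that pairs with a stable 12.0 release.
tag_name tor-browser 102.8.0 12 "$(alpha_minor 0)" build1
```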
Edited by ma1