[tor-commits] [tor-browser-spec/master] Bug 40019: Add FF90 audit

sysrqb at torproject.org sysrqb at torproject.org
Thu Jul 8 03:08:04 UTC 2021


commit cdda784cb76aeba1a6856e151b26139c04e97595
Author: Matthew Finkel <sysrqb at torproject.org>
Date:   Thu Jul 8 03:05:32 2021 +0000

    Bug 40019: Add FF90 audit
---
 audits/FF90_NETWORK_AUDIT | 77 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/audits/FF90_NETWORK_AUDIT b/audits/FF90_NETWORK_AUDIT
new file mode 100644
index 0000000..7a667c1
--- /dev/null
+++ b/audits/FF90_NETWORK_AUDIT
@@ -0,0 +1,77 @@
+============ General =============
+
+The audit begins at the commit hash where the previous audit ended. Use
+code_audit.sh for creating the diff and highlighting potentially problematic
+code. The audit is scoped to a specific language (currently C/C++, Rust,
+Java/Kotlin, and Javascript).
+
+The output includes the entire patch where the new problematic code was
+introduced. Search for "XXX MATCH XXX" to find the next potential violation.
+
+code_audit.sh contains the list of known problematic APIs. New usage of these
+functions are documented and analyzed in this audit.
+
+============ Firefox General Portion =============
+
+Start: 3862f77749dd50e54c3d9eea32fb59e84d978c96 # FIREFOX_89_0_RELEASE
+End:   5e8ffbe1bf6d448cb235cb0a64a56646a6537b22 # FIREFOX_90_0b12_BUILD1
+
+# Nothing of interest (using `code_audit.sh`)
+
+============ Application Services Portion =============
+
+Start: ad7b64fa03eeeb00815125e635d1fb8809befd40 # v74.0.1
+End:   dd09c25f14dbf45f1637ed8dca2d1e5ff668479f # v77.0.2
+
+# a994a18d2cfec9ef404029885a64985126d8e265
+#  - Restructured Nimbus-SDK to prep for move to app-services repo.
+#  - Review Result: Safe
+
+# 5cbae43a3cc4c461108c2a7ff9f57018f982046f
+#  - Move Nimbus.kt from Android Components (#4036)
+#  - Review Result: Safe
+
+============ Android Components Portion =============
+
+Start: 5204f4025ce8b60c64f92eb3f60ee644cafd4fc8 # v75.0.22
+End:   536cb9fe133e555109c3f25024148260aace6dab # v90.0.11
+
+# Issue #10162
+#  - Don't show the contextual menu for blocked urls
+#  - Review Result: Safe
+
+# 8ef0c763d42c554c50dc37815d6e3cdd4361373f
+#  - Move Nimbus.kt to Application Services
+#  - Review Result: Safe
+
+# b19c84beca0d6f31e145cd5e49896176b8b592c6
+#  - Restore Nimbus object passing in threads, observers and logtag
+#  - Review Result: Safe
+
+# Issue #9189
+#  - Refactor service-pocket to support recommended articles.
+#  - Review Result: Safe (background requests are not isolated)
+
+============ Fenix Portion =============
+
+Start: edea181c543ffee077bb3ca52830ba8d320358b2  # v89.1.1
+End:   6d43c622b4515becbf29ba7956ec2fbe1e5bdc31  # v90.0.0-beta.6
+
+# Issue #19693
+#  - Display a biometric prompt when a credit card is selected to autofill (#19697)
+#  - Review Result: Safe
+
+# Issue #11819
+#  - Show the mic in widget only if setting is enabled
+#  - Review Result: Safe
+
+# Issue #18264
+#  - Add biometric prompt to credit card settings (#19505)
+#  - Review Result: Safe
+
+============ Regression/Prior Vuln Review =========
+
+Review proxy bypass bugs; check for new vectors to look for:
+ - https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
+   - Look for new features like these. Especially external app launch vectors
+



More information about the tor-commits mailing list