Bug 1074235 - MozillaFirefox: background tab crash reports sent inadvertently without user opt-in
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Firefox
Version: Leap 42.3
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Assigned To: E-mail List
Reported: 2017-12-29 18:48 UTC by Andreas Stieger
Modified: 2022-09-06 16:40 UTC
Found By: Security Response Team


Description Andreas Stieger 2017-12-29 18:48:57 UTC
https://www.mozilla.org/en-US/firefox/52.5.3/releasenotes/
https://www.mozilla.org/en-US/firefox/57.0.3/releasenotes/

Firefox was affected by a crash reporting issue that inadvertently
sends background tab crash reports to Mozilla without user opt-in 

https://bugzilla.mozilla.org/show_bug.cgi?id=1427111
Fixed in 52.5.3 ESR and 57.0.3

May explain some observations alleged in bug 1073399.
Comment 1 Swamp Workflow Management 2017-12-29 22:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1074235) was mentioned in
https://build.opensuse.org/request/show/560650 42.2+42.3 / MozillaFirefox
Comment 2 Frank Krüger 2017-12-30 10:09:09 UTC
(In reply to Andreas Stieger from comment #0)
> https://www.mozilla.org/en-US/firefox/52.5.3/releasenotes/
> https://www.mozilla.org/en-US/firefox/57.0.3/releasenotes/
> 
> Firefox was affected by a crash reporting issue that inadvertently
> sends background tab crash reports to Mozilla without user opt-in 
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1427111
> Fixed in 52.5.3 ESR and 57.0.3
> 
> May explain some observations alleged in bug 1073399.

Given the above-mentioned bug and the discussion, e.g., at https://bugzilla.mozilla.org/show_bug.cgi?id=1424781 on datareporting and telemetry, are there any plans on the SUSE security side to re-evaluate possible privacy issues for Firefox and Thunderbird?
Comment 4 Andreas Stieger 2017-12-30 21:32:05 UTC
(In reply to Frank Kruger from comment #2)
> Given the above-mentioned bug and the discussion, e.g., at
> https://bugzilla.mozilla.org/show_bug.cgi?id=1424781 on datareporting and
> telemetry, are there any plans on the SUSE security side to re-evaluate
> possible privacy issues for Firefox and Thunderbird?

Security team is skeptical but rarely wears tinfoil hats. I do not think that we are likely to evaluate this on general privacy concerns alone, as in the "evil organization" sense.

Aspects that we would delegate to the maintainer and the openSUSE project at large to handle:

* Differing opinions about whether telemetry features should be allowed
* same, on the vendor and its policies

Reasons why we would look into it:

* Ineffective transport encryption or certificate chain validation
* Generally ineffective user settings (such as this bug)
* Attacker triggered transfer of information to an unintended destination,
  or extraction of unintended information
* Without involving an attacker, if information sent differs from the declared content
* Behavior that deviates drastically from the user expectations or documentation
  (e.g. demonstrable trojan)
* Anything else that crosses a security boundary

I hope that answers your question. I would like to stress that I am in no way entirely dismissive of these concerns. We would just like to start the discussion slightly more refined than the summary of bug 1073399.
Comment 5 Frank Krüger 2017-12-30 23:36:40 UTC
(In reply to Andreas Stieger from comment #4)
> (In reply to Frank Kruger from comment #2)
> > Given the above-mentioned bug and the discussion, e.g., at
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1424781 on datareporting and
> > telemetry, are there any plans on the SUSE security side to re-evaluate
> > possible privacy issues for Firefox and Thunderbird?
> 
> Security team is skeptical but rarely wears tinfoil hats. I do not think
> that we are likely to evaluate this on general privacy concerns alone, as in
> the "evil organization" sense.
> 
> Aspects that we would delegate to the maintainer and the openSUSE project at
> large to handle:
> 
> * Differing opinions about whether telemetry features should be allowed
> * same, on the vendor and its policies
> 
> Reasons why we would look into it:
> 
> * Ineffective transport encryption or certificate chain validation
> * Generally ineffective user settings (such as this bug)
> * Attacker triggered transfer of information to an unintended destination,
>   or extraction of unintended information
> * Without involving an attacker, if information sent differs from the
> declared content
> * Behavior that deviates drastically from the user expectations or documentation
>   (e.g. demonstrable trojan)
> * Anything else that crosses a security boundary
> 
> I hope that answers your question. I would like to stress that I am in no
> way entirely dismissive of these concerns. We would just like to start the
> discussion slightly more refined than the summary of bug 1073399.

I do agree. Thank you for clarification.
Comment 6 Frank Krüger 2017-12-31 08:10:31 UTC
(In reply to Andreas Stieger from comment #3)
> https://build.opensuse.org/request/show/560624
> https://build.opensuse.org/request/show/560625
> https://build.opensuse.org/request/show/560783

FYI the links result in a 500 error page. Other requests work fine.
Comment 7 Swamp Workflow Management 2017-12-31 09:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1074235) was mentioned in
https://build.opensuse.org/request/show/560869 Factory / MozillaFirefox
Comment 8 Swamp Workflow Management 2017-12-31 20:09:10 UTC
openSUSE-RU-2017:3457-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1074235
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    MozillaFirefox-52.5.3-72.1
openSUSE Leap 42.2 (src):    MozillaFirefox-52.5.3-57.27.1
Comment 9 Swamp Workflow Management 2018-01-03 14:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1074235) was mentioned in
https://build.opensuse.org/request/show/561348 Factory / MozillaFirefox
Comment 10 Swamp Workflow Management 2018-01-04 23:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (1074235) was mentioned in
https://build.opensuse.org/request/show/561754 Factory / MozillaFirefox
Comment 21 Swamp Workflow Management 2019-10-31 11:19:15 UTC
SUSE-SU-2019:2872-1: An update that fixes 51 vulnerabilities is now available.

Category: security (important)
Bug References: 1010399,1010405,1010406,1010408,1010409,1010421,1010423,1010424,1010425,1010426,1025108,1043008,1047281,1074235,1092611,1120374,1137990,1149429,1154738,959933,983922
CVE References: CVE-2016-2830,CVE-2016-5289,CVE-2016-5292,CVE-2016-9063,CVE-2016-9067,CVE-2016-9068,CVE-2016-9069,CVE-2016-9071,CVE-2016-9073,CVE-2016-9075,CVE-2016-9076,CVE-2016-9077,CVE-2017-7789,CVE-2018-5150,CVE-2018-5151,CVE-2018-5152,CVE-2018-5153,CVE-2018-5154,CVE-2018-5155,CVE-2018-5157,CVE-2018-5158,CVE-2018-5159,CVE-2018-5160,CVE-2018-5163,CVE-2018-5164,CVE-2018-5165,CVE-2018-5166,CVE-2018-5167,CVE-2018-5168,CVE-2018-5169,CVE-2018-5172,CVE-2018-5173,CVE-2018-5174,CVE-2018-5175,CVE-2018-5176,CVE-2018-5177,CVE-2018-5178,CVE-2018-5179,CVE-2018-5180,CVE-2018-5181,CVE-2018-5182,CVE-2018-5183,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-15903
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE OpenStack Cloud 7 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    MozillaFirefox-68.2.0-109.95.2
SUSE Enterprise Storage 5 (src):    MozillaFirefox-68.2.0-109.95.2
HPE Helion Openstack 8 (src):    MozillaFirefox-68.2.0-109.95.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2019-12-11 20:23:45 UTC
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Bug References: 1000036,1001652,1025108,1029377,1029902,1040164,104105,1042670,1043008,1044946,1047925,1047936,1048299,1049186,1050653,1056058,1058013,1066242,1066953,1070738,1070853,1072320,1072322,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1074235,1077230,1079761,1081750,1082318,1087453,1087459,1087463,1088573,1091764,1094814,1097158,1097375,1097401,1097404,1097748,1104841,1105019,1107030,1109465,1117473,1117626,1117627,1117629,1117630,1120644,1122191,1123482,1124525,1127532,1129346,1130694,1130840,1133452,1133810,1134209,1138459,1140290,1140868,1141853,1144919,1145665,1146090,1146091,1146093,1146094,1146095,1146097,1146099,1146100,1149323,1153423,1154738,1447070,1447409,744625,744629,845955,865853,905528,917607,935856,937414,947747,948045,948602,955142,957814,957815,961254,962297,966076,966077,985201,986541,991344,998743
CVE References: CVE-2013-2882,CVE-2013-6639,CVE-2013-6640,CVE-2013-6668,CVE-2014-0224,CVE-2015-3193,CVE-2015-3194,CVE-2015-5380,CVE-2015-7384,CVE-2016-2086,CVE-2016-2178,CVE-2016-2183,CVE-2016-2216,CVE-2016-5172,CVE-2016-5325,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7099,CVE-2017-1000381,CVE-2017-10686,CVE-2017-11111,CVE-2017-11499,CVE-2017-14228,CVE-2017-14849,CVE-2017-14919,CVE-2017-15896,CVE-2017-15897,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820,CVE-2017-18207,CVE-2017-3735,CVE-2017-3736,CVE-2017-3738,CVE-2018-0732,CVE-2018-1000168,CVE-2018-12115,CVE-2018-12116,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-20406,CVE-2018-20852,CVE-2018-7158,CVE-2018-7159,CVE-2018-7160,CVE-2018-7161,CVE-2018-7167,CVE-2019-10160,CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11718,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-13173,CVE-2019-15903,CVE-2019-5010,CVE-2019-5737,CVE-2019-9511,CVE-2019-9512,CVE-2019-9513,CVE-2019-9514,CVE-2019-9515,CVE-2019-9516,CVE-2019-9517,CVE-2019-9518,CVE-2019-9636,CVE-2019-9811,CVE-2019-9812,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.