Closed
Bug 804046
Opened 12 years ago
Closed 12 years ago
[Security Review][Action item] Updates for B2G - fuzz MAR format
Categories
(mozilla.org :: Security Assurance, task, P2)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: pauljt, Unassigned)
Details
During the discussion of B2G updates, the threat of a malicious MAR file being delivered to a device was discussed. Update manifests are delivered over SSL, and contain a URL and a hash of the update. The update itself is downloaded over HTTP (to support CDNs, I think).
The threat here is that an attacker with network control (MITM) could modify/replace the update contents. However, the attack surface is pretty small, since the first thing that happens after download is that the hash of the file is checked. So any fuzzing wouldn't really be against the MAR format; it would be against that hash check.
So I don't think there really is an action here, but thought I should document this for completeness.
Reporter, updated 12 years ago:
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
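The verify-before-parse order described in the report, as an added example (not part of the bug report and not Mozilla's updater code). The manifest keys `hash_function`, `hash_value` and `size`, the hash allow-list, and the `parse_mar` callback are assumptions made for illustration; the sample bytes are constructed.

```python
import hashlib
import hmac
import io

ALLOWED_HASHES = {"sha256", "sha384", "sha512"}  # assumption: weak digests refused

class UpdateRejected(Exception):
    """The downloaded bytes do not match the manifest fetched over TLS."""

def verify_update(stream, manifest, chunk_size=65536):
    """Return the verified update bytes, or raise UpdateRejected.

    `manifest` uses hypothetical keys: hash_function, hash_value, size.
    """
    algo = manifest["hash_function"].lower()
    if algo not in ALLOWED_HASHES:
        raise UpdateRejected(f"hash function not allowed: {algo}")
    expected_size = int(manifest["size"])
    digest = hashlib.new(algo)
    buf = bytearray()
    while chunk := stream.read(chunk_size):
        buf += chunk
        if len(buf) > expected_size:  # stop early on an oversized body
            raise UpdateRejected("download larger than manifest size")
        digest.update(chunk)
    if len(buf) != expected_size:
        raise UpdateRejected("download shorter than manifest size")
    if not hmac.compare_digest(digest.hexdigest(), manifest["hash_value"].lower()):
        raise UpdateRejected("hash mismatch")
    return bytes(buf)

def apply_update(stream, manifest, parse_mar):
    """Hand bytes to the format parser only after they are authenticated."""
    return parse_mar(verify_update(stream, manifest))

# Constructed sample: stand-in bytes for an update and its trusted manifest entry.
GOOD = b"MAR1" + bytes(range(64))
MANIFEST = {
    "hash_function": "sha512",
    "hash_value": hashlib.sha512(GOOD).hexdigest(),
    "size": len(GOOD),
}

if __name__ == "__main__":
    print(apply_update(io.BytesIO(GOOD), MANIFEST, len), "bytes reached the parser")
    tampered = bytes([GOOD[0] ^ 1]) + GOOD[1:]  # one bit flipped in transit
    try:
        apply_update(io.BytesIO(tampered), MANIFEST, len)
    except UpdateRejected as exc:
        print("rejected before parsing:", exc)
```

With this ordering the parser only ever sees bytes that match the manifest, so the code exposed to network-modified input is the size and hash check itself.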