Bug 1625531 (CVE-2018-12383)
Summary: | CVE-2018-12383 Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Doran Moppert <dmoppert> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | cschalle, gecko-bugs-nobody, jhorak, security-response-team, stransky |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-09-28 01:23:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1623037, 1623039, 1623040, 1625533, 1625535, 1632064, 1632065, 1632532, 1632968, 1636821 | ||
Bug Blocks: | 1623023, 1632061, 1636820 |
Description
Doran Moppert
2018-09-05 07:15:19 UTC
Acknowledgments: Name: the Mozilla project Upstream: Jurgen Gaeremyn More information including wontfix decision in the upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1475775 Mitigation: To mitigate against this flaw, examine user profile directories for the presence of both `key3.db` and `key4.db` files. If both are present, `key3.db` should be deleted. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2834 https://access.redhat.com/errata/RHSA-2018:2834 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2835 https://access.redhat.com/errata/RHSA-2018:2835 Statement: Upstream decided to not fix this issue in Firefox ESR 60.2 given the low impact. A future ESR update may correct this flaw. This flaw would impact users who had saved passwords from Firefox 58 or earlier that were not protected by a master password (resulting in an un-encrypted `key3.db`), but set a master password when using Firefox 59 or newer (resulting in an encrypted `key4.db`). The old key file was kept around to facilitate downgrading to Firefox 58. This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:3403 https://access.redhat.com/errata/RHSA-2018:3403 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3458 https://access.redhat.com/errata/RHSA-2018:3458 |