Bug 1745687 (CVE-2019-11733)
Summary: | CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied without master password entry | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | msiddiqu |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | 0xalen+redhat, anto.trande, bsanford, dmoppert, gecko-bugs-nobody, jhorak, john.j5live, kengert, mboisver, pjasicek, rhughes, rstrode, sandmann, stransky, tpelka |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Firefox 68.0.2 | Doc Type: | If docs needed, set a value |
Last Closed: | 2019-09-12 12:46:06 UTC | Type: | --- |
Bug Depends On: | 1745688, 1745828, 1745829, 1745831 | ||
Bug Blocks: | 1745825 |
Description
msiddiqu
2019-08-26 16:07:57 UTC
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 1745688]

External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/

I am using 68.0.2 on F30 and I still see something I am not sure is correct.

What I am seeing is:

1. Set Master password
2. Go to Gmail, enter Gmail password and add account and password to Master, when prompted.
3. Logout of Gmail and close browser.
4. Open Firefox, load Gmail and I am asked for Master before I can get to Gmail.
5. Logout of Gmail and don't close browser.
6. Log into Gmail and without prompting from entering Master password I can see and copy the existing password from Gmail.

It seems like closing the browser is the gating factor. I only have Gmail added to the Master.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2019:2694 https://access.redhat.com/errata/RHSA-2019:2694

(In reply to Bill Sanford from comment #3)
> I am using 68.0.2 on F30 and I still see something I am not sure is correct.
>
> What I am seeing is:
>
> 1. Set Master password
> 2. Go to Gmail, enter Gmail password and add account and password to Master,
> when prompted.
> 3. Logout of Gmail and close browser.
> 4. Open Firefox, load Gmail and I am asked for Master before I can get to
> Gmail.
> 5. Logout of Gmail and don't close browser.
> 6. Log into Gmail and without prompting from entering Master password I can
> see and copy the existing password from Gmail.
>
> It seems like closing the browser is the gating factor. I only have Gmail
> added to the Master.

Since we don't have access to the upstream security bug, we've moved it to upstream to decide: https://bugzilla.mozilla.org/show_bug.cgi?id=1580203

Bill, according to upstream, everything is okay: https://bugzilla.mozilla.org/show_bug.cgi?id=1580203#c1

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2729 https://access.redhat.com/errata/RHSA-2019:2729

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11733