User:Ashughes/Test Plans/CVE-2012-5076
From MozillaWiki
Contents
CVE-2012-5076 Test Plan
The following is a test plan to qualify softblocking Java 7u5, 7u6, and 7u7 on all platforms for Firefox 17 and earlier (bug 812896).
How to Test
1. Go to about:config, change the following prefs and restart Firefox
- find the extensions.blocklist.url pref and change the addons.mozilla.org part of the value to addons-dev.allizom.org
- find the app.update.interval pref and change the value to 60
- find the extensions.blocklist.interval pref and change the value to 60
- find the app.update.lastUpdateTime.blocklist-background-update-timer and reset it
2. Run the following in Error Console:
Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
3. Wait a minute then try to load some plugin content (java demos)
4. If the block does not appear to be working, verify your blocklist.xml file contains the staged blocklist.
- Windows: %appdata%/Mozilla/Firefox/Profiles/%profile%/blocklist.xml
- Downloads
- Archived versions of JRE (oldapps.com)
- Expected Results
- A softblock displays a prompt indicating their version of the plugin is vulnerable, but it provides a checkbox on the dialog to give the user opportunity to opt-out and keep their plugin enabled.
- Types of blocklist behaviour
Ubuntu Guide
Run the following commands from terminal (assumes Java tarball in Downloads folder)
- 32-bit
- rm -v ~/.mozilla/plugins/libnpjp2.so
- sudo rm -r -v /opt/java
- sudo mkdir -p -v /opt/java/32
- cd Downloads && tar xvzf ~/Downloads/jre-NuN-linux-i586.tar.gz
- sudo mv -v ~/Downloads/jre1.N.0_NN /opt/java/32
- sudo update-alternatives --install "/usr/bin/java" "java" "/opt/java/32/jre1.N.0_NN/bin/java" 1
- sudo update-alternatives --set java /opt/java/32/jre1.N.0_NN/bin/java
- mkdir ~/.mozilla/plugins
- ln -s /opt/java/32/jre1.N.0_NN/lib/i386/libnpjp2.so ~/.mozilla/plugins/
- Start Firefox and you should see Java listed in Add-ons Manager::Plugins
- 64-bit
- rm -v ~/.mozilla/plugins/libnpjp2.so
- sudo rm -r -v /opt/java
- sudo mkdir -p -v /opt/java/64
- cd Downloads && tar xvzf ~/Downloads/jre-NuN-linux-x64.tar.gz
- sudo mv -v ~/Downloads/jre1.N.0_NN /opt/java/64
- sudo update-alternatives --install "/usr/bin/java" "java" "/opt/java/64/jre1.N.0_NN/bin/java" 1
- sudo update-alternatives --set java /opt/java/64/jre1.N.0_NN/bin/java
- mkdir ~/.mozilla/plugins
- ln -s /opt/java/64/jre1.N.0_NN/lib/amd64/libnpjp2.so ~/.mozilla/plugins/
- Start Firefox and you should see Java listed in Add-ons Manager::Plugins
OSX Guide
- Search for "JavaAppletPlugin.plugin" in Finder and move it to Trash
- Install the Java Runtime downloaded from oracle.com
Staging
Firefox 17 | Windows 7 | Mac OSX 10.8 | Ubuntu 12.04 |
Java 7u5 (softblock) | FAIL [1] | FAIL [2] | FAIL [1] |
Java 7u9 (unblocked) | PASS | FAIL [2] | PASS |
Firefox 16 | Windows 7 | Mac OSX 10.8 | Ubuntu 12.04 |
Java 7u6 (softblock) | FAIL [1] | FAIL [2] | PASS |
Java 7u9 (unblocked) | PASS | PASS | |
Firefox 10esr | Windows 7 | Mac OSX 10.8 | Ubuntu 12.04 |
Java 7u7 (softblock) | FAIL [1] | PASS | PASS |
Java 7u9 (unblocked) | PASS | FAIL [2] | PASS |
Issues Found
- Release: Java disabled on first-run, can be enabled in Add-ons Manager; enabling and pinging blocklist triggers Softblock
- Beta: Java disabled on first-run, applet won't initialize when Java enabled in Firefox 17.0b6
- OSX: On one machine I see the above two issues. On a different machine with 10.8, whether I run 17b6 or 17RC, I get asked by the operating system to isntall Java SE 6 if I want to run Firefox whenever I try to load an applet.
Live
Plugin | Windows 7 | Mac OSX 10.7 | Ubuntu 12.04 |
Java 7u7 | 17.0: softblocked on ping (7u7) 16.0.2: softblocked on ping (7u7) |
17.0: softblocked on ping (7u7) 16.0.1: softblocked on ping (7u7) |
17.0: softblocked on ping (7u7) 16.0: softblocked on ping (7u7) |
Java 7 to 7u4 | 17.0: hardblocked on firstrun (7u4) 16.0: hardblocked on firstrun (7u4) |
17.0: n/a (JRE not available) 16.0.2: n/a (JRE not available) |
17.0: hardblocked on firstrun (7u3) 16.0.1: hardblocked on firstrun (7u3) |
Java 6u32 and earlier | 17.0: hardblocked on firstrun (6u31) 16.0.1: hardblocked on firstrun (6u31) |
17.0: n/a (JRE not available) 16.0.2: n/a (JRE not available) |
17.0: hardblocked on firstrun (6u32) 16.0: hardblocked on firstrun (6u32) |