User:Ashughes/Test Plans/CVE-2012-5076

From MozillaWiki
Jump to: navigation, search

CVE-2012-5076 Test Plan

The following is a test plan to qualify softblocking Java 7u5, 7u6, and 7u7 on all platforms for Firefox 17 and earlier (bug 812896).

How to Test

1. Go to about:config, change the following prefs and restart Firefox

  • find the extensions.blocklist.url pref and change the addons.mozilla.org part of the value to addons-dev.allizom.org
  • find the app.update.interval pref and change the value to 60
  • find the extensions.blocklist.interval pref and change the value to 60
  • find the app.update.lastUpdateTime.blocklist-background-update-timer and reset it

2. Run the following in Error Console:

Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

3. Wait a minute then try to load some plugin content (java demos)

4. If the block does not appear to be working, verify your blocklist.xml file contains the staged blocklist.

  • Windows: %appdata%/Mozilla/Firefox/Profiles/%profile%/blocklist.xml
Downloads
Expected Results
  • A softblock displays a prompt indicating their version of the plugin is vulnerable, but it provides a checkbox on the dialog to give the user opportunity to opt-out and keep their plugin enabled.
  • Types of blocklist behaviour

Ubuntu Guide

Run the following commands from terminal (assumes Java tarball in Downloads folder)

32-bit
  • rm -v ~/.mozilla/plugins/libnpjp2.so
  • sudo rm -r -v /opt/java
  • sudo mkdir -p -v /opt/java/32
  • cd Downloads && tar xvzf ~/Downloads/jre-NuN-linux-i586.tar.gz
  • sudo mv -v ~/Downloads/jre1.N.0_NN /opt/java/32
  • sudo update-alternatives --install "/usr/bin/java" "java" "/opt/java/32/jre1.N.0_NN/bin/java" 1
  • sudo update-alternatives --set java /opt/java/32/jre1.N.0_NN/bin/java
  • mkdir ~/.mozilla/plugins
  • ln -s /opt/java/32/jre1.N.0_NN/lib/i386/libnpjp2.so ~/.mozilla/plugins/
  • Start Firefox and you should see Java listed in Add-ons Manager::Plugins
64-bit
  • rm -v ~/.mozilla/plugins/libnpjp2.so
  • sudo rm -r -v /opt/java
  • sudo mkdir -p -v /opt/java/64
  • cd Downloads && tar xvzf ~/Downloads/jre-NuN-linux-x64.tar.gz
  • sudo mv -v ~/Downloads/jre1.N.0_NN /opt/java/64
  • sudo update-alternatives --install "/usr/bin/java" "java" "/opt/java/64/jre1.N.0_NN/bin/java" 1
  • sudo update-alternatives --set java /opt/java/64/jre1.N.0_NN/bin/java
  • mkdir ~/.mozilla/plugins
  • ln -s /opt/java/64/jre1.N.0_NN/lib/amd64/libnpjp2.so ~/.mozilla/plugins/
  • Start Firefox and you should see Java listed in Add-ons Manager::Plugins

OSX Guide

  • Search for "JavaAppletPlugin.plugin" in Finder and move it to Trash
  • Install the Java Runtime downloaded from oracle.com

Staging

Firefox 17 Windows 7 Mac OSX 10.8 Ubuntu 12.04
Java 7u5 (softblock) FAIL [1] FAIL [2] FAIL [1]
Java 7u9 (unblocked) PASS FAIL [2] PASS
Firefox 16 Windows 7 Mac OSX 10.8 Ubuntu 12.04
Java 7u6 (softblock) FAIL [1] FAIL [2] PASS
Java 7u9 (unblocked) PASS PASS
Firefox 10esr Windows 7 Mac OSX 10.8 Ubuntu 12.04
Java 7u7 (softblock) FAIL [1] PASS PASS
Java 7u9 (unblocked) PASS FAIL [2] PASS

Issues Found

  1. Release: Java disabled on first-run, can be enabled in Add-ons Manager; enabling and pinging blocklist triggers Softblock
  2. Beta: Java disabled on first-run, applet won't initialize when Java enabled in Firefox 17.0b6
  3. OSX: On one machine I see the above two issues. On a different machine with 10.8, whether I run 17b6 or 17RC, I get asked by the operating system to isntall Java SE 6 if I want to run Firefox whenever I try to load an applet.

Live

Plugin Windows 7 Mac OSX 10.7 Ubuntu 12.04
Java 7u7 17.0: softblocked on ping (7u7)
16.0.2: softblocked on ping (7u7)
17.0: softblocked on ping (7u7)
16.0.1: softblocked on ping (7u7)
17.0: softblocked on ping (7u7)
16.0: softblocked on ping (7u7)
Java 7 to 7u4 17.0: hardblocked on firstrun (7u4)
16.0: hardblocked on firstrun (7u4)
17.0: n/a (JRE not available)
16.0.2: n/a (JRE not available)
17.0: hardblocked on firstrun (7u3)
16.0.1: hardblocked on firstrun (7u3)
Java 6u32 and earlier 17.0: hardblocked on firstrun (6u31)
16.0.1: hardblocked on firstrun (6u31)
17.0: n/a (JRE not available)
16.0.2: n/a (JRE not available)
17.0: hardblocked on firstrun (6u32)
16.0: hardblocked on firstrun (6u32)