
Re: [tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552



#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by boklm):

 Replying to [comment:15 cypherpunks]:
 > > Hardcoding any path (like suggested with C:\Windows or a path below it
 > > in comment:6) like e.g. the curl devs did does not do the trick according
 > > to your line of reasoning.
 > How to teach OpenSSL to dance? Make it compatible with app-local
 > installation, no?
 > For Tor Browser, the best option is to disable everything related to
 > those paths as it doesn't use them. But you can change them to
 > `C:\Windows\Tor Browser` as a so-so workaround.

 Reading
 https://daniel.haxx.se/blog/2019/06/24/openssl-engine-code-injection-in-curl/
 it seems that the issue can happen when a program loads the openssl
 configuration file from the default path, which is done with the openssl
 function `CONF_modules_load_file`. However we don't call this function in
 tor, so it doesn't look like we are vulnerable to this issue.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
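
An added example, not part of the comment above or of the Tor code base: a source check for the reasoning in that comment, listing explicit calls that load `openssl.cnf` and marking the ones that fall back to the default path. `CONF_modules_load_file` comes from the comment; `OPENSSL_config`, the `OPENSSL_INIT_LOAD_CONFIG` flag and the C sample are additions constructed here, and config loading that OpenSSL performs implicitly is out of scope.

```python
import re

# Comments and string literals are blanked first so that mentions of the
# function inside them are not reported as calls.
COMMENT_OR_STRING = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
# CONF_modules_load_file is the function named in the ticket comment;
# OPENSSL_config and OPENSSL_INIT_LOAD_CONFIG are added here (assumption:
# they are the other explicit ways an application asks for openssl.cnf).
CALL = re.compile(r'\b(CONF_modules_load_file|OPENSSL_config)\s*\(\s*([^,)]*)')
FLAG = re.compile(r'\bOPENSSL_INIT_LOAD_CONFIG\b')

def _blank(match):
    text = match.group(0)
    if text.startswith('"'):
        return '""'                      # keep a visible (empty) string argument
    return re.sub(r'[^\n]', ' ', text)   # keep newlines so line numbers hold

def find_config_loads(source):
    """Return sorted (line, name, path_kind) for explicit config loads in C source."""
    clean = COMMENT_OR_STRING.sub(_blank, source)
    hits = []
    for m in CALL.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        name, first_arg = m.group(1), m.group(2).strip()
        # A NULL filename makes CONF_modules_load_file use the compiled-in
        # default location; OPENSSL_config always reads the default file.
        default = name == "OPENSSL_config" or first_arg in ("NULL", "0")
        hits.append((line, name, "default path" if default else "explicit path"))
    for m in FLAG.finditer(clean):
        hits.append((clean.count("\n", 0, m.start()) + 1, m.group(0), "default path"))
    return sorted(hits)

# Constructed sample input, not code from tor or curl.
SAMPLE = '''\
#include <openssl/conf.h>
/* CONF_modules_load_file(NULL, NULL, 0); old init, removed */
void init_a(void) {
    CONF_modules_load_file(NULL, "myapp", 0);
}
void init_b(const char *cfg) {
    puts("CONF_modules_load_file(NULL) is not called here");
    CONF_modules_load_file(cfg, NULL, 0);
}
void init_c(void) {
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);
}
'''

if __name__ == "__main__":
    for line, name, kind in find_config_loads(SAMPLE):
        print(f"line {line}: {name} ({kind})")
```
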