[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?
From: Cain Ungothep <ungocain@xxxxxxxxxx>
Date: Fri, 12 Feb 2016 07:20:05 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 12 Feb 2016 01:27:36 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com; s=mail; t=1455258005; bh=FurGzvjMfomHnZO7a5yAcrnBTjtdb16oJnU5Ospv3b0=; h=From:To:Subject:Date; b=BbywO0GGMz5JtRHa1u5z7cAX5zrcfT5yFrnHt5ZdZyZNzpsag1d++Fn+L39JOzzJq 9n43hkyU42XmH8AvOswUHJMlnWXXq2h97gCsrbae8jVDqUgtEl3i92HXtRTwJnMT+z QXZywWElBbcEjmlyjRAbrITkYnmsdqe57RWqwvdc=
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

> I would
> like to know if Tor Browser 5.5.1 is vulnerable. Thanks

Looks like it is:

https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=7a36dbece35a307675f396a019dccf6e431efb44

That build corresponds to a branch which includes the commit that
supposedly fixed bug 1246093, and this commit was only pushed less than
48 hours ago.

NOTE: Torbutton's security slider at level "High" says "Some font rendering
features are disabled" and "[...] The Graphite font rendering mechanism
is disabled."  It would be good to know if this prevents the
vulnerability.

> [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
> [2]:
> http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
> [3]:
> https://blog.torproject.org/blog/tor-browser-551-released#comment-155968
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?
  - From: Georg Koppen

Prev by Author: Re: [tor-talk] Recommended setting for NoScript's Javascript?
Next by Author: Re: [tor-talk] automatic Tor browser updates
Previous by thread: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?
Next by thread: Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?
Index(es):
- Author
- Thread