[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552



#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Changes (by gk):

 * status:  reopened => needs_information


Comment:

 Replying to [comment:6 cypherpunks]:
 > No, it's not fixed. `Program Files (x86)` looks even like the same hole
 for 32-bit Windows. Fixing compilation doesn't mean fixing a CVE. Anyway,
 that's for the default fallback only.
 >
 > Your scenario is different, because you ship OpenSSL with a portable
 application, which is known as an app-local installation. That's why you
 are not allowed to use the default paths of system-wide OpenSSL. You have
 been warned about that in ticket:23396#comment:14, but still can't realize
 what it means, it seems :(

 Not sure what you mean. This is what we get for 64bit Windows:
 {{{
 001f5900: 4f50 454e 5353 4c44 4952 3a20 2243 3a2f  OPENSSLDIR: "C:/
 001f5910: 5072 6f67 7261 6d20 4669 6c65 732f 436f  Program Files/Co
 001f5920: 6d6d 6f6e 2046 696c 6573 2f53 534c 2200  mmon Files/SSL".
 001f5930: 454e 4749 4e45 5344 4952 3a20 2243 3a2f  ENGINESDIR: "C:/
 001f5940: 5072 6f67 7261 6d20 4669 6c65 732f 4f70  Program Files/Op
 001f5950: 656e 5353 4c2f 6c69 622f 656e 6769 6e65  enSSL/lib/engine
 001f5960: 732d 315f 3122 0000 6275 696c 7420 6f6e  s-1_1"..built on
 }}}
 and 32bit
 {{{
 001db520: 6777 0000 4f50 454e 5353 4c44 4952 3a20  gw..OPENSSLDIR:
 001db530: 2243 3a2f 5072 6f67 7261 6d20 4669 6c65  "C:/Program File
 001db540: 7320 2878 3836 292f 436f 6d6d 6f6e 2046  s (x86)/Common F
 001db550: 696c 6573 2f53 534c 2200 0000 454e 4749  iles/SSL"...ENGI
 001db560: 4e45 5344 4952 3a20 2243 3a2f 5072 6f67  NESDIR: "C:/Prog
 001db570: 7261 6d20 4669 6c65 7320 2878 3836 292f  ram Files (x86)/
 001db580: 4f70 656e 5353 4c2f 6c69 622f 656e 6769  OpenSSL/lib/engi
 001db590: 6e65 732d 315f 3122 0000 0000 ceb4 5d6b  nes-1_1"......]k
 }}}
 What's wrong with those paths? They should not be user-writable. I mean
 that's actually part of the OpenSSL fix for that CVE. If that's wrong it
 seems to me a bug against OpenSSL should get filed.

 > If you read the wiki above, you would know that you should use a "rule
 of thumb" and set `--prefix/--openssldir` properly. But assuming that the
 Tor Browser's directory is still user-writable in most installations :(,
 what paths should be used as safe? `C:\Windows` (or even `%WINDIR%`, if
 supported?) or some path in it? What is the consensus here?

 Yes, the Tor Browser directory user-writable is not the issue here,
 though. It's that OPENSSLDIR/ENGINEDIR were user-writable. Are you
 claiming `C:\Program Files` and `C:\Program Files (x86)` are user-
 writable? If not, then why is the issue not fixed?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs