Re: [tor-bugs] #20772 [Applications/Tor Browser]: src="data:< ; base64 images rendered when "Show images"="Blocked"

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#20772: src="data:<;base64 images rendered when "Show images"="Blocked"
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by cypherpunks):

 * priority:  Medium => High
 * severity:  Normal => Major


Comment:

 Active SVG exploits targetting TBB in the wild;
 https://blog.torproject.org/blog/tor-browser-607-released#comment-223692
 Having an option to disable the image parser would allow mitigating future
 image bugs during the time between discovery and the time it's patched and
 users download the new version.

 This applies to TBB proper, not just the exceptionally understaffed
 derivatives (eg https://dev.guardianproject.info/issues/8039).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20772#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs