
Re: [tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?



#12642: Can Network Attacker Downgrade Dependency Install Security?
---------------------------+---------------------
     Reporter:  earthrise  |      Owner:  hellais
         Type:  defect     |     Status:  new
     Priority:  normal     |  Milestone:
    Component:  Ooni       |    Version:
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+---------------------

Comment (by hellais):

 The user must make sure that the pip command does not return any errors.
 Failing to do so can lead to a compromise.

 If you are using that procedure in a script you should check for the
 return code of `pip`. If the return code is != 0 then it should hard fail
 and not continue to the python setup.py step.

 Is there something that should be done to address this issue? Should the
 documentation for the README.md of ooni-backend be more clear?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
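
The hard-fail check on pip's return code described in the comment above, as an added example that is not part of the original message or of ooni-backend. The concrete commands (`pip install -r requirements.txt`, `python setup.py install`) and the names `PIP_CMD`, `SETUP_CMD` and `install_backend` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from ooni-backend. The concrete commands
# (pip install -r requirements.txt, python setup.py install) and the names
# PIP_CMD, SETUP_CMD and install_backend are assumptions for illustration.

PIP_CMD="${PIP_CMD:-pip}"
SETUP_CMD="${SETUP_CMD:-python setup.py install}"

# install_backend [requirements-file] [log-file]
# Runs the pip step, then the setup.py step only if pip exited with 0.
install_backend() {
    reqs="${1:-requirements.txt}"
    log="${2:-pip-install.log}"
    pip_rc=0

    # Redirect to a log rather than piping through tee: by default a pipeline
    # reports the exit status of its last command, which would hide a pip failure.
    # "|| pip_rc=$?" captures the status even when the caller uses "set -e".
    $PIP_CMD install -r "$reqs" >"$log" 2>&1 || pip_rc=$?

    if [ "$pip_rc" -ne 0 ]; then
        echo "pip exited with status $pip_rc; not running setup.py (see $log)" >&2
        return "$pip_rc"
    fi

    $SETUP_CMD
}

# Run the install only when invoked as: sh install.sh run
if [ "${1:-}" = "run" ]; then
    install_backend || exit $?
fi
```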