Re: [tor-bugs] #28332 [Core Tor/Nyx]: Nyx configuration editor reproducibly crashes if custom ordering is set
#28332: Nyx configuration editor reproducibly crashes if custom ordering is set
--------------------------+------------------------------
Reporter: wagon | Owner: atagar
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Core Tor/Nyx | Version: Tor: 0.3.4.9
Severity: Normal | Resolution: duplicate
Keywords: config | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+------------------------------
Comment (by atagar):
> So, I can install on my system any trojan, run it, and later verify that
> this trojan was OK? No, it doesn't work this way.
Ummm... no. It doesn't.
```
moirai:~% cd /tmp
moirai:/tmp% git clone https://git.torproject.org/nyx.git
Cloning into 'nyx'...
remote: Counting objects: 13147, done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 13147 (delta 17), reused 0 (delta 0)
Receiving objects: 100% (13147/13147), 10.73 MiB | 2.10 MiB/s, done.
Resolving deltas: 100% (10090/10090), done.
Checking connectivity... done.
moirai:/tmp% cd nyx
moirai:/tmp/nyx% git rev-parse HEAD
d3dd23cec8cab7eea4969d0c462a2e1abfa5b19d
[ ok, the cryptographic signature is correct ]
moirai:/tmp/nyx% ./run_nyx --help
```
There's no need to install, and if you have the HEAD signature that can be
used for verification just the same as a gpg signed tarball. It provides
the same thing. The only thing you *can't* safely trust is this message
from me that's providing you with the above signature. If a meanie snagged
my trac password, exploited the Tor git repository (to circumvent the
https), and MITM your connection you're completely right - someone could
do something nasty.
But this both requires the exploitation of multiple core Tor systems
(in which case honestly your system is the least of our worries) and it
wouldn't exploit root since nyx **does not need to be installed** to /usr.
Anywho, if you're still worried I can pgp sign this message later. I'm at
work at the moment so I don't have my keys handy but if you're really that
worried let me know.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28332#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
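
The check described in the comment above, written as a script (an added example, not part of the original message or of Nyx): `verify_checkout` is a hypothetical helper that compares HEAD with a full commit id obtained out of band, re-hashes the local object store, and confirms the files on disk are exactly that commit before anything is run.

```shell
#!/bin/sh
# Added example. verify_checkout is a hypothetical helper, not a Nyx or git command.
# Usage: verify_checkout /tmp/nyx <40-hex commit id from a trusted channel> \
#            && /tmp/nyx/run_nyx --help
# Returns 0 = verified, 1 = mismatch or tampering, 2 = bad input / not a repo.

verify_checkout() {
    repo=$1
    expected=$2

    # Insist on the full id: an abbreviated hash is much weaker as a pin.
    case $expected in
        *[!0-9a-f]*) echo "expected id is not lowercase hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "expected id must be 40 hex chars" >&2; return 2; }

    # Resolve HEAD to a commit id (fails if $repo is not a git repository).
    actual=$(git -C "$repo" rev-parse --verify 'HEAD^{commit}' 2>/dev/null) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "HEAD is $actual, expected $expected" >&2
        return 1
    fi

    # rev-parse only reads a ref. fsck re-hashes the stored objects, so
    # content that no longer matches its object name is caught here.
    if ! git -C "$repo" fsck --full >/dev/null 2>&1; then
        echo "object store fails fsck" >&2
        return 1
    fi

    # What gets executed is the working tree, not HEAD: reject modified,
    # untracked and ignored files (this includes files left by an earlier run).
    if [ -n "$(git -C "$repo" status --porcelain --ignored --untracked-files=all)" ]; then
        echo "working tree differs from HEAD" >&2
        return 1
    fi
    return 0
}
```

The pinned id is only as trustworthy as the channel it arrived on, which is the limit the comment itself points out.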