Re: [tor-bugs] #17931 [Tor Browser]: Tor Browser Hardened Crash
#17931: Tor Browser Hardened Crash
-------------------------------------------------+-------------------------
 Reporter:  pege                                 |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_revision
 Priority:  Immediate                            |      Milestone:
Component:  Tor Browser                          |        Version:
 Severity:  Blocker                              |     Resolution:
 Keywords:  tbb-hardened, tbb-crash,             |  Actual Points:
  TorBrowserTeam201512R                          |
Parent ID:                                       |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------
Changes (by mikeperry):
* status: needs_review => needs_revision
Comment:
The core problem here is that LogMessageToConsole() is dangerous,
undocumented, and borderline deceptive. We should absolutely patch this
function to change LogMessageToConsole() to accept only a single
non-format argument, to guard against future vulnerabilities coming down
from Mozilla or even by new TBB devs in the far future. In fact, it is
already misused in Mozilla's own sandboxing code in
./security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h.
If a sandbox violation is able to force a log message there that has a
format string, this could also lead to sandbox breakout from the e10s
sandbox. We might even be able to claim Mozilla's bug bounty for this.
Regardless, a Mozilla bug should be filed.
I hear rumors of an NSS bugfix coming out tomorrow. If that bug affects
the NSS in ESR, we should wait to pick that up. Otherwise, we should make
a release with a fix for this ASAP.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17931#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
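
The hardening proposed in the comment above (a logger that accepts only a single non-format argument), as an added example that is not part of the original message and is not Mozilla's or Tor Browser's code. The function names and the sample string are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger names; this is not Mozilla's or Tor Browser's code. */

/* Risky shape: the string parameter is a printf format, so a caller that
 * forwards externally influenced text lets that text choose the directives. */
static int log_as_format(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened shape: one non-format argument. The format is a constant inside
 * the logger, so the message is always treated as data. */
static int log_plain(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, "%s", msg ? msg : "(null)");
}

/* Constructed sample: "%%" is a harmless directive, used here only to show
 * whether the logger interprets the message or copies it. */
static const char SAMPLE[] = "policy blocked 100%% of calls";

/* Returns 1 if the chosen logger altered SAMPLE, 0 if it came through intact. */
static int message_was_interpreted(int use_format_logger)
{
    char buf[128];
    if (use_format_logger)
        log_as_format(buf, sizeof buf, SAMPLE);
    else
        log_plain(buf, sizeof buf, SAMPLE);
    return strcmp(buf, SAMPLE) != 0;
}

int main(void)
{
    printf("format logger interpreted message: %d\n", message_was_interpreted(1));
    printf("plain logger interpreted message:  %d\n", message_was_interpreted(0));
    return 0;
}
```

With the single-argument shape, a call site cannot introduce a format-string bug no matter where its message comes from, which is the property the comment asks for.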