[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #22595 [Applications/Tor Browser]: Timestamps in tor-browser tar file are set to a fixed value

Subject: [tor-bugs] #22595 [Applications/Tor Browser]: Timestamps in tor-browser tar file are set to a fixed value
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 13 Jun 2017 15:44:42 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 13 Jun 2017 11:44:57 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#22595: Timestamps in tor-browser tar file are set to a fixed value
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 In the tor-browser tar files, every file's modification time is set to the
 same value (Jan 1, 2000).

 As a result, tools such as rsync that look at modification times to
 determine whether two files differ will fail in strange ways.

 For example, after running the following commands:

     mkdir tb1 tb2
     tar -xJf tor-browser-linux64-6.5.2_en-US.tar.xz -C tb1
     tar -xJf tor-browser-linux64-7.0_en-US.tar.xz -C tb2
     rsync -a --delete tb2/ tb1/

 a reasonable user would expect that 'tb1' would contain a working copy of
 Tor Browser. However, several files would be out of date:

     tor-browser_en-US/Browser/application.ini
     tor-browser_en-US/Browser/browser/blocklist.xml
     tor-browser_en-US/Browser/liblgpllibs.so
     tor-browser_en-US/Browser/libnssdbm3.so
     tor-browser_en-US/Browser/libplds4.so
     tor-browser_en-US/Browser/libsmime3.so
     tor-browser_en-US/Browser/platform.ini
     tor-browser_en-US/Browser/TorBrowser/Docs/sources/bundle.inputs

 with potentially disastrous consequences. (I have no idea whether any of
 the above constitute a security issue in this instance.)

 I presume that the timestamps are set to a fixed value in order to make
 the tar files more easily reproducible. However, there are many ways to do
 that without creating new security problems:

 - set each timestamp to a hash of the file contents

 - set every timestamp to a fixed value derived from the Tor Browser
 version number

 - set every timestamp to the date of the most recent commit in some
 particular git repository

 ... basically, anything other than setting every timestamp to exactly the
 same value for every release.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22595>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #22595 [Applications/Tor Browser]: Timestamps in tor-browser tar file are set to a fixed value
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #22595 [Applications/Tor Browser]: Timestamps in tor-browser tar file are set to a fixed value
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #16364 [Applications/Tor Browser]: Add an option to resize the browser window to the "safe default"
Next by Author: Re: [tor-bugs] #22343 [Applications/Tor Browser]: Save as... in the context menu results in using the catch-all circuit
Previous by thread: Re: [tor-bugs] #22594 [Metrics/Onionoo]: Escape characters in contact lines break hourly updater
Next by thread: Re: [tor-bugs] #22595 [Applications/Tor Browser]: Timestamps in tor-browser tar file are set to a fixed value
Index(es):
- Author
- Thread