[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #30957 [Applications/Tor Browser]: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #30957 [Applications/Tor Browser]: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 07 Sep 2019 08:38:59 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 Sep 2019 04:42:10 -0400
In-reply-to: <047.a94210cec81395c7175c077d6da5c7dc@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.a94210cec81395c7175c077d6da5c7dc@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#30957: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
--------------------------------------+-----------------------------------
 Reporter:  torlove                   |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by torlove):

 Thanks cypherpunks,

 At what point is it parsed, would it be parsed by the Firefox (and by
 extension the Tor Browser) and so therefore cause a vulnerability in the
 browser. Is there a method of parsing a '.asc' file without introducing a
 '.asc' vulnerabilty?

 If this is an issue then it needs to be solved upstream as a matter of
 some urgency, yes?

 Using a '.asc' file is supposed to be far more secure that a non ascii-
 armoured file, because the character space is far more limited, and thus
 we should be able to ensure that remote code cannot be delivered and
 excuted. I'm not an expert in this field and how to specifically deal with
 buffer overruns and such, but surely, any and all file type downloads need
 to account for this vulnerability, not just text files (or in this
 specific case, '.asc' files).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30957#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #31614 [Core Tor/Tor]: Implement clean_up_backtrace_handler()
Next by Author: Re: [tor-bugs] #30321 [Applications/Tor Browser]: Adapt Linux toolchain for Firefox 68 ESR
Previous by thread: Re: [tor-bugs] #30965 [Webpages/Website]: Tor Browser is now on F-Droid so remove the "s00n" (soon) from button and make it clickable
Next by thread: Re: [tor-bugs] #30957 [Applications/Tor Browser]: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
Index(es):
- Author
- Thread