Re: [tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
#31383: OpenSSL CVE-2019-1552
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: reopened
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by cypherpunks):
* status: closed => reopened
* resolution: fixed =>
Comment:
No, it's not fixed. `Program Files (x86)` looks even like the same hole
for 32-bit Windows. Fixing compilation doesn't mean fixing a CVE. Anyway,
that's for the default fallback only.

Your scenario is different, because you ship OpenSSL with a portable
application, which is known as an app-local installation. That's why you
are not allowed to use the default paths of system-wide OpenSSL. You have
been warned about that in ticket:23396#comment:14, but still can't realize
what it means, it seems :(

If you read the wiki above, you would know that you should use a "rule of
thumb" and set `--prefix/--openssldir` properly. But assuming that the Tor
Browser's directory is still user-writable in most installations :(, what
paths should be used as safe? `C:\Windows` (or even `%WINDIR%`, if
supported?) or some path in it? What is the consensus here?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
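
A defender-side check for the concern raised in this comment, added here as an example (not code from the ticket, Tor Browser or OpenSSL): it reads the `OPENSSLDIR`/`ENGINESDIR` lines that `openssl version -a` prints and probes whether the user running it could create or populate those directories. The sample output, its paths and all function names are constructed for illustration; run it as a standard user on the host that ships the library.

```python
import os
import re
import tempfile

# Constructed sample of `openssl version -a` output (paths are illustrative).
SAMPLE = '''OpenSSL X.Y.Z  (constructed sample)
platform: mingw
OPENSSLDIR: "C:/usr/local/ssl"
ENGINESDIR: "C:/usr/local/lib/engines-1_1"
'''

def compiled_dirs(version_output):
    """Extract the compiled-in directories from `openssl version -a` output."""
    pattern = r'^(OPENSSLDIR|ENGINESDIR): "(.*)"\s*$'
    return dict(re.findall(pattern, version_output, re.MULTILINE))

def nearest_existing(path):
    """Walk up from path to the first directory that exists, or None."""
    path = os.path.abspath(path)
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:          # reached the root without finding one
            return None
        path = parent
    return path

def user_can_populate(path):
    """True if the current user can create `path` or add a file inside it."""
    base = nearest_existing(path)
    if base is None:
        return False
    try:
        if base == os.path.abspath(path):   # directory exists: try a file
            tempfile.TemporaryFile(dir=base).close()
        else:                               # missing: try creating a folder
            os.rmdir(tempfile.mkdtemp(prefix="openssldir-probe-", dir=base))
        return True
    except OSError:
        return False

def audit(version_output):
    """Map each compiled-in directory to (path, populatable by this user)."""
    return {name: (path, user_can_populate(path))
            for name, path in compiled_dirs(version_output).items()}

if __name__ == "__main__":
    for name, (path, risky) in audit(SAMPLE).items():
        print(f"{name}={path} populatable_by_current_user={risky}")
```

The probe creates and immediately removes an empty entry, so the answer reflects the effective filesystem permissions instead of a guess from the path name.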