Re: [tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by boklm):
Replying to [comment:15 cypherpunks]:
> > Hardcoding any path (like suggested with C:\Windows or a path below it
> > in comment:6) like e.g. the curl devs did does not do the trick according
> > to your line of reasoning.
> How to teach OpenSSL to dance? Make it compatible with app-local
> installation, no?
> For Tor Browser, the best option is to disable everything related to
> those paths as it doesn't use them. But you can change them to
> `C:\Windows\Tor Browser` as a so-so workaround.
Reading
https://daniel.haxx.se/blog/2019/06/24/openssl-engine-code-injection-in-curl/
it seems that the issue can happen when a program loads
the openssl configuration file from the default path, which is done with
the openssl function `CONF_modules_load_file`. However we don't call this
function in tor, so it doesn't look like we are vulnerable to this issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online