Your message dated Sat, 05 Mar 2016 17:20:20 +0000
with message-id <[email protected]>
and subject line Bug#811499: fixed in torbrowser-launcher 0.2.3-1
has caused the Debian Bug report #811499,
regarding torbrowser-launcher: certificate will expire soon: May 2016
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
811499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=811499
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: torbrowser-launcher
Version: 0.0.7-1
Severity: grave
Tags: security
Justification: user security hole
Hi.
This is basically a follow up from the lengthy discussion at
debian-devel:
https://lists.debian.org/debian-devel/2014/06/msg00171.html
(somewhere deeper in the thread).
Admittedly I didn't read through the whole code of torbrowser-launcher.
Some of the issues below might be mitigated when e.g. no locally
downloaded browser would ever be started when the launcher couldn't connect
online to check for new versions... but that would mitigate the
downgrade attacks described below ONLY if connections to the server are
only made via SSL/TLS and if that doesn't allow replaying.
Given that TLS/SSL is very... uhm.. fragile... I wouldn't trust this.
And one would need to check specifically for an X.509 cert that is known
to belong to Tor,... checking for just some CA would still allow attacks.
Anyway... the problem described below, that any Tor upstream developer
whose key is accepted by that launcher can introduce any code in a Debian
system, is imho already critical enough.
AFAICS, torbrowser-launcher uses the gnupg keys from upstream
to verify the downloaded executables.
As already pointed out in the aforementioned thread, this has
several critical security issues:
- anyone from these upstream people, whose key is included, and
who are not DDs, can in principle introduce any software they like
into the Debian system of any single user or all users.
This is especially problematic, since it allows selective attacks on
single users, which are not possible via the package management system
where it's guaranteed that all users will download the same binaries,
which in turn increases the chance that any backdoor/etc. is found.
- since it automatically determines the most recent version and downloads
it, it completely circumvents the package management system.
People won't notice via their usual means (aptitude, or other notifiers)
that there are newer versions (possibly fixing critical security issues)
unless they run the torbrowser-launcher again?
(or is it always run via that?)
- another really big problem is blocking/downgrade attacks.
AFAICS from a short glance, there is no (cryptographically secured) check
as to whether the information from the server (i.e. the currently most
recent version) is really current, i.e. a "valid from-through information".
This should allow attackers very easily to perform replay/downgrade attacks
tricking people into downloading old versions with already known security
issues.
Since these are signed with valid keys (but AFAICS with no valid from/through
information) the downloader will just happily accept them.
I'm not sure, but I guess it doesn't help if you download things via https.
Another issue are blocking attacks... when no connection can be made at all
to the tor download servers, will it start the currently downloaded version
of the bundle or will it simply fail? In case it doesn't fail, it could
again be used to trick people into using software with known security
deficiencies.
Such "downloader packages" are quite dangerous per se,... as it's very
tricky to really securely do it.
Usually the best way is to hard code a secure hash (i.e. not MD5) of
the upstream package which is currently considered secure... every time
a new upstream version comes out, a new downloader package should come
out as well with a new hash,...so that people regularly (via the package
management system) notice about [security] updates.
Cheers,
Chris.
btw:
Apart from that... I've always wondered how secure something like
torbrowser bundle can be... per se, they will always lag a bit behind
FF with security updates,... and FF in turn already has enough security
issues.
btw2: Since torbrowser-launcher is probably usually launched as
normal user, I marked this as "user security hole" only.
But given that torbrowser-launcher will typically be run on
desktops/notebooks... successfully attacking that user is usually
equivalent to root exploit (the attacker could simply wait for
the user to sudo/su to root and keylog his password).
So actually severity is IMHO critical.
--- End Message ---
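The report above argues that a valid upstream signature alone lets an attacker replay an old, signed release, and proposes a hard-coded hash or version floor plus a validity window as the defence. The following is an added illustration of that decision logic, not torbrowser-launcher's own code; the minimum version, validity date, bundle bytes and hashes are constructed sample values, and the OpenPGP signature check is assumed to be done elsewhere and passed in as a flag.

```python
import hashlib
from datetime import datetime, timezone

# Hard-coded version floor shipped with the package, in the spirit of the 0.2.3 fix.
# The value is constructed for this example, not a real release number.
MIN_VERSION = "5.5.3"

def parse_version(v):
    """Numeric tuple so that '5.10.0' sorts above '5.5.3'; plain string
    comparison would call '5.10.0' the older one and wrongly reject it."""
    return tuple(int(p) for p in v.split("."))

def accept_release(meta, sig_valid, now, downloaded=None):
    """Decide whether a server-advertised release may be installed.
    meta: the signed version record {'version', 'sha256', 'valid_until'}.
    sig_valid: result of the (separate, assumed) OpenPGP signature check.
    Returns (accepted, reason)."""
    if not sig_valid:
        return False, "signature check failed"
    # Replay defence: signed metadata must carry a validity window and be inside it.
    try:
        valid_until = datetime.fromisoformat(meta["valid_until"])
    except (KeyError, ValueError):
        return False, "no validity period in signed metadata"
    if now > valid_until:
        return False, "signed metadata expired (possible replay)"
    # Downgrade defence: a valid signature on an old release is not enough.
    if parse_version(meta["version"]) < parse_version(MIN_VERSION):
        return False, "version %s below hard-coded minimum %s" % (meta["version"], MIN_VERSION)
    # Hash pinning: the bytes actually fetched must match what the signed record names.
    if downloaded is not None and hashlib.sha256(downloaded).hexdigest() != meta["sha256"]:
        return False, "download hash mismatch"
    return True, "ok"

# Constructed sample data standing in for a real bundle and its version record.
SAMPLE_BUNDLE = b"constructed stand-in for a Tor Browser tarball"
NOW = datetime(2016, 3, 5, 17, 0, tzinfo=timezone.utc)
SAMPLE_META = {
    "version": "5.5.3",
    "sha256": hashlib.sha256(SAMPLE_BUNDLE).hexdigest(),
    "valid_until": "2016-04-01T00:00:00+00:00",
}

if __name__ == "__main__":
    print(accept_release(SAMPLE_META, True, NOW, SAMPLE_BUNDLE))
    # A correctly signed but older release is refused by the version floor.
    print(accept_release(dict(SAMPLE_META, version="5.0.4"), True, NOW, SAMPLE_BUNDLE))
```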
--- Begin Message ---
Source: torbrowser-launcher
Source-Version: 0.2.3-1
We believe that the bug you reported is fixed in the latest version of
torbrowser-launcher, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated torbrowser-launcher
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 05 Mar 2016 16:23:04 +0100
Source: torbrowser-launcher
Binary: torbrowser-launcher
Architecture: source
Version: 0.2.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Description:
torbrowser-launcher - helps download and run the Tor Browser Bundle
Closes: 753173 796216 797337 797339 802013 811499
Changes:
torbrowser-launcher (0.2.3-1) unstable; urgency=medium
.
* New upstream version. Drop all debian/patches. Quoting from upstream
CHANGELOG.md:
- Removed certificate pinning to https://www.torproject.org to avoid issues
with upcoming certificate change, and hard-coded minimum Tor Browser
version in the release (Closes: #811499)
- Fix issue with detecting language (Closes: #753173)
- Make Tor SOCKS5 proxy configurable, for users not running on 9050
(Closes: #797339, #797337)
- Improved AppArmor profiles
- Added Russian translation
- Switched from xpm icons to png icons (Closes: #802013)
- Changed "Exit" button to "Cancel" button (Closes: #796216)
- New package description (inspired by #812664)
* debian/control:
- Bump standards version to 3.9.7, no changes needed.
- Use /git/ not /cgit/ in Vcs-* headers.
--- End Message ---