Your message dated Mon, 28 Mar 2016 10:17:07 +0000
with message-id <[email protected]>
and subject line Bug#811499: fixed in torbrowser-launcher 0.1.9-1+deb8u3
has caused the Debian Bug report #811499,
regarding torbrowser-launcher: certificate will expire soon: May 2016
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
811499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=811499
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: torbrowser-launcher
Version: 0.0.7-1
Severity: grave
Tags: security
Justification: user security hole


Hi.

This is basically a follow up from the lengthy discussion at 
debian-devel:
https://lists.debian.org/debian-devel/2014/06/msg00171.html
(somewhere deeper in the thread).

Admittedly I didn't read through the whole code of torbrowser-launcher.
Some of the issues below might be mitigated when e.g. no locally
downloaded browser would be ever started when the launcher couldn't connect
online to check for new versions... but that would mitigate the
downgrade attacks described below ONLY if connections to the server are
only made via SSL/TLS and if that doesn't allow replaying.
Given that TLS/SSL is very... uhm.. fragile... I wouldn't trust on this.
And one would need to check specifically for an X.509 cert that is known
to belong to Tor,... checking for just some CA would still allow attacks.

Anyway... the problem described below, that any Tor upstream developer
whose key is accepted by that launcher can introduce any code in a Debian
system, is imho already critical enough.


AFAICS, torbrowser-launcher uses the gnupg keys from upstream
to verify the downloaded executables.
As already pointed out in the aforementioned thread, this has
several critical security issues:

- anyone from these upstream people, whose key is included, and
who are not DDs, can in principle introduce any software they like
into the Debian system of any single user or all users.
This is especially problematic, since it allows selective attacks on
single users, which are not possible via the package management system
where it's guaranteed, that all users will download the same binaries,
which in turn increases the chance that any backdoor/etc. is found.

- since it automatically determines the most recent version and downloads
it, it completely circumvents the package management system.
People won't notice via their usual means (aptitude, or other notifiers)
that there are newer versions (possibly fixing critical security issues)
unless they run the torbrowser-launcher again?
(or is it always run via that?)

- another really big problem are blocking/downgrade attacks.
AFAICS from a short glance, there is no (cryptographically secured) check
as to whether the information from the server (i.e. the currently most
recent version) is really current, i.e. a "valid from-through information".
This should allow attackers very easily to perform replay/downgrade attacks
tricking people into downloading old versions with already known security
issues.
Since these are signed with valid keys (but AFAICS with no valid from/through
information) the downloader will just happily accept them.
I'm not sure, but I guess it doesn't help if you download things via https.
Another issue are blocking attacks... when no connection can be made at all
to the tor download servers, will it start the currently downloaded version
of the bundle or will it simply fail? In case it doesn't fail, it could
again be used to trick people into using software with known security
deficiencies.



Such "downloader packages" are quite dangerous per se,... as it's very
tricky to really securely do it.
Usually the best way is to hard code a secure hash (i.e. not MD5) of
the upstream package which is currently considered secure... every time
a new upstream version comes out, a new downloader package should come
out as well with a new hash,...so that people regularly (via the package
management system) notice about [security] updates.




Cheers,
Chris.


btw:
Apart from that... I've always wondered how secure something like
torbrowser bundle can be... per se, they will always lag a bit behind
FF with security updates,... and FF in turn already has enough security
issues.

btw2: Since torbrowser-launcher is probably usually launched as
normal user, I marked this as "user security hole" only.
But given that torbrowser-launcher will typically be run on
desktops/notebooks... successfully attacking that user is usually
equivalent to root exploit (the attacker could simply wait for
the user to sudo/su to root and keylog his password).
So actually severity is IMHO critical.

--- End Message ---
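As an added illustration of the mitigation Chris describes above (a hard-coded secure hash of the currently accepted upstream bundle, plus a hard-coded minimum version so that a validly signed but older release is refused even when the version server is unreachable), here is example code written for this page; it is not torbrowser-launcher's own code and uses a constructed sample tarball with a placeholder pin:

```python
import hashlib
import hmac
import re

# Constructed sample of the upstream tarball bytes; the pinned digest is what
# the downloader package would ship hard-coded (placeholder, not a real
# Tor Browser hash). Each new upstream release means a new package, new pin.
SAMPLE_TARBALL = b"constructed sample tarball contents"
PINNED_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()

# Minimum version the package accepts (assumed value); a validly signed but
# older release, whether replayed from the server or cached locally, is refused.
MIN_VERSION = "5.5.4"

_PART = re.compile(r"^(\d+)(?:([a-z]+)(\d*))?$")


def version_key(version):
    """Map '5.5.4' or '6.0a4' to a comparable tuple. A final release sorts
    above its alpha/beta builds at the same number ('6.0' > '6.0a4')."""
    key = []
    for part in version.split("."):
        m = _PART.match(part)
        if not m:
            raise ValueError("unparseable version: %r" % version)
        num, tag, tagnum = m.groups()
        # final component -> (n, 1); pre-release component -> (n, 0, tag, k)
        key.append((int(num), 1) if tag is None
                   else (int(num), 0, tag, int(tagnum or 0)))
    return tuple(key)


def version_acceptable(version):
    """True only if the version is not older than the hard-coded minimum;
    used both for fresh downloads and for a cached bundle when the version
    server cannot be reached, so blocking the connection buys an attacker nothing."""
    return version_key(version) >= version_key(MIN_VERSION)


def verify_download(data, version):
    """Accept a downloaded bundle only if it passes the minimum-version check
    and its SHA-256 matches the pinned digest. Returns (ok, reason)."""
    if not version_acceptable(version):
        return False, "downgrade: %s is older than minimum %s" % (version, MIN_VERSION)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, PINNED_SHA256):
        return False, "sha256 mismatch: bundle is not the pinned release"
    return True, "ok"
```

A real package would refresh MIN_VERSION and PINNED_SHA256 with every upstream release, which is exactly what makes the update visible through apt rather than only inside the launcher.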
--- Begin Message ---
Source: torbrowser-launcher
Source-Version: 0.1.9-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
torbrowser-launcher, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated torbrowser-launcher package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 28 Mar 2016 01:33:03 -0400
Source: torbrowser-launcher
Binary: torbrowser-launcher
Architecture: source amd64
Version: 0.1.9-1+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Anonymity Tools Debian Maintainers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Description:
 torbrowser-launcher - helps download, update and run the Tor Browser Bundle
Closes: 753173 811499
Changes:
 torbrowser-launcher (0.1.9-1+deb8u3) jessie; urgency=medium
 .
   * Add these patches backported from 0.2.3-1 and 0.2.4-1:
     - 0011-Fix-issue-with-detecting-language-fixes-220.patch
       to fix issue with detecting language (Closes: #753173)
     - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
     - 0012a-Remove-certificate-pinning--github-issue-224.patch
       to avoid issues with upcoming certificate change, thus the minimum
       Tor Browser version was hard-coded in the release (Closes: #811499)
       For more info on patch 0012 and 0012a see
       https://github.com/micahflee/torbrowser-launcher/issues/229
     - 0013-Prevent-signature-verification-attack-by-passing-bot.patch
       fixing CVE-2016-3180, for more info see
       https://github.com/micahflee/torbrowser-launcher/issues/229
     - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
       This is an improvement for patch 0012.
     - 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to 0.1.9+deb8u3
       in share/torbrowser-launcher/version.


--- End Message ---
