Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum:
> On 8/7/15, Georg Koppen g...@torproject.org wrote:
>> Jacob Appelbaum:
>>> On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
>>>> Hello,
>>>> I disagree with your analysis; while the Apparmor profile (♥) will prevent tragic things like gpg key stealing, please keep in mind that an attacker can access every Firefox file, like cookies (stealing sessions), stored passwords, changing preferences (remember http://net.ipcalf.com/ ?), executing code inside the browser, …
>>>
>>> I believe that the newest Tor Browser alpha will provide a fix. I hope Mike will chime in here...
>>
>> I don't know what kind of fix you have in mind. All we'll provide is an update to ESR 38.2.0. We are basically about to tag the things and start building. ETA for the alpha is probably Tuesday.
>
> Ah ha - great. Thank you for chiming in!
>
> The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox 31.8.0) - so the new alpha won't change anything and the current browser shouldn't be impacted by it. Did I understand that correctly?

The stable Tor Browser, which Tails is using, should not be affected, correct. The upcoming alpha fixes the problem for our current alpha, 5.0a4, which is already based on ESR 38.

Georg

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] RFC: Phrasing for warning users when running in a non-free VM
Sure, sorry about that. My brain read that as tails-dev..

On Fri, Aug 7, 2015 at 4:23 PM, intrigeri intrig...@boum.org wrote:
> Hi,
>
> thanks a lot for caring about UX and phrasing!
>
> Now, as said on https://labs.riseup.net/code/issues/5315#note-23, this RFC should rather go to tails...@boum.org. That's where our UX folks discuss, and most of them do not read tails-dev@.
>
> May you please resend it there?
>
> Cheers,
> --
> intrigeri

--
-Austin

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
> By the exploit, as I understood things? I could be mistaken and probably am mistaken. I've heard that the vulnerable code is in FF31 - I haven't looked myself yet.

https://access.redhat.com/articles/1563163

Considering all Red Hat products that use the Mozilla Firefox browser are affected by this issue, all the way to red hat 5, it might be possible that FF31 be vulnerable to the exploit.

Looks like CVE-2015-4495 can be mitigated by disabling PDF.js so it's probably a good idea to go ahead and do that:

PDF.js can be disabled as follows:

1. Type about:config in the Firefox address bar
2. Search for the pdfjs.disabled entry
3. Set the pdfjs.disabled entry to True

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, intrigeri intrig...@boum.org wrote:
> Hi,
>
> that is:
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
> https://security-tracker.debian.org/tracker/CVE-2015-4495
>
> ... apparently only affect Firefox 38.x, so current Tails stable (1.4.1) is not affected.
>
> Most likely Tails 1.5~rc1 is affected, but our AppArmor policy should mitigate the worst possible consequences, so I doubt it's worth adding to the RC announce's known issues section.
>
> If anyone has more insight or disagrees, let me know.

I've heard that the exploit in the wild doesn't work against esr31 - I haven't heard that it isn't impacted at all.

The bad news is that it isn't fixed in esr31 - so while they have fixes in for ff38 - it isn't because that was the only problematic version. :-(

( I think the apparmor profile may contain some of the worst aspects but only until an attacker figures out how to make a hard link. That is not a super high bar for code execution but will at least stop random files from being included without a multi-bug payload. )

All the best,
Jacob

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On Fri, Aug 07, 2015 at 01:48:10PM +, Georg Koppen wrote:
> Jacob Appelbaum:
>> The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox 31.8.0) - so the new alpha won't change anything and the current browser shouldn't be impacted by it. Did I understand that correctly?
>
> The stable Tor Browser, which Tails is using, should not be affected, correct. The upcoming alpha fixes the problem for our current alpha, 5.0a4, which is already based on ESR 38.

Note that Tails 1.5~rc1 includes version 5.0a4-build3 of the Tor Browser.

[Tails-dev] RFC: Phrasing for warning users when running in a non-free VM
Howdy all,

I've attached a patch to issue 5315 [1] to warn users when running in a non-free VM (VMWare/Oracle/etc.) I'd like to seek comments on the actual text of the warning.

My draft patch has:

    Both the host operating system and the virtualization software are able to monitor what you are doing in Tails. Additionally, non-free virtualization software cannot be independently audited or inspected for defects.

For reference, free (speech) VM users will receive the same warning as they do now, which is:

    Both the host operating system and the virtualization software are able to monitor what you are doing in Tails.

[1] https://labs.riseup.net/code/issues/5315

Thanks,
Austin

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
kytv wrote (07 Aug 2015 14:13:19 GMT) :
> Note that Tails 1.5~rc1 includes version 5.0a4-build3 of the Tor Browser.

Anyone up to propose a patch to the call for testing, that warns users about it, please let me know (before I start working on it, likely tomorrow — let's avoid duplicating work). I would appreciate such help a lot.

Cheers,
--
intrigeri

Re: [Tails-dev] RFC: Phrasing for warning users when running in a non-free VM
Hi,

thanks a lot for caring about UX and phrasing!

Now, as said on https://labs.riseup.net/code/issues/5315#note-23, this RFC should rather go to tails...@boum.org. That's where our UX folks discuss, and most of them do not read tails-dev@.

May you please resend it there?

Cheers,
--
intrigeri

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, intrigeri intrig...@boum.org wrote:
> Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
>> I've heard that the exploit in the wild doesn't work against esr31 - I haven't heard that it isn't impacted at all.
>
> Mozilla folks have explicitly written on their enterprise list that FF31 is not affected.

By the exploit, as I understood things? I could be mistaken and probably am mistaken. I've heard that the vulnerable code is in FF31 - I haven't looked myself yet.

>> ( I think the apparmor profile may contain some of the worst aspects but only until an attacker figures out how to make a hard link.
>
> May you please elaborate on the hardlink aspect? It rings a bell, but I don't remember the specifics.

If you hard link a file say, /home/amnesia/.gnupg/secring.gpg into ~/Tor Browser/secring.gpg - you can read it with Tor Browser. AppArmor uses file paths to constrain things. That second file path is allowed by the sandbox, even though the file is also outside of that path, AppArmor has no clue.

You can test this by doing the following:

    mkdir ~/OUTOFSANDBOX/
    touch ~/OUTOFSANDBOX/apparmor.txt
    echo out of sandbox > ~/OUTOFSANDBOX/apparmor.txt
    ln ~/OUTOFSANDBOX/apparmor.txt ~/Tor\ Browser/apparmor.txt

If you then want to read that ( ~/Tor\ Browser/apparmor.txt ) file with Tor Browser - it will work.

Reading the policy for Tor Browser on Tails 1.4.1 - I see the following relevant entries:

    owner @{HOME}/Tor Browser/ rw,
    owner @{HOME}/Tor Browser/** rwk,
    owner @{HOME}/Persistent/Tor Browser/ rw,
    owner @{HOME}/Persistent/Tor Browser/** rwk,
    owner /live/persistence/TailsData_unlocked/Persistent/Tor Browser/ rw,
    owner /live/persistence/TailsData_unlocked/Persistent/Tor Browser/** rwk,
    owner @{HOME}/.mozilla/firefox/bookmarks/places.sqlite rwk,
    owner /live/persistence/TailsData_unlocked/bookmarks/places.sqlite rwk,
    owner @{HOME}/.tor-browser/profile.default/ r,
    owner @{HOME}/.tor-browser/profile.default/** rwk,

Note that none of those include the flag l - which is what is required to make a hard link. That was why I said until an attacker figures out how to make a hard link; if such a hardlink were made, they'd be able to read the contents of the linked file.

That is all that I meant with my comment. AppArmor is useful but has some rough edges.

All the best,
Jacob

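A defender's check for the point made in the message above, as an added example that is not part of the original thread: it parses rule lines in the format quoted from the Tails 1.4.1 policy to see whether any grant the l (link) permission, and scans a directory for regular files whose inode has more than one name. The function names and the temporary-directory layout are assumptions made for illustration, and the parser handles only simple file rules of the form quoted.

```python
import os
import re
import stat
import tempfile

# Rule lines copied from the Tails 1.4.1 policy quoted in the message above.
QUOTED_RULES = """\
owner @{HOME}/Tor Browser/ rw,
owner @{HOME}/Tor Browser/** rwk,
owner @{HOME}/.tor-browser/profile.default/** rwk,
"""
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(?P<path>\S.*?)\s+(?P<perms>[a-z]+),\s*$")

def rules_granting_link(profile_text):
    """Paths of file rules whose permission string includes 'l' (link)."""
    hits = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m and "l" in m.group("perms"):
            hits.append(m.group("path"))
    return hits

def multiply_linked_files(root):
    """Regular files under root whose inode has more than one name."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                hits.append((path, st.st_ino, st.st_nlink))
    return sorted(hits)

def demo():
    """Constructed layout mirroring the thread's test, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "OUTOFSANDBOX")
        allowed = os.path.join(tmp, "Tor Browser")
        os.mkdir(outside)
        os.mkdir(allowed)
        for path, text in ((os.path.join(outside, "apparmor.txt"), "out of sandbox\n"),
                           (os.path.join(allowed, "ordinary.txt"), "plain file\n")):
            with open(path, "w") as fh:
                fh.write(text)
        os.link(os.path.join(outside, "apparmor.txt"),
                os.path.join(allowed, "apparmor.txt"))
        return [(os.path.basename(p), n) for p, _ino, n in multiply_linked_files(allowed)]

if __name__ == "__main__":
    print("rules granting link:", rules_granting_link(QUOTED_RULES))
    print("multiply linked files:", demo())
```

A link count above one only says that another name for the same inode exists somewhere on the filesystem; finding that other name needs a search by inode number.
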
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Hello,

I disagree with your analysis; while the Apparmor profile (♥) will prevent tragic things like gpg key stealing, please keep in mind that an attacker can access every Firefox file, like cookies (stealing sessions), stored passwords, changing preferences (remember http://net.ipcalf.com/ ?), executing code inside the browser, …

This seems pretty serious to me, since people expect the web-browser to be reasonably trustworthy.

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
> Hello,
> I disagree with your analysis; while the Apparmor profile (♥) will prevent tragic things like gpg key stealing, please keep in mind that an attacker can access every Firefox file, like cookies (stealing sessions), stored passwords, changing preferences (remember http://net.ipcalf.com/ ?), executing code inside the browser, …

I believe that the newest Tor Browser alpha will provide a fix. I hope Mike will chime in here...

> This seems pretty serious to me, since people expect the web-browser to be reasonably trustworthy.

Agreed.

All the best,
Jacob

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum:
> On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
>> Hello,
>> I disagree with your analysis; while the Apparmor profile (♥) will prevent tragic things like gpg key stealing, please keep in mind that an attacker can access every Firefox file, like cookies (stealing sessions), stored passwords, changing preferences (remember http://net.ipcalf.com/ ?), executing code inside the browser, …
>
> I believe that the newest Tor Browser alpha will provide a fix. I hope Mike will chime in here...

I don't know what kind of fix you have in mind. All we'll provide is an update to ESR 38.2.0. We are basically about to tag the things and start building. ETA for the alpha is probably Tuesday.

That said Mozilla's reasoning for not doing a chemspill for ESR 31 was "we determined that the vulnerability isn't present in the current 31 ESR." That's a quote from Liz Henry, the Firefox release manager.

Georg

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, Georg Koppen g...@torproject.org wrote:
> Jacob Appelbaum:
>> On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
>>> Hello,
>>> I disagree with your analysis; while the Apparmor profile (♥) will prevent tragic things like gpg key stealing, please keep in mind that an attacker can access every Firefox file, like cookies (stealing sessions), stored passwords, changing preferences (remember http://net.ipcalf.com/ ?), executing code inside the browser, …
>>
>> I believe that the newest Tor Browser alpha will provide a fix. I hope Mike will chime in here...
>
> I don't know what kind of fix you have in mind. All we'll provide is an update to ESR 38.2.0. We are basically about to tag the things and start building. ETA for the alpha is probably Tuesday.

Ah ha - great. Thank you for chiming in!

The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox 31.8.0) - so the new alpha won't change anything and the current browser shouldn't be impacted by it. Did I understand that correctly?

> That said Mozilla's reasoning for not doing a chemspill for ESR 31 was "we determined that the vulnerability isn't present in the current 31 ESR."

Hey - that's great news - thanks for clearing that up!

> That's a quote from Liz Henry, the Firefox release manager.

Perfect - thank you!

All the best,
Jacob

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
> I've heard that the exploit in the wild doesn't work against esr31 - I haven't heard that it isn't impacted at all.

Mozilla folks have explicitly written on their enterprise list that FF31 is not affected.

> ( I think the apparmor profile may contain some of the worst aspects but only until an attacker figures out how to make a hard link.

May you please elaborate on the hardlink aspect? It rings a bell, but I don't remember the specifics.

Cheers,
--
intrigeri

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On Sat, 08 Aug 2015, Romeo Papa wrote:
> On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
>> By the exploit, as I understood things? I could be mistaken and probably am mistaken. I've heard that the vulnerable code is in FF31 - I haven't looked myself yet.
>
> https://access.redhat.com/articles/1563163
>
> Considering all Red Hat products that use the Mozilla Firefox browser are affected by this issue, all the way to red hat 5, it might be possible that FF31 be vulnerable to the exploit.

I think RHEL 5 uses FF38. At least Centos 5 has it: http://mirror.centos.org/centos/5/updates/x86_64/RPMS/

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
After reading further, I've found the debian page saying only 38.1.0esr-3 is vulnerable (https://security-tracker.debian.org/tracker/CVE-2015-4495).

But I've also found the origins of the vulnerability from the commits for Firefox 39.0.3, it is from the pdf.js and after tracking the history I believe the bug might have been present since possibly 2 years if not more.

https://github.com/mozilla/pdf.js/commit/4f3f983a214867011dda8c5597a4d3523c5f1423

PS: Sorry about all the messages I'm apparently sending while writing up the message I need to see what's happening...

Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 08/07/2015 02:13 PM, Georg Koppen wrote:
> "we determined that the vulnerability isn't present in the current 31 ESR."
>
> That's a quote from Liz Henry, the Firefox release manager.
>
> Georg

FYI, here's the quote's source: https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33