[tbb-bugs] #17895 [Tor Browser]: Tor Browser Bundle installer subject to DLL hijacking

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 18 20:35:20 UTC 2015


#17895: Tor Browser Bundle installer subject to DLL hijacking
-------------------------+--------------------------
 Reporter:  ericlaw      |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+--------------------------
Changes (by dcf):

 * owner:  erinn => tbb-team
 * version:  Tor: 0.2.7.6 =>
 * component:  Tor bundles/installation => Tor Browser


Comment:

 According to the blog post, we just need to update NSIS to version 2.49.

 It seems the DLL hijacking fix was actually in version 2.47 (released 08
 December 2015):

 http://sourceforge.net/projects/nsis/files/NSIS%202/2.47/RELEASE.html/view
  * LoadLibrary security hardening to prevent dll hijacking
 ([http://sf.net/p/nsis/bugs/1125 patch #1125])

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17895#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list