[tbb-bugs] #18782 [Tor Browser]: media tab in Page Info can bypass NoScript on Linux if gstreamer is used (was: media tab in Page Info can bypass NoScript)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 15 07:44:10 UTC 2016

#18782: media tab in Page Info can bypass NoScript on Linux if gstreamer is used
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  assigned
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
Changes (by gk):

 * status:  needs_information => assigned


 Replying to [comment:15 cypherpunks]:
 > So fundamentally, the expected behaviour is not to leak data? To obey
 > the security slider? To start shipping TBB with media.gstreamer.enabled
 > set to false, or incorporating that setting into the slider?
 > Do you even know if gstreamer has been leaking this whole time and
 > should be removed as an option until upstream passes an audit?
 >  - If you can determine gstreamer isn't leaky (meaning outside the Tor
 >    network) then media.gstreamer.enabled should become part of what the
 >    security slider controls
 >  - if you cannot determine anything about gstreamer's network activity
 >    conclusively (?) then it should be removed from interaction from TBB

 See #13020 for the network activity. The sole reason I was asking about
 the expected behavior was that there are a bunch of possible ways to deal
 with this issue and I certainly don't want to pick one users are unhappy
 about as this would result in follow-up bugs leading to extra work.

 And FWIW Tor Browser based on ESR45 won't have this problem anymore as
 Mozilla is not using gstreamer anymore. We'll start shipping that in
 roughly 10 days with the next alpha.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
