[tbb-bugs] #17931 [Tor Browser]: Tor Browser Hardened Crash
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jan 4 16:11:24 UTC 2016
#17931: Tor Browser Hardened Crash
-------------------------------------------------+-------------------------
Reporter: pege                                   | Owner: tbb-team
Type: defect                                     | Status: needs_revision
Priority: Immediate                              | Milestone:
Component: Tor Browser                           | Version:
Severity: Blocker                                | Resolution:
Keywords: tbb-hardened, tbb-crash,               | Actual Points:
  TorBrowserTeam201512R                          | Points:
Parent ID:                                       |
Sponsor:                                         |
-------------------------------------------------+-------------------------
Changes (by mikeperry):
* status: needs_review => needs_revision
Comment:
The core problem here is that LogMessageToConsole() is dangerous, undocumented, and borderline deceptive. We should absolutely patch this function to change LogMessageToConsole() to accept only a single non-format argument, to guard against future vulnerabilities coming down from Mozilla or even by new TBB devs in the far future. In fact, it is already misused in Mozilla's own sandboxing code in ./security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h. If a sandbox violation is able to force a log message there that has a format string, this could also lead to sandbox breakout from the e10s sandbox. We might even be able to claim Mozilla's bug bounty for this. Regardless, a Mozilla bug should be filed.

I hear rumors of an NSS bugfix coming out tomorrow. If that bug affects the NSS in ESR, we should wait to pick that up. Otherwise, we should make a release with a fix for this ASAP.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17931#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
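Added example, not Tor Browser or Mozilla code: a printf-style logger of the shape the comment above objects to, next to the hardened single-argument shape it asks for, plus a call-site check. Function names, the 256-byte buffer and the GCC/Clang `format` attribute are assumptions for illustration.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Unsafe shape: the first parameter is a format string, so any '%' in text a
// caller passes here is interpreted rather than logged. The format attribute
// (GCC/Clang extension, assumed available) makes -Wformat-security warn on
// LogMessageToConsoleFmt(msg) where msg is not a literal.
__attribute__((format(printf, 1, 2)))
std::string LogMessageToConsoleFmt(const char* fmt, ...) {
  char buf[256];
  va_list ap;
  va_start(ap, fmt);
  std::vsnprintf(buf, sizeof buf, fmt, ap);
  va_end(ap);
  return std::string(buf);
}

// Hardened shape: one non-format argument. The message travels as data
// through a fixed "%s" format, so '%' sequences in it are logged verbatim.
std::string LogMessageToConsole(const char* message) {
  char buf[256];
  std::snprintf(buf, sizeof buf, "%s", message);
  return std::string(buf);
}

// Call-site check for code that still must use the format-taking API:
// refuse any message that contains a '%' and could act as a directive.
bool IsFormatFree(const std::string& message) {
  return message.find('%') == std::string::npos;
}

int main() {
  // Constructed sample: a log message that happens to contain printf directives.
  const char* untrusted = "sandbox violation: %s %p %n";
  std::printf("%s\n", LogMessageToConsole(untrusted).c_str());  // logged verbatim
  std::printf("format-free? %d\n", IsFormatFree(untrusted));     // 0
  // The only safe way to reach the variadic logger with untrusted text:
  std::printf("%s\n", LogMessageToConsoleFmt("%s", untrusted).c_str());
  return 0;
}
```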