[tor-bugs] #9308 [Firefox Patch Issues]: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 22 19:09:21 UTC 2014 

#9308: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and
Windows
-------------------------------------+-------------------------------------
     Reporter:  cypherpunks          |      Owner:  mikeperry
         Type:  defect               |     Status:  needs_revision
     Priority:  critical             |  Milestone:
    Component:  Firefox Patch        |    Version:
  Issues                             |   Keywords:  tbb-fingerprinting,
   Resolution:                       |  tbb-easy, interview
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by gk):

 Replying to [comment:30 arthuredelstein]:
 > My experiments showed that the xpcshell is using various C++ libraries
 > (such as, presumable, the JS compiler and runtime) that are also used
 > by Firefox. The C++ source for this code is part of the Mozilla build.
 > So that's why it would be necessary to build tor-browser.git natively
 > in order to compile the JavaScript: not just to build the xpcshell
 > binary, but also to build all the needed libraries.

 :(

 > > Well, I think we would put it on a mirror and download it when
 fetching the build prerequisites (there are mirror URLs in the fetch-
 inputs.sh we already use). Then we could fiddle with the bundle
 descriptors and put them manually into the omni.ja files.
 >
 >
 > That will definitely work. A mirror alone is dangerous, though, because
 anyone building TBB would need to trust the binary files. So for the
 integrity check, it seems we need
 > two paths for getting the binary .js files -- one locally, where the
 > files are borrowed from the linux build, and one from a mirror, for
 > the case when we don't have time to run the linux build. Then the
 > resulting TB builds can be compared to make sure nothing nefarious has
 > happened. Or can you see a simpler way to verify the binary files'
 > integrity?

 Well, what we are currently doing (e.g. when shipping the msvcr100.dll) is
 putting the resource in question on a mirror we control and adding its
 sha256 sum to the versions files. When there is a new release we tag it
 and sign it. That model gives good enough security for the stopgap we are
 talking about here IMO. A temporary patch for tor-browser.git would be
 cleaner, though, especially as we would not need to touch tor-browser-
 bundle related things and revert the changes later when ESR 31 lands. But
 as I said, dunno how easy that is...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9308#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list