[tor-bugs] #17895 [Applications/Tor Browser]: Tor Browser Bundle installer subject to DLL hijacking

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 18 08:55:38 UTC 2016 

#17895: Tor Browser Bundle installer subject to DLL hijacking
-------------------------------------------------+-------------------------
 Reporter:  ericlaw                              |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:
Component:  Applications/Tor Browser             |  needs_information
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-gitian, tbb-security,            |        Version:
  GeorgKoppen201604, TorBrowserTeam201604        |     Resolution:
Parent ID:                                       |  Actual Points:
 Reviewer:                                       |         Points:
                                                 |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * cc: boklm (added)
 * status:  new => needs_information


Comment:

 Replying to [comment:16 anon]:
 > Is this blocked on upstream NSIS 2.49, NSIS 3.x update, lacking dev
 time, or something else?

 Lack of dev time. We have been mostly busy with getting Tor Browser
 switched to Firefox ESR45 and we restructured our Tor Browser team (we are
 a bit smaller now and I am responsible for the team management stuff, now,
 too).

 What we need here is:
 1) Cross-compiling NSIS
 2) Making sure the resulting .exe files are still bit-by-bit reproducible
 3) Making sure that these files are still working on all supported Windows
 versions (XP - 10)
 4) Making sure stripping the authenticode signature is still reproducible

 Thanks for pointing out that this is not done within 5 minutes.

 That said I agree with this being an important issue and I'd like to have
 this fixed rather sooner than later. Ideally, before the 6.0 gets stable.
 I looked a bit at 1) this morning with NSIS 2.51 but already that step is
 failing badly for me: I took the cross-compiler we generate during our
 Windows build and followed the sparse cross-compile documentation.
 Starting the build just broke with
 {{{
 sh: 1: Syntax error: "(" unexepected
 }}}
 while compiling advsplash.c. I then tried to get the necessary help by
 looking at the way Debian builds NSIS but that did not work either for me.

 boklm: Is this something you would have time to look into?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17895#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list