[tor-bugs] #28332 [Core Tor/Nyx]: Nyx configuration editor reproducibly crashes if custom ordering is set
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 5 19:49:28 UTC 2018
#28332: Nyx configuration editor reproducibly crashes if custom ordering is set
--------------------------+------------------------------
Reporter: wagon | Owner: atagar
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Core Tor/Nyx | Version: Tor: 0.3.4.9
Severity: Normal | Resolution: duplicate
Keywords: config | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+------------------------------
Comment (by atagar):
> So, I can install on my system any trojan, run it, and later verify that
> this trojan was OK? No, it doesn't work this way.
Ummm... no. It doesn't.
```
moirai:~% cd /tmp
moirai:/tmp% git clone https://git.torproject.org/nyx.git
Cloning into 'nyx'...
remote: Counting objects: 13147, done.
remote: Compressing objects: 100% (36/36), done.
remote: Total 13147 (delta 17), reused 0 (delta 0)
Receiving objects: 100% (13147/13147), 10.73 MiB | 2.10 MiB/s, done.
Resolving deltas: 100% (10090/10090), done.
Checking connectivity... done.
moirai:/tmp% cd nyx
moirai:/tmp/nyx% git rev-parse HEAD
d3dd23cec8cab7eea4969d0c462a2e1abfa5b19d
[ ok, the cryptographic signature is correct ]
moirai:/tmp/nyx% ./run_nyx --help
```
There's no need to install, and if you have the HEAD signature that can be
used for verification just the same as a gpg signed tarball. It provides
the same thing. The only thing you *can't* safely trust is this message
from me that's providing you with the above signature. If a meanie snagged
my trac password, exploited the Tor git repository (to circumvent the
https), and MITM your connection you're completely right - someone could
do something nasty.
But this both requires the exploitation of multiple core Tor systems
(in which case honestly your system is the least of our worries) and it
wouldn't exploit root since nyx **does not need to be installed** to /usr.
Anywho, if you're still worried I can pgp sign this message later. I'm at
work at the moment so I don't have my keys handy but if you're really that
worried let me know.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28332#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
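
Added example (not part of the original message and not Nyx or Tor Project code): a Python sketch of why comparing `git rev-parse HEAD` with a hash obtained out of band covers every file in the checkout and its history. It recomputes git's SHA-1 object ids for a constructed, flat file set; the file names, contents and committer identity are assumptions made up for the demo.

```python
import hashlib
import hmac

def git_object_id(kind, body):
    """git names an object by SHA-1 over b'<kind> <len>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def blob_id(data):
    return git_object_id("blob", data)

def tree_id(files):
    """Id of a flat tree of regular files (mode 100644), entries sorted by name."""
    body = b""
    for name in sorted(files, key=str.encode):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)

def commit_id(files, message, parent=None):
    """Id of a commit whose tree holds `files`; the identity line is constructed."""
    who = "Example Dev <dev@example.invalid> 1541447368 +0000"
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {who}", f"committer {who}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def head_matches(files, message, pinned, parent=None):
    """True only if the recomputed commit id equals the id obtained out of band."""
    return hmac.compare_digest(commit_id(files, message, parent), pinned)

# Constructed sample checkout (not the real Nyx tree).
CLEAN = {"run_nyx": b"#!/usr/bin/env python\nimport nyx\n", "README": b"Nyx\n"}
FIRST = commit_id(CLEAN, "initial import")
PINNED = commit_id(CLEAN, "release", parent=FIRST)  # the value you were told to expect

if __name__ == "__main__":
    tampered = dict(CLEAN, run_nyx=CLEAN["run_nyx"] + b"# modified\n")
    print("clean checkout    :", head_matches(CLEAN, "release", PINNED, FIRST))
    print("one file modified :", head_matches(tampered, "release", PINNED, FIRST))
    # Rewriting history changes the parent id, which changes HEAD as well.
    other_first = commit_id(tampered, "initial import")
    print("history rewritten :", head_matches(CLEAN, "release", PINNED, other_first))
```

The comparison only carries weight when the pinned id arrives over a channel the attacker does not control, which is the caveat the comment itself raises.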