[tor-bugs] #28332 [Core Tor/Nyx]: Nyx configurashion editor reproducibly crashes if custom ordering is set
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 6 18:43:40 UTC 2018
#28332: Nyx configurashion editor reproducibly crashes if custom ordering is set
--------------------------+------------------------------
Reporter: wagon | Owner: atagar
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Core Tor/Nyx | Version: Tor: 0.3.4.9
Severity: Normal | Resolution: duplicate
Keywords: config | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+------------------------------
Comment (by wagon):
> it wouldn't exploit root since `nyx` does not need to be installed to
`/usr`
Then it cannot find Stem:
{{{
$ pip3 list | grep stem
stem (1.7.0-dev)
$ ./run_nyx --help
Traceback (most recent call last):
File "./run_nyx", line 7, in <module>
import nyx
File "[/path/to]/nyx/nyx/__init__.py", line 54, in <module>
import stem
ImportError: No module named stem
}}}
> If a meanie snagged my trac password, exploited the Tor git repository
(to circumvent the https), and MITM your connection you're completely
right - someone could do something nasty. But this is both requires the
exploitation of multiple core Tor systems (in which case honestly your
system is the least of our worries)
There is good security practice: sign your code. It is much simpler than
thinking about possible ways of exploitation.
> if you're still worried I can pgp sign this message later.
I am not hurry with this. Please, sign it when you will have time.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28332#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list