[tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 23 16:09:58 UTC 2019


#29158: Add fix for DSA 4371-1 (apt vulnerability)
-------------------------------------------+-------------------------------
 Reporter:  boklm                          |          Owner:  tbb-team
     Type:  defect                         |         Status:  needs_revision
 Priority:  High                           |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  TorBrowserTeam201901, tbb-rbm  |  Actual Points:
Parent ID:                                 |         Points:
 Reviewer:                                 |        Sponsor:
-------------------------------------------+-------------------------------
Changes (by boklm):

 * status:  needs_review => needs_revision
 * keywords:  TorBrowserTeam201901R, tbb-rbm => TorBrowserTeam201901, tbb-rbm


Comment:

 Replying to [comment:2 gk]:
 > What happens inside the containers if we are installing, say, build
 > dependencies? Are we good here? I guess I was wondering about the
 > `apt-get` calls in `container-image/config`.

 After checking, debootstrap is not installing packages from
 security.debian.org. So we are using a vulnerable apt version in
 `container-image/config`.

 I think we can fix that by manually installing new apt packages inside the
 chroots after creating them with debootstrap in
 `projects/debootstrap-image/config`. I will work on a new version of the
 patch doing that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29158#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

