[tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 27 16:35:07 UTC 2019
#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Changes (by gk):
* status: reopened => needs_information
Comment:
Replying to [comment:6 cypherpunks]:
> No, it's not fixed. `Program Files (x86)` looks even like the same hole
for 32-bit Windows. Fixing compilation doesn't mean fixing a CVE. Anyway,
that's for the default fallback only.
>
> Your scenario is different, because you ship OpenSSL with a portable
application, which is known as an app-local installation. That's why you
are not allowed to use the default paths of system-wide OpenSSL. You have
been warned about that in ticket:23396#comment:14, but still can't realize
what it means, it seems :(
Not sure what you mean. This is what we get for 64bit Windows:
{{{
001f5900: 4f50 454e 5353 4c44 4952 3a20 2243 3a2f OPENSSLDIR: "C:/
001f5910: 5072 6f67 7261 6d20 4669 6c65 732f 436f Program Files/Co
001f5920: 6d6d 6f6e 2046 696c 6573 2f53 534c 2200 mmon Files/SSL".
001f5930: 454e 4749 4e45 5344 4952 3a20 2243 3a2f ENGINESDIR: "C:/
001f5940: 5072 6f67 7261 6d20 4669 6c65 732f 4f70 Program Files/Op
001f5950: 656e 5353 4c2f 6c69 622f 656e 6769 6e65 enSSL/lib/engine
001f5960: 732d 315f 3122 0000 6275 696c 7420 6f6e s-1_1"..built on
}}}
and 32bit
{{{
001db520: 6777 0000 4f50 454e 5353 4c44 4952 3a20 gw..OPENSSLDIR:
001db530: 2243 3a2f 5072 6f67 7261 6d20 4669 6c65 "C:/Program File
001db540: 7320 2878 3836 292f 436f 6d6d 6f6e 2046 s (x86)/Common F
001db550: 696c 6573 2f53 534c 2200 0000 454e 4749 iles/SSL"...ENGI
001db560: 4e45 5344 4952 3a20 2243 3a2f 5072 6f67 NESDIR: "C:/Prog
001db570: 7261 6d20 4669 6c65 7320 2878 3836 292f ram Files (x86)/
001db580: 4f70 656e 5353 4c2f 6c69 622f 656e 6769 OpenSSL/lib/engi
001db590: 6e65 732d 315f 3122 0000 0000 ceb4 5d6b nes-1_1"......]k
}}}
What's wrong with those paths? They should not be user-writable. I mean
that's actually part of the OpenSSL fix for that CVE. If that's wrong it
seems to me a bug against OpenSSL should get filed.
> If you read the wiki above, you would know that you should use a "rule
of thumb" and set `--prefix/--openssldir` properly. But assuming that the
Tor Browser's directory is still user-writable in most installations :(,
what paths should be used as safe? `C:\Windows` (or even `%WINDIR%`, if
supported?) or some path in it? What is the consensus here?
Yes, the Tor Browser directory user-writable is not the issue here,
though. It's that OPENSSLDIR/ENGINEDIR were user-writable. Are you
claiming `C:\Program Files` and `C:\Program Files (x86)` are user-
writable? If not, then why is the issue not fixed?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list