[tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 27 16:58:32 UTC 2019
#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by gk):
Replying to [comment:9 cypherpunks]:
> > What's wrong with those paths?
> They are hard-coded. That's a main bug and vulnerability, in general.
> Also they are not allowed for your app-local OpenSSL.
Where is the vulnerability here and why does it matter whether those paths
are allowed for the app- local OpenSSL?
> > They should not be user-writable. I mean that's actually part of the
OpenSSL fix for that CVE. If that's wrong it seems to me a bug against
OpenSSL should get filed.
> Yes.
> > Are you claiming `C:\Program Files` and `C:\Program Files (x86)` are
user-writable?
> `C:\Program Files (x86)` doesn't exist in 32-bit Windows.
Yeah, I just found
https://github.com/openssl/openssl/pull/9400#issuecomment-517784572.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list