[tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Sep 28 10:33:35 UTC 2019


#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by cypherpunks):

 >> Doh, looks like you see Windows for the first time :(
 > Actually, I do not, believe me.
 "Trust Me, I'm an Engineer" :) I know you do not; I am saying what it looks like.
 And your further questions just increase that feeling.
 >> What do you say when you see `D:\Program Files`?
 > I was not really talking about that.
 About what? `D:\Program Files` instead of `C:\Program Files` on a user's
 machine, and the hole is still there.
 > I was curious why hardcoding *any* path, like `C:\Program Files` on a
 > Windows 64-bit system, is a vulnerability and what would it be in that
 > case? That's how I read your comment at least.
 Hardcoding paths is a bad security practice (and not only security). Is
 this new to you?
 A relocatable toolchain is still a miracle in the Linux world, right? On
 Windows, developers use environment variables, e.g.
 https://www.quora.com/What-is-the-difference-between-windir-and-systemroot

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

