[tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Sep 28 13:59:47 UTC 2019


#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by gk):

 Replying to [comment:13 cypherpunks]:
 > >> Doh, looks like you see Windows for the first time :(
 > > Actually, I do not, believe me.
 > "Trust Me, I'm an Engineer" :) I know you do not, I say how it looks
 like. And your further questions just increase that feeling.

 There is no need to drag this down onto a personal level and/or starting
 ad hominem arguments. I told you that on different occasions in different
 tickets. Please stop.

 > >> What do you say when you see `D:\Program Files`?
 > > I was not really talking about that.
 > About what? `D:\Program Files` instead of `C:\Program Files` on a user's
 machine, and the hole is still there.
 > > I was curious why hardcoding *any* path, like `C:\Program Files` on a
 Windows 64bit system, is a vulnerability and what would it be in that
 case? That's how I read your comment at least.
 > Hardcoding paths is a bad security practice (and not only security). Is
 this new for you?

 So, how are we supposed to fix this bug without introducing new
 vulnerabilities in your opinion? Hardcoding any path (like suggested with
 C:\Windows or a path below it in comment:6) like e.g. the `curl` devs did
 does not do the trick according to your line of reasoning.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list