SoylentNews

Tor Browser 7.0.3 is Released (Major Security Bugfix Release for Linux Users Only)

posted by takyon on Tuesday August 01 2017, @08:52AM   
from the click-our-summary's-specially-crafted-URLs dept.

An Anonymous Coward writes:

"This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support Firefox allows to bypass proxy settings as it ships a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser are unaffected, though."

---

Original Submission

• Comment Below Threshold (1 child)

  Linux is for fags. Linux is for fags. (Score: -1, Flamebait) by Anonymous Coward on Tuesday August 01 2017, @08:59AM (1 child)

  by Anonymous Coward on Tuesday August 01 2017, @08:59AM (#547566)

  Tor is for child-molesting fags.

  • Comment Below Threshold

    Re:Linux is for fags. (Score: -1, Troll) by Anonymous Coward on Tuesday August 01 2017, @10:28AM

    by Anonymous Coward on Tuesday August 01 2017, @10:28AM (#547583)

    Tor is for child-molesting fags.

    It's all true!

    Parent

• PWNED! PWNED! (Score: 0) by Anonymous Coward on Tuesday August 01 2017, @09:29AM (3 children)

  by Anonymous Coward on Tuesday August 01 2017, @09:29AM (#547570)

  We believe that previous versions of Tor Browser are affected as well (definitely 6.5.2 which I tested).

  There is no particular version this bug got added as the offending code has been in Firefox for years.

  - source [torproject.org]

  • Re:PWNED! (Score: 2) by kaszz on Tuesday August 01 2017, @11:37AM

    by kaszz (4211) on Tuesday August 01 2017, @11:37AM (#547595) Journal

    That might explain some busts in the last years.

    Parent

  • Re:PWNED! Re:PWNED! (Score: 2) by frojack on Tuesday August 01 2017, @08:18PM (1 child)

    by frojack (1554) on Tuesday August 01 2017, @08:18PM (#547743) Journal

    Are we sure it has anything to do with firefox, and not the linux TCP stack?

    I saw a longish discussion on the the opensuse list about this very issue not long ago.

    The application does not have total control of the routing. Any leakage of ultimate destination IP back to the client TCP stack will often trigger route metrics ("cost") to kick in if there are ANY other routes defined and enabled with lower metric.

    --
    No, you are mistaken. I've always had this sig.

    Parent

    • Re:PWNED! (Score: 2) by FatPhil on Wednesday August 02 2017, @08:25AM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday August 02 2017, @08:25AM (#547873) Homepage

      It's because of the design of GVfs (the Gnome Virtual File System, not to be confused with GnomeVFS, the Gnome Virtual File System). The linux TCP stack can happily exist without GVfs/GIO being on the system, so no, it's not the Linux TCP stack that's to blame. That's like blaming bank robberies on highways because getaway drivers use them.

      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

      Parent

• Sandboxing it is. Sandboxing it is. (Score: 2) by kaszz on Tuesday August 01 2017, @11:31AM (3 children)

  by kaszz (4211) on Tuesday August 01 2017, @11:31AM (#547592) Journal

  If security really matters, then sandboxing is at least a minimum measure to take.
  And the sandbox should not even be aware of what the real local network it is operating in.

  • Not sandboxing. REAL FIREWALLING. Not sandboxing. REAL FIREWALLING. (Score: 1, Insightful) by Anonymous Coward on Tuesday August 01 2017, @12:30PM (2 children)

    by Anonymous Coward on Tuesday August 01 2017, @12:30PM (#547607)

    You need to have the system running TBB on an isolated network with a firewalled proxy that in turn only allows Tor connections out. If you did this, as I have, then this direct connect exploit doesn't affect you.

    A VM might be a less secure alternative, but physical system isolation is still the best bet, especially with dumb non-embedded ethernet devices just in case any of management engine systems in use actually CAN be triggered with coded ethernet/IP messages.

    Parent

    • Re:Not sandboxing. REAL FIREWALLING. Re:Not sandboxing. REAL FIREWALLING. (Score: 0) by Anonymous Coward on Wednesday August 02 2017, @08:57PM (1 child)

      by Anonymous Coward on Wednesday August 02 2017, @08:57PM (#548111)

      That system probably has to run something popular too. Otherwise if you're the only person in the world running it, it starts becoming more and more identifying ;).

      Parent

      • Re:Not sandboxing. REAL FIREWALLING. (Score: 0) by Anonymous Coward on Wednesday August 02 2017, @09:00PM

        by Anonymous Coward on Wednesday August 02 2017, @09:00PM (#548113)

        Analogy: http://media.paperblog.fr/i/274/2743468/fashion-faux-pas-jour-dark-vador-est-fan-dhel-L-1.jpeg [paperblog.fr]

        Parent

• GNOME is not Linux GNOME is not Linux (Score: 5, Informative) by Arik on Tuesday August 01 2017, @11:43AM (6 children)

  by Arik (4543) on Tuesday August 01 2017, @11:43AM (#547596) Journal

  Once again the former gives a bad name to, well, anyone foolish enough to ship it.

  --
  If laughter is the best medicine, who are the best doctors?

  • Re:GNOME is not Linux Re:GNOME is not Linux (Score: 3, Informative) by kaszz on Tuesday August 01 2017, @12:41PM (3 children)

    by kaszz (4211) on Tuesday August 01 2017, @12:41PM (#547611) Journal

    GNOME needs systemd which is a product of RedHat. Which is controlled by its chairman Shelton. That is a career military officer.

    Anyone got the message? ;-)

    Parent

    • Re:GNOME is not Linux Re:GNOME is not Linux (Score: 0) by Anonymous Coward on Tuesday August 01 2017, @05:19PM (2 children)

      by Anonymous Coward on Tuesday August 01 2017, @05:19PM (#547708)

      > GNOME needs systemd [...]

      Not exactly. [freebsd.org]

      > Which is controlled by its chairman Shelton. That is a career military officer.

      If a project sees functionality within systemd that is useful, [...] you’ll not get very far with stating that the project is bad for having used that. Or suggesting that there is some conspiracy going on, or that the project maintainer is an idiot. [gnome.org]

      Parent

      • Re:GNOME is not Linux (Score: 3, Insightful) by Arik on Tuesday August 01 2017, @07:07PM

        by Arik (4543) on Tuesday August 01 2017, @07:07PM (#547729) Journal

        1.) That's GNOME 2.32. There were, like, a couple dozen forks of it but I'm not a fan so I haven't kept up with which are still going etc. If you ever see a GNOME 1 fork I would give it a test-drive.
        
        2.) I can generalize that quite a bit. When systemd has a readily apparent benefit, however minor, and the potential negative effects seem abstract and tenuous by comparison, no matter how catastrophic the potential effect, it will be written off and ignored by most humans. As a species, we're just that short-sighted.

        --
        If laughter is the best medicine, who are the best doctors?

        Parent

      • Re:GNOME is not Linux (Score: 0) by Anonymous Coward on Tuesday August 01 2017, @07:07PM

        by Anonymous Coward on Tuesday August 01 2017, @07:07PM (#547730)

        Hah! He says systemd just works, if you say it doesn't work for you you have no credibility. Fuck that guy

        Parent

  • Re:GNOME is not Linux Re:GNOME is not Linux (Score: 2) by FatPhil on Wednesday August 02 2017, @08:29AM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday August 02 2017, @08:29AM (#547875) Homepage

    Yeah, I was going to post something similar, framed around the following rhetorical question:
    
    So, who should we blame for this - RedHat (current majority contributor to Gnome), well known for things such as systemd, or Miguel de Icaza (originator of Gnome), well known for trying to push .NET into Linux?

    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

    Parent

    • Re:GNOME is not Linux (Score: 0) by Anonymous Coward on Wednesday August 02 2017, @06:48PM

      by Anonymous Coward on Wednesday August 02 2017, @06:48PM (#548049)

      Pretty sure de Icaza hasn't had anything to do with GNOME - or working - for years. He got a cushy sinecure from Microsoft after he endorsed .NET iirc.

      Parent

• kitchen-sink-and-everything-firefox kitchen-sink-and-everything-firefox (Score: 0) by Anonymous Coward on Tuesday August 01 2017, @06:53PM (2 children)

  by Anonymous Coward on Tuesday August 01 2017, @06:53PM (#547727)

  hmmm .. affected here.
  so where and how does one edit this "whitelist" in firefox?
  I am pretty sure it can be used for other nefarious tasks that don't involve tor ... *humph*

  • Re:kitchen-sink-and-everything-firefox Re:kitchen-sink-and-everything-firefox (Score: 0) by Anonymous Coward on Wednesday August 02 2017, @06:28AM (1 child)

    by Anonymous Coward on Wednesday August 02 2017, @06:28AM (#547863)

    https://gitweb.torproject.org/tor-browser.git/commit/?id=a96f898e0da42de751a5e1367a9899cc96fadb1f [torproject.org]

    Parent

    • Re:kitchen-sink-and-everything-firefox (Score: 0) by Anonymous Coward on Wednesday August 02 2017, @07:33PM

      by Anonymous Coward on Wednesday August 02 2017, @07:33PM (#548076)

      thanks a mega bunch! : )

      Parent