Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Tuesday August 01 2017, @08:52AM   Printer-friendly
from the click-our-summary's-specially-crafted-URLs dept.

"This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support Firefox allows to bypass proxy settings as it ships a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser are unaffected, though."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday August 01 2017, @09:29AM (3 children)

    by Anonymous Coward on Tuesday August 01 2017, @09:29AM (#547570)

    We believe that previous versions of Tor Browser are affected as well (definitely 6.5.2 which I tested).

    There is no particular version this bug got added as the offending code has been in Firefox for years.

    - source [torproject.org]

  • (Score: 2) by kaszz on Tuesday August 01 2017, @11:37AM

    by kaszz (4211) on Tuesday August 01 2017, @11:37AM (#547595) Journal

    That might explain some busts in the last years.

  • (Score: 2) by frojack on Tuesday August 01 2017, @08:18PM (1 child)

    by frojack (1554) Subscriber Badge on Tuesday August 01 2017, @08:18PM (#547743) Journal

    Are we sure it has anything to do with firefox, and not the linux TCP stack?

    I saw a longish discussion on the the opensuse list about this very issue not long ago.

    The application does not have total control of the routing. Any leakage of ultimate destination IP back to the client TCP stack will often trigger route metrics ("cost") to kick in if there are ANY other routes defined and enabled with lower metric.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by FatPhil on Wednesday August 02 2017, @08:25AM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday August 02 2017, @08:25AM (#547873) Homepage
      It's because of the design of GVfs (the Gnome Virtual File System, not to be confused with GnomeVFS, the Gnome Virtual File System). The linux TCP stack can happily exist without GVfs/GIO being on the system, so no, it's not the Linux TCP stack that's to blame. That's like blaming bank robberies on highways because getaway drivers use them.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves