[Pkg-privacy-commits] [torbrowser-launcher] 01/01: prepare 0.1.9+deb8u3 upload to jessie, more explanation in debian/changelog shall follow

Holger Levsen holger at moszumanska.debian.org
Sat Mar 26 18:57:30 UTC 2016



holger pushed a commit to branch debian/jessie-proposed
in repository torbrowser-launcher.

commit ef8da3330e4bdbf845286dab70e4c490b61e177c
Author: Holger Levsen <holger at layer-acht.org>
Date:   Sat Mar 26 14:56:54 2016 -0400

    prepare 0.1.9+deb8u3 upload to jessie, more explanation in debian/changelog shall follow
---
 debian/changelog                                   |  7 ++
 ...x-issue-with-detecting-language-fixes-220.patch | 25 ++++++
 ...nch-Tor-Browser-if-its-version-is-earlier.patch | 90 ++++++++++++++++++++++
 ...ove-certificate-pinning--github-issue-224.patch | 30 ++++++++
 ...nature-verification-attack-by-passing-bot.patch | 26 +++++++
 ...empts-at-directory-traversal-attacks-even.patch | 33 ++++++++
 ...015-Updated-package-description-fixes-218.patch | 30 ++++++++
 debian/patches/series                              |  7 ++
 8 files changed, 248 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8695695..884b6be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,13 @@
 torbrowser-launcher (0.1.9-1+deb8u3) UNRELEASED; urgency=medium
 
   * Bump version to 0.1.9+deb8u3 in share/torbrowser-launcher/version.
+  * Add these patches:
+    - 0011-Fix-issue-with-detecting-language-fixes-220.patch
+    - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
+    - 0012a-Remove-certificate-pinning--github-issue-224.patch 
+    - 0013-Prevent-signature-verification-attack-by-passing-bot.patch
+    - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
+    - 0015-Updated-package-description-fixes-218.patch
 
  -- Holger Levsen <holger at debian.org>  Mon, 18 Jan 2016 14:16:14 +0100
 
diff --git a/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch b/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch
new file mode 100644
index 0000000..2cb1036
--- /dev/null
+++ b/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch
@@ -0,0 +1,25 @@
+From 7c896725304574052f3320d253c9c17c9794cd57 Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Tue, 1 Mar 2016 13:14:15 +0100
+Subject: [PATCH] Fix issue with detecting language (fixes #220)
+
+---
+ torbrowser_launcher/common.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torbrowser_launcher/common.py b/torbrowser_launcher/common.py
+index 74c4ddf..1eddb54 100644
+--- a/torbrowser_launcher/common.py
++++ b/torbrowser_launcher/common.py
+@@ -71,7 +71,7 @@ class Common:
+ 
+         # figure out the language
+         available_languages = ['en-US', 'ar', 'de', 'es-ES', 'fa', 'fr', 'it', 'ko', 'nl', 'pl', 'pt-PT', 'ru', 'vi', 'zh-CN']
+-        default_locale = locale.getdefaultlocale()[0]
++        default_locale = locale.getlocale(locale.LC_MESSAGES)[0]
+         if default_locale is None:
+             self.language = 'en-US'
+         else:
+-- 
+2.1.4
+
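Review bot: `locale.getlocale(locale.LC_MESSAGES)` on the new line reports the locale the process has actually set, so unless `locale.setlocale(locale.LC_ALL, '')` ran earlier it returns `(None, None)` under the default 'C' locale and the launcher silently falls back to 'en-US'; whether setlocale is called elsewhere is not visible in this hunk and is worth confirming. It can also raise `ValueError` for a locale string it cannot parse, which the following `is None` check does not cover. A comment on the new line such as `# needs locale.setlocale() to have run; yields (None, None) under the 'C' locale` would document that dependency. The enclosing method of Common starts outside the hunk.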
diff --git a/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch b/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
new file mode 100644
index 0000000..944e9fd
--- /dev/null
+++ b/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
@@ -0,0 +1,90 @@
+From a8d1e803798251e051dcf41d9c8a1b2e00710a0c Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Tue, 1 Mar 2016 17:37:00 +0100
+Subject: [PATCH] Fail to launch Tor Browser if its version is earlier than the
+ minimum version (#224)
+
+---
+ torbrowser_launcher/launcher.py | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index 37047a1..9815e84 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -56,6 +56,9 @@ class Launcher:
+         self.common = common
+         self.url_list = url_list
+ 
++        # this is the current version of Tor Browser, which should get updated with every release
++        self.min_version = '5.5.2'
++
+         # init launcher
+         self.set_gui(None, '', [])
+         self.launch_gui = True
+@@ -92,7 +95,11 @@ class Launcher:
+             self.launch_gui = False
+ 
+         if self.launch_gui:
+-            # set up the window
++            # build the rest of the UI
++            self.build_ui()
++
++    def configure_window(self):
++        if not hasattr(self, 'window'):
+             self.window = gtk.Window(gtk.WINDOW_TOPLEVEL)
+             self.window.set_title(_("Tor Browser"))
+             self.window.set_icon_from_file(self.common.paths['icon_file'])
+@@ -101,9 +108,6 @@ class Launcher:
+             self.window.connect("delete_event", self.delete_event)
+             self.window.connect("destroy", self.destroy)
+ 
+-            # build the rest of the UI
+-            self.build_ui()
+-
+     # download or run TBB
+     def start_launcher(self):
+         # is TBB already installed?
+@@ -129,6 +133,7 @@ class Launcher:
+         self.clear_ui()
+ 
+         self.box = gtk.VBox(False, 20)
++        self.configure_window()
+         self.window.add(self.box)
+ 
+         if 'error' in self.gui:
+@@ -483,7 +488,31 @@ class Launcher:
+ 
+         self.run_task()
+ 
++    def check_min_version(self):
++        installed_version = None
++        for line in open(self.common.paths['tbb']['versions']).readlines():
++            if line.startswith('TORBROWSER_VERSION='):
++                installed_version = line.split('=')[1].strip()
++                break
++
++        if self.min_version <= installed_version:
++            return True
++
++        return False
++
+     def run(self, run_next_task=True):
++        # don't run if it isn't at least the minimum version
++        if not self.check_min_version():
++            message =  _("The version of Tor Browser you have installed is earlier than it should be, which could be a sign of an attack!")
++            print message
++
++            md = gtk.MessageDialog(None, gtk.DIALOG_DESTROY_WITH_PARENT, gtk.MESSAGE_WARNING, gtk.BUTTONS_CLOSE, _(message))
++            md.set_position(gtk.WIN_POS_CENTER)
++            md.run()
++            md.destroy()
++
++            return
++
+         # play modem sound?
+         if self.common.settings['modem_sound']:
+             def play_modem_sound():
+-- 
+2.1.4
+
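Review bot: `if self.min_version <= installed_version` in the new check_min_version compares version strings lexicographically, so an installed '5.10.0' ranks below the minimum '5.5.2' and a legitimately newer Tor Browser is refused with the "could be a sign of an attack" dialog, while '5.6' would rank above '5.5.2' regardless of later components. The same method also leaves the handle from `open(...).readlines()` unclosed. Comparing with `distutils.version.LooseVersion` (stdlib on the Python 2 this file targets, given `print message`; it needs `from distutils.version import LooseVersion` at the top of launcher.py) and reading the file under `with` fixes both while keeping the current "no version found means refuse" outcome. Separately, `_(message)` in run() re-translates a string that was already passed through `_()` two lines earlier. The enclosing run() method continues outside the hunk.
```python
    def check_min_version(self):
        installed_version = None
        with open(self.common.paths['tbb']['versions']) as versions_file:
            for line in versions_file:
                if line.startswith('TORBROWSER_VERSION='):
                    installed_version = line.split('=', 1)[1].strip()
                    break

        # no version line at all: refuse to launch, as the original comparison did
        if installed_version is None:
            return False

        # compare as version numbers, not strings: '5.10.0' must not rank below '5.5.2'
        return LooseVersion(installed_version) >= LooseVersion(self.min_version)
```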
diff --git a/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch b/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch
new file mode 100644
index 0000000..7db0ae3
--- /dev/null
+++ b/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch
@@ -0,0 +1,30 @@
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index 633c758..a108c3b 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -460,15 +460,17 @@ class Launcher:
+             torEndpoint = TCP4ClientEndpoint(reactor, '127.0.0.1', 9050)
+ 
+             # default mirror gets certificate pinning, only for requests that use the mirror
+-            if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
+-                agent = SOCKS5Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']), proxyEndpoint=torEndpoint)
+-            else:
+-                agent = SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)
++            #### disable cert pinning the ugly way as the code has changed too much to do it cleanly in jessie
++            #### see https://github.com/micahflee/torbrowser-launcher/issues/224 for an explaination why this was done
++            ###if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
++            ###    agent = SOCKS5Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']), proxyEndpoint=torEndpoint)
++            ###else:
++            agent = SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)
+         else:
+-            if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
+-                agent = Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']))
+-            else:
+-                agent = Agent(reactor)
++            ###if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
++            ###    agent = Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']))
++            ###else:
++            agent = Agent(reactor)
+ 
+         # actually, agent needs to follow redirect
+         agent = RedirectAgent(agent)
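Review bot: The pinning branches are left in the file as `###`-commented lines rather than removed, and unlike the sibling 0011–0015 patches this one carries no DEP-3 header (no Description/Origin/Bug lines), so the rationale for a security-relevant change lives only in an in-code comment pointing at issue 224. With pinning gone, the authenticity of a download from the default mirror rests on the GPG signature check in verify() plus whatever TLS validation `Agent(reactor)` and `SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)` perform by default, which this hunk cannot confirm. A header such as `Description: Drop certificate pinning for the default mirror; download integrity now relies on the GPG signature check in verify()` together with `Bug: https://github.com/micahflee/torbrowser-launcher/issues/224` would record that trade-off in the package itself. The enclosing method starts before the hunk.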
diff --git a/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch b/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch
new file mode 100644
index 0000000..699b829
--- /dev/null
+++ b/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch
@@ -0,0 +1,26 @@
+From e5d3cbb0a3295bff6300797afe840226f4f56397 Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Sun, 13 Mar 2016 14:51:08 -0700
+Subject: [PATCH] Prevent signature verification attack by passing both data
+ file as well as sig file into gpg (fixes #229)
+
+---
+ torbrowser_launcher/launcher.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index d250a6e..442c6f4 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -447,7 +447,7 @@ class Launcher:
+         # verify the PGP signature
+         verified = False
+         FNULL = open(os.devnull, 'w')
+-        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
++        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file'], self.common.paths['tarball_file']], stdout=FNULL, stderr=subprocess.STDOUT)
+         self.pulse_until_process_exits(p)
+         if p.returncode == 0:
+             verified = True
+-- 
+2.1.4
+
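Review bot: Passing the tarball explicitly on the new Popen line stops gpg from deciding on its own which data the detached signature covers, but success is still judged solely by `p.returncode == 0` on the following lines, which gpg returns for a good signature from any key present in `gnupg_homedir`; the check therefore relies on that homedir holding only the Tor Browser signing key, something this hunk cannot confirm. Adding `'--status-fd', '1'` to the argument list with `stdout=subprocess.PIPE`, then requiring a `[GNUPG:] VALIDSIG <expected fingerprint>` line in the output before setting `verified = True`, would tie the result to the intended key independently of keyring contents (the expected fingerprint is not on this page). The `FNULL` handle opened on the line above is never closed in the visible lines. The enclosing verify() method continues outside the hunk.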
diff --git a/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch b/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
new file mode 100644
index 0000000..6b6372e
--- /dev/null
+++ b/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
@@ -0,0 +1,33 @@
+From 7f9f55b9e33fdc6dbd6ca20a83027bc042f7dcdb Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Sun, 13 Mar 2016 14:56:42 -0700
+Subject: [PATCH] Prevent attempts at directory traversal attacks, even though
+ they do not look exploitable
+
+---
+ torbrowser_launcher/launcher.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index 442c6f4..a05c4a1 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -435,7 +435,14 @@ class Launcher:
+         tree = ET.parse(self.common.paths['version_check_file'])
+         for up in tree.getroot():
+             if up.tag == 'update' and up.attrib['appVersion']:
+-                return up.attrib['appVersion']
++                version = str(up.attrib['appVersion'])
++
++                # make sure the version does not contain directory traversal attempts
++                # e.g. "5.5.3", "6.0a", "6.0a-hardned" are valid but "../../../../.." is invalid
++                if not re.match(r'^[a-z0-9\.\-]+$', version):
++                    return None
++
++                return version
+         return None
+ 
+     def verify(self):
+-- 
+2.1.4
+
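Review bot: The new guard `re.match(r'^[a-z0-9\.\-]+$', version)` lets a trailing newline through, because `$` also matches just before a final '\n'; `re.match(r'^[a-z0-9\.\-]+\Z', version)` rejects it, and the `str()` call on the line above still passes the value on unchanged. The hunk does not show `re` being imported in launcher.py, so that should be confirmed or the patch will raise NameError on the first version check. Upper-case letters are rejected by design per the comment, which is fine as long as no released version string contains them. The enclosing method starts before the hunk and returns None on the line after the loop.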
diff --git a/debian/patches/0015-Updated-package-description-fixes-218.patch b/debian/patches/0015-Updated-package-description-fixes-218.patch
new file mode 100644
index 0000000..0a3b74c
--- /dev/null
+++ b/debian/patches/0015-Updated-package-description-fixes-218.patch
@@ -0,0 +1,30 @@
+From 1cb819e8bd18114c013ab47287697fb66a9338fb Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Tue, 1 Mar 2016 13:19:37 +0100
+Subject: [PATCH] Updated package description (fixes #218)
+
+---
+ setup.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 3211ea3..ce7efe2 100644
+--- a/setup.py
++++ b/setup.py
+@@ -65,11 +65,9 @@ setup(
+     url='https://www.github.com/micahflee/torbrowser-launcher',
+     platforms=['GNU/Linux'],
+     license='MIT',
+-    description='A program to help you download, keep updated, and run the Tor Browser Bundle',
++    description='A program to help you securely download and run Tor Browser',
+     long_description="""
+-Tor Browser Launcher is intended to make the Tor Browser Bundle (TBB) easier to maintain and use for GNU/Linux users. You install torbrowser-launcher from your distribution's package manager and it handles downloading the most recent version of TBB for you, in your language and for your architecture. It also adds a "Tor Browser" application launcher to your operating system's menu, and lets you set Tor Browser as your default web browser.
+-
+-When you first launch Tor Browser Launcher, it will download TBB from https://www.torproject.org/, extract it in your home directory, and execute it. When you run it after that it will just execute TBB. When you open Tor Browser after an update, it will download the newer version of TBB for you and extract it over your old TBB directory, so you will maintain your TBB bookmarks and always be running the latest version.
++Tor Browser Launcher is intended to make Tor Browser easier to install and use for GNU/Linux users. You install torbrowser-launcher from your distribution's package manager and it handles downloading the most recent version of Tor Browser for you, in your language and for your architecture. It also adds a "Tor Browser" application launcher to your operating system's menu. When you first launch Tor Browser Launcher, it will download Tor Browser from https://www.torproject.org/, extract i [...]
+ """,
+     packages=['torbrowser_launcher'],
+     scripts=['torbrowser-launcher'],
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 457b8da..094e745 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,4 +8,11 @@
 0008-Eek-removed-testing-code-that-never-should-have-been.patch
 0009-Force-download-URLs-to-be-strings-and-not-unicode-20.patch
 0010-Only-convert-unicode-URLs-to-strings-if-they-are-act.patch
+0011-Fix-issue-with-detecting-language-fixes-220.patch
+0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
+0013-Prevent-signature-verification-attack-by-passing-bot.patch
+0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
+0015-Updated-package-description-fixes-218.patch
+0012a-Remove-certificate-pinning--github-issue-224.patch
 0099-Bump-version-to-0.1.9-deb8u3.patch
+
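Review bot: `0012a-Remove-certificate-pinning--github-issue-224.patch` is listed after 0015 rather than in numeric order, and its hunk context (`index 633c758..a108c3b`, line 460) suggests it was generated on top of 0013/0014, so the placement is probably deliberate but nothing says so. A comment line above it, `# 0012a must apply after 0013/0014: its context was taken from the tree with those applied`, would keep a later maintainer from "fixing" the order and breaking the patch. The added trailing blank line at the end of series is harmless but unnecessary.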



