[Pkg-privacy-maintainers] Bug#1138831: torbrowser-launcher: crash when downloading file due to apparmor restrictions

Lev Lamberov dogsleg at debian.org
Thu Jun 4 12:58:54 BST 2026


Package: torbrowser-launcher
Version: 0.3.9-1
Severity: grave
Justification: user security hole

Dear Maintainer,

The AppArmor profile for Tor Browser as shipped in torbrowser-launcher is
too restrictive, which causes a crash of Tor Browser when trying to
download any file.

How to reproduce:

Run torbrowser-launcher with AppArmor enabled and
/etc/apparmor.d/torbrowser.Browser.firefox in enforce mode. Connect to
the Tor network. Open any web page. Try to download any file or even to
save the page (Save As... in the menu).

Log:

$ LC_ALL=C.UTF-8 Browser/start-tor-browser --verbose

(Tor Browser:232643): GVFS-WARNING **: 16:47:35.936: can't init metadata tree /home/dogsleg/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/.local/share/gvfs-metadata/root: open: Not a directory
**
Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders.
Used config: Config {
    image_loader: {},
    image_editor: {},
} (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../../../gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: No image loaders are configured. You might need to install a package like glycin-loaders. Used config: Config {     image_loader: {},     image_editor: {}, } (gdk-pixbuf-error-quark, 0)
Redirecting call to abort() to mozalloc_abort

Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Browser/start-tor-browser: line 392: 232643 Segmentation fault         TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox "${@}" < /dev/null

Disabling /etc/apparmor.d/torbrowser.Browser.firefox or switching it
to complain mode is a workaround, which means that the AppArmor profile is
too restrictive. The same error was reported against Firefox and
firejail upstream; please see:
https://github.com/netblue30/firejail/issues/6906.

I consider the reported bug a security hole, because the mentioned
workaround requires unsafe usage of Tor Browser, that is, with
AppArmor protection disabled.

With regards,
Lev


-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 7.0.7+deb14-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages torbrowser-launcher depends on:
ii  ca-certificates             20260223
ii  gnupg                       2.4.9-4
ii  libasound2t64 [libasound2]  1.2.15.3-1+b1
ii  libdbus-glib-1-2            0.114-2+b1
ii  libgtk-3-0t64 [libgtk-3-0]  3.24.52-1
ii  python3                     3.13.9-3+b1
ii  python3-gpg                 2.0.0-2+b1
ii  python3-packaging           26.0-1
ii  python3-pyside6.qtcore      6.10.3-2
ii  python3-pyside6.qtgui       6.10.3-2
ii  python3-pyside6.qtwidgets   6.10.3-2
ii  python3-requests            2.32.5+dfsg-1
ii  python3-socks               1.7.1+dfsg-1

Versions of packages torbrowser-launcher recommends:
ii  tor  0.4.9.8-1

Versions of packages torbrowser-launcher suggests:
ii  apparmor  4.1.7-2

-- no debconf information
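
Added example, not part of the original report or of torbrowser-launcher: a small parser that groups AppArmor audit events by operation and path for one profile, so that the rules a profile is missing can be identified instead of disabling it. The log lines, the profile name example_browser_profile and all paths are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines (NOT taken from the bug report).
# Profile names and paths are placeholders chosen for illustration.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:210): apparmor="DENIED" operation="open" profile="example_browser_profile" name="/placeholder/lib/loader.so" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.102:211): apparmor="DENIED" operation="exec" profile="example_browser_profile" name="/placeholder/bin/helper" pid=4243 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.103:212): apparmor="DENIED" operation="open" profile="example_browser_profile" name="/placeholder/lib/loader.so" pid=4242 comm="firefox" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.104:213): apparmor="ALLOWED" operation="open" profile="other_profile" name="/placeholder/etc/conf" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.105:214): apparmor="DENIED" operation="open" profile="other_profile" name="/placeholder/etc/conf" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def summarize_denials(log_text, profile, verdicts=("DENIED",)):
    """Map (operation, path) -> union of denied permission letters for one profile."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("apparmor") not in verdicts:
            continue
        if rec.get("profile") != profile:
            continue
        summary[(rec.get("operation"), rec.get("name"))] |= set(rec.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in summary.items()}

if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG, "example_browser_profile")
    for (op, path), mask in sorted(result.items()):
        print(f"{op:6} {mask:3} {path}")
```

With a profile in complain mode the same events are logged as apparmor="ALLOWED", so passing verdicts=("ALLOWED",) lists what enforce mode would have blocked.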


