[Pkg-privacy-maintainers] Bug#819409: jessie-pu: package: torbrowser-launcher/0.1.9-1+deb8u3

Holger Levsen holger at layer-acht.org
Mon Mar 28 06:04:55 UTC 2016


package: release.debian.org
tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu
x-debbugs-cc: pkg-privacy-maintainers at lists.alioth.debian.org

Dear release team,

(this mail is probably more complicated than the changes proposed…)

please accept torbrowser-launcher 0.1.9-1+deb8u3 into the upcoming point
release to prevent breakage when www.tor-project.org changes its ssl
certificate (which is valid until May 3rd 2016, so this is very likely to
happen between the coming point release and the one after…).
The patches addressing this issue are 0012, 0012a and 0014.
Patch 0012a just disables the certificate checking code, the upstream
solution (present in stretch and sid) actually removes the related code,
but as the code has changed quite a bit since then I felt this was safer
this way.
Patch 0012 adds a safeguard against replay attacks (where old versions
with valid gpg signatures are presented by an attacker controlling the
download host for torbrowser itself) and patch 0014 is an improvement for
0012.
(The github issue referenced in debian/changelog explains this in even
more detail if you are interested.)

0011 is not strictly needed but very nice to have and a simple oneliner.

0013 prevents a gpg signature verification attack (and is a one line
change too.)

https://jenkins.debian.net/view/torbrowser/job/torbrowser-launcher_test_on_jessie_amd64_from_git_branch_debian_jessie_proposed/5
successfully shows this version being used.

 * Add these patches backported from 0.2.3-1 and 0.2.4-1:
   - 0011-Fix-issue-with-detecting-language-fixes-220.patch
     to fix issue with detecting language (Closes: #753173)
   - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
   - 0012a-Remove-certificate-pinning--github-issue-224.patch 
     to avoid issues with upcoming certificate change, thus the minimum
     Tor Browser version was hard-coded in the release (Closes: #811499)
     For more info on patch 0012 and 0012a see
     https://github.com/micahflee/torbrowser-launcher/issues/229
   - 0013-Prevent-signature-verification-attack-by-passing-bot.patch
     fixing CVE-2016-3180, for more info see
     https://github.com/micahflee/torbrowser-launcher/issues/229
   - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
     This is an improvement for patch 0012.
   - 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to
     0.1.9+deb8u3
     in share/torbrowser-launcher/version.

The full debdiff compared to the version in stable is attached.

Thanks for your work on stable! (And apologies for not uploading
earlier, I got drafted into an unexpected lot of dc17 work (no typo)…)


-- 
cheers,
	Holger
-------------- next part --------------
diff -Nru torbrowser-launcher-0.1.9/debian/changelog torbrowser-launcher-0.1.9/debian/changelog
--- torbrowser-launcher-0.1.9/debian/changelog	2016-01-16 07:55:58.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/changelog	2016-03-28 01:33:06.000000000 -0400
@@ -1,3 +1,24 @@
+torbrowser-launcher (0.1.9-1+deb8u3) jessie; urgency=medium
+
+  * Add these patches backported from 0.2.3-1 and 0.2.4-1:
+    - 0011-Fix-issue-with-detecting-language-fixes-220.patch
+      to fix issue with detecting language (Closes: #753173)
+    - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
+    - 0012a-Remove-certificate-pinning--github-issue-224.patch 
+      to avoid issues with upcoming certificate change, thus the minimum
+      Tor Browser version was hard-coded in the release (Closes: #811499)
+      For more info on patch 0012 and 0012a see
+      https://github.com/micahflee/torbrowser-launcher/issues/229
+    - 0013-Prevent-signature-verification-attack-by-passing-bot.patch
+      fixing CVE-2016-3180, for more info see
+      https://github.com/micahflee/torbrowser-launcher/issues/229
+    - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
+      This is an improvement for patch 0012.
+    - 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to 0.1.9+deb8u3
+      in share/torbrowser-launcher/version.
+
+ -- Holger Levsen <holger at debian.org>  Mon, 28 Mar 2016 01:33:03 -0400
+
 torbrowser-launcher (0.1.9-1+deb8u2) jessie; urgency=medium
 
   * Dedicated to the memory of Ian Murdock.
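Review bot: the bullet `- 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch` has no description of its own, so the clause under 0012a ("thus the minimum Tor Browser version was hard-coded in the release") reads as if it belonged to the certificate change; give 0012 its own line (e.g. "refuse to launch a Tor Browser older than a hard-coded minimum version, so an attacker controlling the download host cannot serve an old, validly signed release") and mention that this minimum will need bumping in future stable updates. Also the 0012a file name refers to github issue 224 while the "For more info" link under it points at issue 229; confirm which issue is meant.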
diff -Nru torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch
--- torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch	1969-12-31 19:00:00.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch	2016-03-27 17:27:25.000000000 -0400
@@ -0,0 +1,25 @@
+From 7c896725304574052f3320d253c9c17c9794cd57 Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Tue, 1 Mar 2016 13:14:15 +0100
+Subject: [PATCH] Fix issue with detecting language (fixes #220)
+
+---
+ torbrowser_launcher/common.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torbrowser_launcher/common.py b/torbrowser_launcher/common.py
+index 74c4ddf..1eddb54 100644
+--- a/torbrowser_launcher/common.py
++++ b/torbrowser_launcher/common.py
+@@ -71,7 +71,7 @@ class Common:
+ 
+         # figure out the language
+         available_languages = ['en-US', 'ar', 'de', 'es-ES', 'fa', 'fr', 'it', 'ko', 'nl', 'pl', 'pt-PT', 'ru', 'vi', 'zh-CN']
+-        default_locale = locale.getdefaultlocale()[0]
++        default_locale = locale.getlocale(locale.LC_MESSAGES)[0]
+         if default_locale is None:
+             self.language = 'en-US'
+         else:
+-- 
+2.1.4
+
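Review bot: `locale.getlocale(locale.LC_MESSAGES)[0]` only reflects what `locale.setlocale()` was called with earlier, which is not visible in this hunk; if the jessie code never calls setlocale for LC_MESSAGES the result is (None, None) and the language silently falls back to 'en-US', so confirm the setlocale call is present in the jessie common.py. Separately, getlocale raises ValueError for a locale name it cannot parse rather than returning None, so the `if default_locale is None` check does not cover that case; wrapping the call in try/except ValueError and falling back to 'en-US' would avoid a crash at startup on an odd LC_MESSAGES value.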
diff -Nru torbrowser-launcher-0.1.9/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch torbrowser-launcher-0.1.9/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
--- torbrowser-launcher-0.1.9/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch	1969-12-31 19:00:00.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch	2016-03-27 17:27:25.000000000 -0400
@@ -0,0 +1,90 @@
+From a8d1e803798251e051dcf41d9c8a1b2e00710a0c Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Tue, 1 Mar 2016 17:37:00 +0100
+Subject: [PATCH] Fail to launch Tor Browser if its version is earlier than the
+ minimum version (#224)
+
+---
+ torbrowser_launcher/launcher.py | 37 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index 37047a1..9815e84 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -70,6 +70,9 @@
+         self.common = common
+         self.url_list = url_list
+ 
++        # this is the current version of Tor Browser, which should get updated with every release
++        self.min_version = '5.5.2'
++
+         # init launcher
+         self.set_gui(None, '', [])
+         self.launch_gui = True
+@@ -120,7 +123,11 @@
+             self.start_launcher()
+ 
+         if self.launch_gui:
+-            # set up the window
++            # build the rest of the UI
++            self.build_ui()
++
++    def configure_window(self):
++        if not hasattr(self, 'window'):
+             self.window = gtk.Window(gtk.WINDOW_TOPLEVEL)
+             self.window.set_title(_("Tor Browser"))
+             self.window.set_icon_from_file(self.common.paths['icon_file'])
+@@ -129,9 +136,6 @@
+             self.window.connect("delete_event", self.delete_event)
+             self.window.connect("destroy", self.destroy)
+ 
+-            # build the rest of the UI
+-            self.build_ui()
+-
+     # download or run TBB
+     def start_launcher(self):
+         # is TBB already installed?
+@@ -201,6 +205,7 @@
+         self.clear_ui()
+ 
+         self.box = gtk.VBox(False, 20)
++        self.configure_window()
+         self.window.add(self.box)
+ 
+         if 'error' in self.gui:
+@@ -587,7 +592,31 @@
+ 
+         self.run_task()
+ 
++    def check_min_version(self):
++        installed_version = None
++        for line in open(self.common.paths['tbb']['versions']).readlines():
++            if line.startswith('TORBROWSER_VERSION='):
++                installed_version = line.split('=')[1].strip()
++                break
++
++        if self.min_version <= installed_version:
++            return True
++
++        return False
++
+     def run(self, run_next_task=True):
++        # don't run if it isn't at least the minimum version
++        if not self.check_min_version():
++            message =  _("The version of Tor Browser you have installed is earlier than it should be, which could be a sign of an attack!")
++            print message
++
++            md = gtk.MessageDialog(None, gtk.DIALOG_DESTROY_WITH_PARENT, gtk.MESSAGE_WARNING, gtk.BUTTONS_CLOSE, _(message))
++            md.set_position(gtk.WIN_POS_CENTER)
++            md.run()
++            md.destroy()
++
++            return
++
+         # play modem sound?
+         if self.common.settings['modem_sound']:
+             def play_modem_sound():
+-- 
+2.1.4
+
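Review bot: `if self.min_version <= installed_version:` in check_min_version compares version strings lexicographically, so '5.10.0' sorts below '5.5.2' and a legitimately newer Tor Browser would be refused with the "could be a sign of an attack" dialog; compare component-wise (split on '.' and convert to int, or use `distutils.version.LooseVersion`) instead. The same function returns False when no `TORBROWSER_VERSION=` line is found (installed_version stays None, and on Python 2 a str compared with None is never <=), which is a safe default but shows the attack warning for a merely missing or truncated versions file; a distinct message would help users. Minor: the file from `open(self.common.paths['tbb']['versions']).readlines()` is never closed, and `_(message)` in the MessageDialog re-translates a string that was already passed through `_()`.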
diff -Nru torbrowser-launcher-0.1.9/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch torbrowser-launcher-0.1.9/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch
--- torbrowser-launcher-0.1.9/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch	1969-12-31 19:00:00.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/0012a-Remove-certificate-pinning--github-issue-224.patch	2016-03-27 17:27:25.000000000 -0400
@@ -0,0 +1,30 @@
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index 633c758..a108c3b 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -460,15 +460,17 @@ class Launcher:
+             torEndpoint = TCP4ClientEndpoint(reactor, '127.0.0.1', 9050)
+ 
+             # default mirror gets certificate pinning, only for requests that use the mirror
+-            if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
+-                agent = SOCKS5Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']), proxyEndpoint=torEndpoint)
+-            else:
+-                agent = SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)
++            #### disable cert pinning the ugly way as the code has changed too much to do it cleanly in jessie
++            #### see https://github.com/micahflee/torbrowser-launcher/issues/224 for an explaination why this was done
++            ###if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
++            ###    agent = SOCKS5Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']), proxyEndpoint=torEndpoint)
++            ###else:
++            agent = SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)
+         else:
+-            if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
+-                agent = Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']))
+-            else:
+-                agent = Agent(reactor)
++            ###if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
++            ###    agent = Agent(reactor, VerifyTorProjectCert(self.common.paths['torproject_pem']))
++            ###else:
++            agent = Agent(reactor)
+ 
+         # actually, agent needs to follow redirect
+         agent = RedirectAgent(agent)
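Review bot: this patch has no DEP-3 header (Description, Origin, Bug), unlike the others in the set; add one stating that pinning to `torproject_pem` is disabled because the pinned certificate expires and upstream removed the code in a later release, so the next maintainer knows the `###if self.common.settings['mirror'] == ...` block is intentionally dead rather than a leftover. The security consequence is worth spelling out in that header too: with pinning gone, authenticity of a tarball fetched from the default mirror rests on the default TLS handling of `Agent(reactor)` / `SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)` plus the gpg check, which makes 0013 a hard prerequisite of this change. Also "explaination" in the comment should be "explanation".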
diff -Nru torbrowser-launcher-0.1.9/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch torbrowser-launcher-0.1.9/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch
--- torbrowser-launcher-0.1.9/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch	1969-12-31 19:00:00.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/0013-Prevent-signature-verification-attack-by-passing-bot.patch	2016-03-27 17:27:25.000000000 -0400
@@ -0,0 +1,26 @@
+From e5d3cbb0a3295bff6300797afe840226f4f56397 Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Sun, 13 Mar 2016 14:51:08 -0700
+Subject: [PATCH] Prevent signature verification attack by passing both data
+ file as well as sig file into gpg (fixes #229)
+
+---
+ torbrowser_launcher/launcher.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
+index d250a6e..442c6f4 100644
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -447,7 +447,7 @@ class Launcher:
+         # verify the PGP signature
+         verified = False
+         FNULL = open(os.devnull, 'w')
+-        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file']], stdout=FNULL, stderr=subprocess.STDOUT)
++        p = subprocess.Popen(['/usr/bin/gpg', '--homedir', self.common.paths['gnupg_homedir'], '--verify', self.common.paths['sig_file'], self.common.paths['tarball_file']], stdout=FNULL, stderr=subprocess.STDOUT)
+         self.pulse_until_process_exits(p)
+         if p.returncode == 0:
+             verified = True
+-- 
+2.1.4
+
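Review bot: passing `self.common.paths['sig_file']` followed by `self.common.paths['tarball_file']` is the documented detached-signature form (`gpg --verify sigfile datafile`); with only the sig file given, gpg chose the data to check itself, which is what this fix closes. Two points on the surrounding lines: stdout and stderr both go to FNULL, so a failed verification leaves nothing in the logs to diagnose (capture stderr and print it when `p.returncode` is non-zero), and a return code of 0 means a good signature from any key in `gnupg_homedir`; the keyring contents are not part of this diff but are what "verified = True" actually asserts.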
diff -Nru torbrowser-launcher-0.1.9/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch torbrowser-launcher-0.1.9/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
--- torbrowser-launcher-0.1.9/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch	1969-12-31 19:00:00.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/0014-Prevent-attempts-at-directory-traversal-attacks-even.patch	2016-03-27 17:27:25.000000000 -0400
@@ -0,0 +1,28 @@
+From 7f9f55b9e33fdc6dbd6ca20a83027bc042f7dcdb Mon Sep 17 00:00:00 2001
+From: Micah Lee <micah at micahflee.com>
+Date: Sun, 13 Mar 2016 14:56:42 -0700
+Subject: [PATCH] Prevent attempts at directory traversal attacks, even though
+ they do not look exploitable
+
+---
+ torbrowser_launcher/launcher.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/torbrowser_launcher/launcher.py
++++ b/torbrowser_launcher/launcher.py
+@@ -502,7 +502,14 @@
+         tree = ET.parse(self.common.paths['update_check_file'])
+         for up in tree.getroot():
+             if up.tag == 'update' and up.attrib['appVersion']:
+-                return up.attrib['appVersion']
++                version = str(up.attrib['appVersion'])
++
++                # make sure the version does not contain directory traversal attempts
++                # e.g. "5.5.3", "6.0a", "6.0a-hardned" are valid but "../../../../.." is invalid
++                if not re.match(r'^[a-z0-9\.\-]+$', version):
++                    return None
++
++                return version
+         return None
+ 
+     def attempt_update(self):
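Review bot: `re.match(r'^[a-z0-9\.\-]+$', version)` needs `import re` in launcher.py and neither this hunk nor the 0012 backport adds it, so confirm the jessie launcher.py already imports re, otherwise the first update check raises NameError instead of returning None. Also `$` in Python matches before a trailing newline, so `\Z` is the stricter anchor, and the class rejects uppercase letters, which is fine as long as no appVersion ever contains them (the examples in the comment are all lowercase). Unlike the other patches this one has no `diff --git`/`index` lines, harmless for quilt but worth making consistent.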
diff -Nru torbrowser-launcher-0.1.9/debian/patches/0099-Bump-version-to-0.1.9-deb8u3.patch torbrowser-launcher-0.1.9/debian/patches/0099-Bump-version-to-0.1.9-deb8u3.patch
--- torbrowser-launcher-0.1.9/debian/patches/0099-Bump-version-to-0.1.9-deb8u3.patch	1969-12-31 19:00:00.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/0099-Bump-version-to-0.1.9-deb8u3.patch	2016-03-27 17:27:25.000000000 -0400
@@ -0,0 +1,20 @@
+From b2b52fe240d26ae6d942ec5ab23d99405149da88 Mon Sep 17 00:00:00 2001
+From: Holger Levsen <holger at layer-acht.org>
+Date: Mon, 18 Jan 2016 14:17:09 +0100
+Subject: [PATCH] Bump version to 0.1.9+deb8u3 in
+ share/torbrowser-launcher/version.
+
+---
+ share/torbrowser-launcher/version | 1 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/share/torbrowser-launcher/version b/share/torbrowser-launcher/version
+index 1a03094..b735454 100644
+--- a/share/torbrowser-launcher/version
++++ b/share/torbrowser-launcher/version
+@@ -1 +1 @@
+-0.1.9
++0.1.9+deb8u3
+-- 
+1.9.1
+
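Review bot: the diffstat in the patch header, `share/torbrowser-launcher/version | 1 +-` and `1 files changed, 1 insertions(+), 1 deletion(-)`, is inconsistent with the hunk (a one-line replacement is `2 +-`, and "files"/"insertions" should be singular); quilt ignores the stat, so this is cosmetic, but the header is hand-edited for each deb8uN bump and easy to tidy. The Date line (Mon, 18 Jan 2016) also predates the rest of this upload (27/28 Mar 2016); refresh it when editing the header.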
diff -Nru torbrowser-launcher-0.1.9/debian/patches/series torbrowser-launcher-0.1.9/debian/patches/series
--- torbrowser-launcher-0.1.9/debian/patches/series	2016-01-16 07:31:12.000000000 -0500
+++ torbrowser-launcher-0.1.9/debian/patches/series	2016-03-28 01:22:48.000000000 -0400
@@ -8,3 +8,10 @@
 0008-Eek-removed-testing-code-that-never-should-have-been.patch
 0009-Force-download-URLs-to-be-strings-and-not-unicode-20.patch
 0010-Only-convert-unicode-URLs-to-strings-if-they-are-act.patch
+0011-Fix-issue-with-detecting-language-fixes-220.patch
+0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
+0013-Prevent-signature-verification-attack-by-passing-bot.patch
+0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
+0012a-Remove-certificate-pinning--github-issue-224.patch
+0099-Bump-version-to-0.1.9-deb8u3.patch
+
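Review bot: 0012a is listed after 0014 rather than directly after 0012, and the series gains a trailing empty line (the lone `+`). If the ordering is deliberate because 0012a's hunk context (`@@ -460,15 +460,17 @@ class Launcher:`) was generated on top of 0013 and 0014, say so in the patch header or renumber it 0015 so file order and numbering agree; either way drop the blank line.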
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-privacy-maintainers/attachments/20160328/b1866d7e/attachment.sig>
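An added example, not part of this mail or of torbrowser-launcher itself: a Python 3 minimum-version gate that does what patch 0012's check_min_version intends, but compares version components numerically rather than as strings, and applies patch 0014's character whitelist before parsing. Function names and the sample versions file are my own; the `TORBROWSER_VERSION=` line format is the one the patch reads.

```python
import re

# Added example, not torbrowser-launcher's own code: a minimum-version gate
# for the TORBROWSER_VERSION= line that patch 0012 reads, compared
# component-wise instead of as strings, plus patch 0014's character whitelist.

# Same alphabet as patch 0014's regex, anchored with \Z so a trailing newline
# cannot slip past the check.
SAFE_VERSION_RE = re.compile(r'\A[a-z0-9.\-]+\Z')
# Shapes seen in Tor Browser versions: "5.5.2", "6.0a1", "6.0a1-hardened".
VERSION_SHAPE_RE = re.compile(r'\A(\d+(?:\.\d+)*)(?:a(\d*))?\Z')


def parse_version(version):
    """Turn a Tor Browser version string into a tuple that sorts correctly.

    Raises ValueError for anything outside the whitelist or shape above,
    so path-like junk such as '../../..' never reaches a comparison.
    """
    if not SAFE_VERSION_RE.match(version):
        raise ValueError('unsafe version string: %r' % (version,))
    base = version.split('-', 1)[0]           # drop '-hardened' style suffix
    m = VERSION_SHAPE_RE.match(base)
    if m is None:
        raise ValueError('unrecognised version shape: %r' % (version,))
    nums = tuple(int(x) for x in m.group(1).split('.'))
    nums += (0,) * (3 - len(nums))            # '6.0' == '6.0.0'
    # An alpha sorts below the final release carrying the same number.
    tag = (1, 0) if m.group(2) is None else (0, int(m.group(2) or 0))
    return nums, tag


def installed_version(versions_text):
    """Extract TORBROWSER_VERSION=... from the contents of the versions file."""
    for line in versions_text.splitlines():
        if line.startswith('TORBROWSER_VERSION='):
            return line.split('=', 1)[1].strip()
    return None


def meets_minimum(versions_text, min_version):
    """True only if an installed version is present, well-formed and >= minimum."""
    installed = installed_version(versions_text)
    if installed is None:
        return False   # missing line: refuse to launch, as the patch does
    try:
        return parse_version(installed) >= parse_version(min_version)
    except ValueError:
        return False   # malformed or path-like version: refuse to launch


def string_compare_passes(installed, min_version):
    """The lexicographic test from patch 0012, kept to show where it fails."""
    return min_version <= installed


# Constructed sample of a versions file as patch 0012 reads it.
SAMPLE_VERSIONS = 'TORBROWSER_VERSION=5.10.0\nSOMETHING_ELSE=1\n'
```

With the sample above, `string_compare_passes('5.10.0', '5.5.2')` is False while `meets_minimum(SAMPLE_VERSIONS, '5.5.2')` is True, which is the mis-ordering a plain string comparison introduces.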