

Untitled
Posted by Anonymous on Thu 22nd Mar 2012 19:43

  1. ####################################################################
  2.          Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
  3.                          *** NEVER FORGET ***
  4. ####################################################################
  5. - http://seclists.org/bugtraq/2012/Mar/85
  6. - http://www.securityfocus.com/archive/1/522003/30/0/threaded
  7. ####################################################################
  8. "There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
  9. like domain names to a file in the root of the browser bundle."
  10.  
  11. https://trac.torproject.org/projects/tor/ticket/5417
  12.  
  13. Ticket #5417 (new defect)
  14.  
  15. RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on
  16.  
  17. Reported by: cypherpunks
  18. Priority: critical
  19. Component: Tor bundles/installation
  20.  
  21. Description
  22.  
  23. TBB starts in debug mode regardless of whether the --debug switch is used or not. This is caused by a small bug on line 208 of
  24. RelativeLink.sh, where it says
  25.  
  26. if [ "${debug}" ];
  27.  
  28. where it should say
  29.  
  30. if [ "${debug}" == 1 ];
  31.  
  32. or
  33.  
  34. if [ ${debug} -eq 1 ];
  35.  
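Added illustration (not part of the ticket or of RelativeLink.sh) of why the quoted test is always true: `[ "string" ]` only checks that the string is non-empty. It assumes the script sets `debug` to `0` unless `--debug` is given, which the page does not show; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from RelativeLink.sh.

# The test as quoted from line 208: succeeds for ANY non-empty string,
# so a default of debug=0 still counts as "debug on".
debug_enabled_buggy() {
    debug=$1
    if [ "${debug}" ]; then return 0; fi
    return 1
}

# Numeric comparison as proposed in the ticket, guarded so that an empty
# or non-numeric value means "off" instead of raising a test(1) error.
debug_enabled_fixed() {
    debug=$1
    case "${debug}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${debug}" -eq 1 ]
}

# report VALUE -> one line comparing both checks for that value
report() {
    if debug_enabled_buggy "$1"; then b=on; else b=off; fi
    if debug_enabled_fixed "$1"; then f=on; else f=off; fi
    printf "debug='%s' buggy=%s fixed=%s\n" "$1" "$b" "$f"
}

# Constructed sample values: the assumed default, the --debug value,
# an empty value and a stray word.
for v in 0 1 "" no; do
    report "$v"
done
```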
  36. ####################################################################
  37. Thank you for the warning. I expected something like this to happen, given the last slip-up with a mistake in FF versions. This "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.
  38.  
  39. I hope no one in Iran, China, or other freedom-starved regions was screwed because of this.
  40.  
  41. I hope a fix is released and quickly.
  42.  
  43. These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.
  44.  
  45. It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.
  46.  
  47. A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.
  48.  
  49. With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.
  50.  
  51. I've also noticed FF crashing more often since the last few releases.
  52.  
  53. I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.
  54.  
  55. But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue?
  56.  
  57. Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!
  58.  
  59. ####################################################################
  60. Nick Mathewson
  61. Mon, 19 Mar 2012 09:40:43 -0700
  62.  
  63. It seems that a fix was merged yesterday: see
  64. https://trac.torproject.org/projects/tor/ticket/5417 and
  65. https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
  66. .
  67.  
  68. I bet there will be new TBBs out very soon.
  69.  
  70. In the meantime, Linux users should delete vidalia-debug-log and
  71. symlink it to /dev/null.  (Haven't tested that, but it should work:
  72.  
  73.   % ln -sf /dev/null /path/to/vidalia-debug-log
  74.   % ls -l /path/to/vidalia-debug-log
  75.  
  76.   lrwxr-xr-x  1 username  username  9 Mar 19 11:53 vidalia-debug-log
  77. -> /dev/null
  78. .)
  79.  
  80. IMO, this is a really good reason for us to move to getting enough
  81. automation done so we can have nightly TBB builds and catch this kind
  82. of thing *before* actual releases come out.
  83.  
  84. --
  85. Nick
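Added example, not from the message above: a check that the suggested workaround is actually in place for a given bundle directory, and a helper that applies it. The function names are hypothetical; the log is assumed to sit in the root of the bundle directory, as the Bugtraq quote describes.

```shell
#!/bin/sh
# Added example; check_debug_log and neutralise_debug_log are hypothetical names.

# Print the state of <bundle-dir>/vidalia-debug-log:
#   absent      - no log file yet (the debug bug may still create one)
#   neutralised - symlink to /dev/null, i.e. the workaround is in place
#   leaking     - regular file or other symlink that can hold logged data
check_debug_log() {
    log="$1/vidalia-debug-log"
    if [ -L "$log" ]; then
        if [ "$(readlink "$log")" = "/dev/null" ]; then
            echo neutralised
        else
            echo leaking
        fi
    elif [ -e "$log" ]; then
        echo leaking
    else
        echo absent
    fi
}

# Apply the workaround: delete the existing log, then symlink it to /dev/null.
# Succeeds only if the follow-up check confirms the result.
neutralise_debug_log() {
    [ -d "$1" ] || return 1
    log="$1/vidalia-debug-log"
    rm -f -- "$log"
    ln -sf /dev/null "$log"
    [ "$(check_debug_log "$1")" = neutralised ]
}

# Usage: sh thisfile /path/to/bundle   (prints the current state only)
if [ "$#" -gt 0 ]; then
    check_debug_log "$1"
fi
```

A result of `leaking` means the file may already contain logged domain names; the symlink only stops further writes.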
  86. ####################################################################
  87. Sebastian Hahn
  88. Tue, 20 Mar 2012 02:20:08 -0700
  89.  
  90. The bug in TBB is quite severe, and it is against its stated goals and
  91. design principles (one of which is leaving no/as few traces as
  92. possible on disk for later forensics). This bug was severe, it was fixed
  93. quickly, and hopefully nobody was impacted too much. Time to move on.
  94. ####################################################################
  95. Read and archive these also (to record history for this "EVIL bug"):
  96.  
  97. https://lists.torproject.org/pipermail/tor-commits/2012-March/040941.html
  98. https://lists.torproject.org/pipermail/tor-commits/2012-March/040942.html
  99. https://lists.torproject.org/pipermail/tor-commits/2012-March/040939.html
  100. https://lists.torproject.org/pipermail/tor-commits/2012-March/040945.html
  101. https://lists.torproject.org/pipermail/tor-commits/2012-March/040950.html
  102. https://lists.torproject.org/pipermail/tor-commits/2012-March/040952.html
  103. https://lists.torproject.org/pipermail/tor-commits/2012-March/040953.html
  104. https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
  105. https://lists.torproject.org/pipermail/tor-commits/2012-March/041037.html
  106. https://lists.torproject.org/pipermail/tor-commits/2012-March/041038.html
  107. https://lists.torproject.org/pipermail/tor-commits/2012-March/041039.html
  108. https://lists.torproject.org/pipermail/tor-commits/2012-March/041040.html
  109. https://lists.torproject.org/pipermail/tor-commits/2012-March/041043.html
  110. https://lists.torproject.org/pipermail/tor-commits/2012-March/041056.html
  111. ####################################################################
  112. History won't recall this bug and the severity of it unless you
  113. archive this information and the information at the links issued
  114. above.
  115.  
  116. *** NEVER FORGET ***
