By: Anon
Note* Anon exposes concerns about the security of Tor, and points us towards email exchanges concerning a Linux bug which log things like domain names to a file in the root of the browser bundle." This will effectively provide a road map of the sites the unsuspecting Tor user
has visited..
####################################################################
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
####################################################################
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/ ... 0/threaded
####################################################################
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."
https://trac.torproject.org/projects/tor/ticket/5417
Ticket #5417 (new defect)
RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on
Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation
Description
TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says
if [ "${debug}" ];
where it should say
if [ "${debug}" == 1];
or
if [ ${debug} -eq 1 ];
####################################################################
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.
I hope no one in Iran, China, or other freedom starved regions were screwed because of this.
I hope a fix is released and quickly.
These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.
It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.
A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.
With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.
I've also noticed FF crashing more often since the last few releases.
I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.
But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.
Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!
####################################################################
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700
It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/ ... 41036.html
.
I bet there will be new TBBs out very soon.
In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:
% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vidalia-debug-log
lrwxr-xr-x 1 username username 9 Mar 19 11:53 vidalia-debug-log
-> /dev/null
.)
IMO, this is a really good reason for us to move to getting enough
automation done so we can have nightly TBB builds and catch this kind
of thing *before* actual releases come out.
-- Nick #################################################################### Sebastian Hahn Tue, 20 Mar 2012 02:20:08 -0700 The bug in TBB is quite severe, and it is against its stated goals and design principles (one of which is leaving no/as little traces as possible on disk for later forensics). This bug was severe, it was fixed quickly, and hopefully nobody was impacted too much. Time to move on. #################################################################### Read and archive these also (to record history for this "EVIL bug": https://lists.torproject.org/pipermail/ ... 40941.html https://lists.torproject.org/pipermail/ ... 40942.html https://lists.torproject.org/pipermail/ ... 40939.html https://lists.torproject.org/pipermail/ ... 40945.html https://lists.torproject.org/pipermail/ ... 40950.html https://lists.torproject.org/pipermail/ ... 40952.html https://lists.torproject.org/pipermail/ ... 40953.html https://lists.torproject.org/pipermail/ ... 41036.html https://lists.torproject.org/pipermail/ ... 41037.html https://lists.torproject.org/pipermail/ ... 41038.html https://lists.torproject.org/pipermail/ ... 41039.html https://lists.torproject.org/pipermail/ ... 41040.html https://lists.torproject.org/pipermail/ ... 41043.html https://lists.torproject.org/pipermail/ ... 41056.html #################################################################### History won't recall this bug and the severity of it unless you archive this information and the information at the links issued above.
eof
Alan Taylor
PGPBOARD Administrator
London, England