[Pkg-anonymity-tools] Bug#797339: torbrowser-launcher: assumes a hard-coded (and insecure) SOCKS port

Michael Gold michael at bitplane.org
Sat Aug 29 16:55:28 UTC 2015


Package: torbrowser-launcher
Version: 0.2.0-2

After installing the torbrowser-launcher package and running the program
without any arguments, I immediately saw a "connection refused" error.
Code inspection reveals that the launcher assumes there's a SOCKS server
at 127.0.0.1:9050 that connects to the Tor network.

It is inappropriate to assume Tor is running on this port, as any local
user could be running a service there (Debian bug #797335), possibly to
interfere with torbrowser-launcher.  Assuming the https connection is
secure, this would only be a denial of service or an information leak.

torbrowser-launcher should allow the user to select an alternate TCP or
Unix-domain SOCKS address, and shouldn't connect to an unprivileged one
without confirmation.

- Michael


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages torbrowser-launcher depends on:
ii  gnupg            1.4.19-5
ii  python           2.7.9-1
ii  python-gtk2      2.24.0-4
ii  python-lzma      0.5.3-3
ii  python-parsley   1.2-1
ii  python-psutil    2.2.1-3
ii  python-twisted   15.2.1-1
ii  python-txsocksx  1.15.0.2-1
ii  tor              0.2.6.10-1
ii  wmctrl           1.07-7

torbrowser-launcher recommends no packages.

Versions of packages torbrowser-launcher suggests:
pn  apparmor       <none>
pn  python-pygame  <none>

-- no debconf information
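The mitigation the report asks for (a user-selectable TCP or Unix-domain SOCKS address, and no silent connection to an endpoint an unprivileged user could have set up) can be expressed as a small policy check. The following is an added illustration written for this page, not code from torbrowser-launcher or Debian; the function names `parse_socks_endpoint`, `needs_confirmation` and `fake_stat` and the `tcp:`/`unix:` spec syntax are assumptions chosen here. A TCP port below 1024 can only have been bound by root, and a Unix socket whose owner is a trusted uid can only have been created by that account, so those are the cases the launcher could use without prompting; everything else (including the hard-coded 127.0.0.1:9050) would be flagged for confirmation.

```python
# Added example for this bug report, not torbrowser-launcher's own code.
# Classifies a SOCKS endpoint as "safe to use without confirmation" or not,
# following the reasoning in the report: an unprivileged local TCP port
# (such as 9050) could be bound by any local user, a privileged port or a
# root-owned Unix socket could not.
import os
import stat
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Callable, Optional, Tuple

LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


@dataclass(frozen=True)
class SocksEndpoint:
    kind: str               # "tcp" or "unix"
    host: Optional[str]     # TCP only
    port: Optional[int]     # TCP only
    path: Optional[str]     # Unix only


def parse_socks_endpoint(spec: str) -> SocksEndpoint:
    """Parse 'tcp:HOST:PORT', 'HOST:PORT', 'unix:/path' or '/abs/path' (assumed syntax)."""
    if spec.startswith("unix:"):
        return SocksEndpoint("unix", None, None, spec[len("unix:"):])
    if spec.startswith("/"):
        return SocksEndpoint("unix", None, None, spec)
    if spec.startswith("tcp:"):
        spec = spec[len("tcp:"):]
    host, sep, port_text = spec.rpartition(":")
    if not sep or not host:
        raise ValueError("malformed SOCKS endpoint: %r" % spec)
    host = host.strip("[]")          # allow [::1]:9050
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return SocksEndpoint("tcp", host, port, None)


def needs_confirmation(ep: SocksEndpoint,
                       stat_fn: Callable[[str], object] = os.stat,
                       trusted_uids: Tuple[int, ...] = (0,)) -> Tuple[bool, str]:
    """Return (needs_confirmation, reason). stat_fn is injectable for testing."""
    if ep.kind == "tcp":
        if ep.host not in LOOPBACK_HOSTS:
            return True, "non-loopback SOCKS host: traffic would leave this machine"
        if ep.port < 1024:
            return False, "privileged port %d: only root could have bound it" % ep.port
        return True, "unprivileged port %d: any local user could be listening" % ep.port
    # Unix-domain socket: trust is decided by who owns the socket file.
    try:
        st = stat_fn(ep.path)
    except FileNotFoundError:
        return True, "socket path %s does not exist" % ep.path
    if not stat.S_ISSOCK(st.st_mode):
        return True, "%s is not a socket" % ep.path
    if st.st_uid not in trusted_uids:
        return True, "socket owned by uid %d, not a trusted service account" % st.st_uid
    return False, "unix socket owned by trusted uid %d" % st.st_uid


def fake_stat(uid: int, is_socket: bool = True) -> Callable[[str], object]:
    """Constructed stand-in for os.stat so the check can be exercised offline."""
    mode = (stat.S_IFSOCK if is_socket else stat.S_IFREG) | 0o666
    return lambda path: SimpleNamespace(st_mode=mode, st_uid=uid)


if __name__ == "__main__":
    for spec in ("127.0.0.1:9050", "tcp:127.0.0.1:443", "unix:/run/tor/socks"):
        ep = parse_socks_endpoint(spec)
        # The constructed stat makes the unix case look root-owned for the demo.
        ask, why = needs_confirmation(ep, stat_fn=fake_stat(0))
        print("%-22s confirm=%-5s %s" % (spec, ask, why))
```

With the real `os.stat` the Unix-socket branch inspects the actual file, so the launcher could still accept a socket created by the `tor` service account by passing its uid in `trusted_uids`; the default only trusts root.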