[Pkg-anonymity-tools] Bug#797339: torbrowser-launcher: assumes a hard-coded (and insecure) SOCKS port
Michael Gold
michael at bitplane.org
Sat Aug 29 16:55:28 UTC 2015
Package: torbrowser-launcher
Version: 0.2.0-2
After installing the torbrowser-launcher package and running the program
without any arguments, I immediately saw a "connection refused" error.
Code inspection reveals that the launcher assumes there's a SOCKS server
at 127.0.0.1:9050 that connects to the Tor network.
It is inappropriate to assume Tor is running on this port, as any local
user could be running a service there (Debian bug #797335), possibly to
interfere with torbrowser-launcher. Assuming the https connection is
secure, this would only be a denial of service or an information leak.
torbrowser-launcher should allow the user to select an alternate TCP or
Unix-domain SOCKS address, and shouldn't connect to an unprivileged one
without confirmation.
- Michael
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64
Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages torbrowser-launcher depends on:
ii gnupg 1.4.19-5
ii python 2.7.9-1
ii python-gtk2 2.24.0-4
ii python-lzma 0.5.3-3
ii python-parsley 1.2-1
ii python-psutil 2.2.1-3
ii python-twisted 15.2.1-1
ii python-txsocksx 1.15.0.2-1
ii tor 0.2.6.10-1
ii wmctrl 1.07-7
torbrowser-launcher recommends no packages.
Versions of packages torbrowser-launcher suggests:
pn apparmor <none>
pn python-pygame <none>
-- no debconf information
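A defender-side check for the assumption the report above describes, added here as an example that is not part of the bug report or of torbrowser-launcher itself: it parses the kernel's /proc/net/tcp table to find who owns the LISTEN socket on 127.0.0.1:9050 and treats the port as Tor's only when the owner is a trusted uid. The sample table rows, the uid 106 standing in for debian-tor, and the 1000 for an ordinary user are constructed values; the address encoding assumes a little-endian host.

```python
"""Verify the owner of the local SOCKS listener before trusting it."""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

def proc_addr(host, port):
    """Encode host:port as /proc/net/tcp prints it: little-endian hex IPv4, hex port."""
    ip_le = struct.unpack("<I", socket.inet_aton(host))[0]
    return "%08X:%04X" % (ip_le, port)

def listener_uids(proc_net_tcp, host, port):
    """Return the uids of every LISTEN socket bound exactly to host:port."""
    wanted = proc_addr(host, port)
    uids = []
    for line in proc_net_tcp.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        # columns: sl local rem st tx_queue:rx_queue tr:tm->when retrnsmt uid ...
        if len(fields) >= 8 and fields[1] == wanted and fields[3] == TCP_LISTEN:
            uids.append(int(fields[7]))
    return uids

def socks_port_trusted(proc_net_tcp, trusted_uids, host=TOR_SOCKS[0], port=TOR_SOCKS[1]):
    """True only if exactly one listener is bound to the SOCKS address and its
    owner is a trusted uid (root or the Tor daemon's account). No listener means
    the launcher would get 'connection refused'; an untrusted owner means an
    unprivileged local user is holding the port the launcher assumes is Tor's."""
    uids = listener_uids(proc_net_tcp, host, port)
    return len(uids) == 1 and uids[0] in trusted_uids

def check_live_host(trusted_uids):
    """Run the check against the real table (Linux only); None if unreadable."""
    try:
        with open("/proc/net/tcp") as f:
            return socks_port_trusted(f.read(), trusted_uids)
    except OSError:
        return None

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
# Constructed sample: port 9050 held by the Tor daemon (uid 106 stands in for debian-tor).
SAMPLE_TOR = HEADER + "   0: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12345 1 0 100 0 0 10 0\n"
# Constructed sample: the same port bound by an ordinary local user (uid 1000).
SAMPLE_SQUATTED = HEADER + "   0: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0 100 0 0 10 0\n"

if __name__ == "__main__":
    print("tor sample trusted:", socks_port_trusted(SAMPLE_TOR, {0, 106}))
    print("squatted sample trusted:", socks_port_trusted(SAMPLE_SQUATTED, {0, 106}))
```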