[Secure-testing-team] Bug#783579: epiphany-browser: leaks DNS queries when used with Tor
Christoph Anton Mitterer
calestyo at scientia.net
Tue Apr 28 04:26:53 UTC 2015
Package: epiphany-browser
Version: 3.14.1-1
Severity: grave
Tags: security
Hi.

Apparently it seems that even when configured to use Tor as proxy,
epiphany is so "smart" as to send DNS queries directly to the wire,
thus making any effort of Tor useless.

Just check with wireshark and one can see it.

Marking this as grave so that people get notified about this
inadequacy... actually people in many countries who need to rely
on Tor, can get into severe troubles when their anonymity is compromised.

Chris.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages epiphany-browser depends on:
ii dbus-x11 1.8.16-1
ii epiphany-browser-data 3.14.1-1
ii gnome-icon-theme 3.12.0-1
ii gnome-icon-theme-symbolic 3.12.0-1
ii gsettings-desktop-schemas 3.14.1-1
ii iso-codes 3.57-1
ii libatk1.0-0 2.14.0-1
ii libavahi-client3 0.6.31-5
ii libavahi-common3 0.6.31-5
ii libavahi-gobject0 0.6.31-5
ii libc6 2.19-18
ii libcairo-gobject2 1.14.0-2.1
ii libcairo2 1.14.0-2.1
ii libgcr-base-3-1 3.14.0-2
ii libgcr-ui-3-1 3.14.0-2
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.42.1-1
ii libgnome-desktop-3-10 3.14.1-1
ii libgtk-3-0 3.14.5-1
ii libjavascriptcoregtk-4.0-18 2.6.2+dfsg1-4
ii libnotify4 0.7.6-2
ii libnspr4 2:4.10.8-1
ii libnspr4-0d 2:4.10.8-1
ii libnss3 2:3.17.2-1.1
ii libnss3-1d 2:3.17.2-1.1
ii libpango-1.0-0 1.36.8-3
ii libpangocairo-1.0-0 1.36.8-3
ii libsecret-1-0 0.18-1+b1
ii libsoup2.4-1 2.48.0-1
ii libsqlite3-0 3.8.7.4-1
ii libwebkit2gtk-4.0-37 2.6.2+dfsg1-4
ii libwnck-3-0 3.4.9-3
ii libx11-6 2:1.6.2-3
ii libxml2 2.9.2+dfsg1-3
ii libxslt1.1 1.1.28-2+b2
Versions of packages epiphany-browser recommends:
ii ca-certificates 20141019
ii evince 3.14.1-2
ii yelp 3.14.1-1
epiphany-browser suggests no packages.
-- no debconf information
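
The packet-capture check mentioned in the report can be scripted. The following is an added example, not part of the original bug report and not Epiphany or Tor code: it scans `tcpdump -n` text output, taken while the browser is configured to use the proxy, for DNS queries sent to a non-loopback resolver. The sample capture lines, the addresses and the name `find_dns_leaks` are constructed for illustration, and loopback port-53 traffic is assumed to be a local resolver.

```python
import ipaddress
import re

# One DNS query line as printed by `tcpdump -n`, for example:
# 04:26:50.2 IP 192.0.2.10.51234 > 192.0.2.1.53: 4660+ A? example.org. (29)
# Responses carry no "TYPE?" token, so they do not match.
QUERY_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"\d+[+%$*-]* (?:\[\w+\] )?(?P<qtype>\w+)\? (?P<qname>\S+)"
)

# Constructed sample capture (documentation addresses), not real traffic.
SAMPLE = """\
04:26:50.100001 IP 127.0.0.1.41000 > 127.0.0.1.9050: Flags [P.], seq 1:4, ack 1, win 342, length 3
04:26:50.200002 IP 192.0.2.10.51234 > 192.0.2.1.53: 4660+ A? example.org. (29)
04:26:50.200450 IP 192.0.2.10.51234 > 192.0.2.1.53: 4661+ AAAA? example.org. (29)
04:26:50.231007 IP 192.0.2.1.53 > 192.0.2.10.51234: 4660 1/0/0 A 203.0.113.7 (45)
04:26:51.000100 IP 127.0.0.1.40222 > 127.0.0.1.53: 77+ A? example.net. (29)
04:26:51.500300 IP6 2001:db8::10.40111 > 2001:db8::53.53: 9001+ [1au] A? example.com. (40)
""".splitlines()


def find_dns_leaks(lines):
    """Return (resolver, qtype, qname) for each DNS query leaving the host directly."""
    leaks = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        try:
            if ipaddress.ip_address(m["dst"]).is_loopback:
                continue  # assumed local resolver; its upstream queries show up separately
        except ValueError:
            pass  # non-numeric destination (capture taken without -n): report it anyway
        leaks.append((m["dst"], m["qtype"], m["qname"].rstrip(".")))
    return leaks


if __name__ == "__main__":
    for dst, qtype, qname in find_dns_leaks(SAMPLE):
        print(f"LEAK: {qtype} query for {qname} sent directly to {dst}")
```

An empty result on a capture taken during proxied browsing means no direct port-53 queries were seen on that interface; any entry names the hostname that was exposed to the resolver and to the local network.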