[tbb-bugs] #20772 [Applications/Tor Browser]: src="data:< ; base64 images rendered when "Show images"="Blocked"

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 4 04:06:48 UTC 2017 

#20772: src="data:<;base64 images rendered when "Show images"="Blocked"
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:5 cypherpunks]:
 > Active SVG exploits targetting TBB in the wild;
 https://blog.torproject.org/blog/tor-browser-607-released#comment-223692
 > Having an option to disable the image parser would allow mitigating
 future image bugs during the time between discovery and the time it's
 patched and users download the new version.
 >
 > This applies to TBB proper, not just the exceptionally understaffed
 derivatives (eg https://dev.guardianproject.info/issues/8039).
 It must be very annoying to people when a cypherpunks account undoes a
 priority/severity change that a Tor developer does just before because
 they disagree with it. Why does it have to happen all the time? On behalf
 of cypherpunks everywhere, I apologize.

 Anyway, regarding SVG, Tor Browser's ability to disable SVG is unrelated
 to its disabling of other images. Disabling SVG in fact disables the
 entire parser, such that data:// URIs will not be able to bypass it and
 render it anyway. Only "regular" images which do not have their own
 dedicated options for disabling are affected by this 11 year old issue,
 like PNG, JPEG, etc. Of course, 0days do exist for them, even ones which
 do not require heap spraying and other scripting techniques for exploit
 reliability...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20772#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list