[tbb-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 2 10:33:22 UTC 2019
#31383: OpenSSL CVE-2019-1552
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: closed
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution: invalid
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by gk):
* status: needs_information => closed
* resolution: => invalid
Comment:
Replying to [comment:16 boklm]:
> Replying to [comment:15 cypherpunks]:
> > > Hardcoding any path (like suggested with C:\Windows or a path below
> > > it in comment:6) like e.g. the curl devs did does not do the trick
> > > according to your line of reasoning.
> > How to teach OpenSSL to dance? Make it compatible with app-local
> > installation, no?
> > For Tor Browser, the best option is to disable everything related to
> > those paths as it doesn't use them. But you can change them to
> > `C:\Windows\Tor Browser` as a so-so workaround.
>
> Reading https://daniel.haxx.se/blog/2019/06/24/openssl-engine-code-injection-in-curl/
> it seems that the issue can happen when a program loads
> the openssl configuration file from the default path, which is done with
> the openssl function `CONF_modules_load_file`. However we don't call this
> function in tor, so it doesn't look like we are vulnerable to this issue.
Nice find! So, I think we are actually done here.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
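
The check described in comment:16 (does the code base call `CONF_modules_load_file`?), written out as an added example that is not part of the ticket or of tor's code. Only `CONF_modules_load_file` comes from the ticket; the other OpenSSL names in the list, the helper `find_config_loads` and the sample C source are assumptions made for this illustration.

```python
import re

# Names that make OpenSSL read its configuration file. Only
# CONF_modules_load_file appears in the ticket; the rest are OpenSSL API
# names added for this example.
CONFIG_LOADERS = ("CONF_modules_load_file", "OPENSSL_config",
                  "OPENSSL_add_all_algorithms_conf", "OPENSSL_INIT_LOAD_CONFIG")

# C comments, string literals and character literals, so that mentions in
# documentation or log messages are not reported as calls.
_NON_CODE = re.compile(
    r"/\*.*?\*/|//[^\n]*|\"(?:\\.|[^\"\\\n])*\"|'(?:\\.|[^'\\\n])+'", re.DOTALL)
_NAMES = re.compile(r"\b(%s)\b" % "|".join(CONFIG_LOADERS))

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_config_loads(source):
    """Return (line, name, default_path) for each reference in C source."""
    code = _NON_CODE.sub(_blank, source)
    hits = []
    for m in _NAMES.finditer(code):
        name, default_path = m.group(1), True
        if name == "CONF_modules_load_file":
            # A NULL first argument selects OpenSSL's default config file.
            arg = re.match(r"\s*\(\s*([^,)]*)", code[m.end():])
            default_path = bool(arg) and arg.group(1).strip() in ("NULL", "0")
        hits.append((code.count("\n", 0, m.start()) + 1, name, default_path))
    return hits

# Constructed sample input, not code from tor or Tor Browser.
SAMPLE = '''\
/* constructed sample, not code from tor or Tor Browser */
#include <openssl/conf.h>
// CONF_modules_load_file(NULL, NULL, 0); commented out
void init_a(void) { CONF_modules_load_file(NULL, NULL, 0); }
void init_b(void) { CONF_modules_load_file("app.cnf", "app", 0); }
void init_c(void) { OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); }
const char *doc = "call OPENSSL_config() to load openssl.cnf";
'''

if __name__ == "__main__":
    for line, name, default_path in find_config_loads(SAMPLE):
        print(f"line {line}: {name} default_path={default_path}")
```

An empty result supports the "we don't call this function" conclusion only for the sources scanned; linked libraries that initialise OpenSSL themselves need the same check.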