[tbb-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 28 13:59:47 UTC 2019
#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by gk):
Replying to [comment:13 cypherpunks]:
> >> Doh, looks like you see Windows for the first time :(
> > Actually, I do not, believe me.
> "Trust Me, I'm an Engineer" :) I know you do not, I say how it looks
> like. And your further questions just increase that feeling.
There is no need to drag this down onto a personal level and/or start
ad hominem arguments. I told you that on different occasions in different
tickets. Please stop.
> >> What do you say when you see `D:\Program Files`?
> > I was not really talking about that.
> About what? `D:\Program Files` instead of `C:\Program Files` on a user's
> machine, and the hole is still there.
> > I was curious why hardcoding *any* path, like `C:\Program Files` on a
> > Windows 64bit system, is a vulnerability and what would it be in that
> > case? That's how I read your comment at least.
> Hardcoding paths is a bad security practice (and not only security). Is
> this new for you?
So, how are we supposed to fix this bug without introducing new
vulnerabilities, in your opinion? Hardcoding any path (as suggested with
`C:\Windows` or a path below it in comment:6), as e.g. the `curl` devs did,
does not do the trick according to your line of reasoning.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online