[tor-bugs] #17895 [Applications/Tor Browser]: Tor Browser Bundle installer subject to DLL hijacking
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 21 22:06:15 UTC 2016
#17895: Tor Browser Bundle installer subject to DLL hijacking
-------------------------------------------------+-------------------------
Reporter: ericlaw                                | Owner: boklm
Type: defect                                     | Status: needs_review
Priority: High                                   | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Major                                  | Resolution:
Keywords: tbb-gitian, tbb-security,              | Actual Points:
  TorBrowserTeam201604R                          | Points:
Parent ID:                                       | Sponsor:
Reviewer:                                        |
-------------------------------------------------+-------------------------
Changes (by boklm):
* status: assigned => needs_review
* keywords: tbb-gitian, tbb-security, TorBrowserTeam201604 => tbb-gitian,
tbb-security, TorBrowserTeam201604R
Comment:
Replying to [comment:18 gk]:
>
> What we need here is:
> 1) Cross-compiling NSIS
The branch bug_17895 in my user repo is doing that:
https://gitweb.torproject.org/user/boklm/tor-browser-bundle.git/commit/?h=bug_17895&id=ed474700d85d135fa1e1bf6ae358a9c781d8dac6
To fix the build issues, we are using the patches from the Debian package.
> 2) Making sure the resulting .exe files are still bit-by-bit reproducible
I checked that re-bundling results in the same .exe file. I did not check
yet that it is also the case after a `make clean-utils`; I will try it
tomorrow.
> 3) Making sure that these files are still working on all supported Windows versions (XP - 10)
> 4) Making sure stripping the authenticode signature is still reproducible
I did not check that yet.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17895#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online