[tor-bugs] #17895 [Applications/Tor Browser]: Tor Browser Bundle installer subject to DLL hijacking
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 22 07:35:26 UTC 2016
#17895: Tor Browser Bundle installer subject to DLL hijacking
-------------------------------------------------+-------------------------
 Reporter:  ericlaw                              |  Owner:  boklm
 Type:  defect                                   |  Status:  needs_revision
 Priority:  High                                 |  Milestone:
 Component:  Applications/Tor Browser            |  Version:
 Severity:  Major                                |  Resolution:
 Keywords:  tbb-gitian, tbb-security,            |  Actual Points:
   TorBrowserTeam201604R                         |
 Parent ID:                                      |  Points:
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* status: needs_review => needs_revision
Comment:
Thanks! This looks good to me. Some nits:
1) in `mkbundle-windows.sh` look at how we treat binutils, gcclibs and all
the others: we should rebuild the utils if there is a new NSIS version,
too. Additionally, we should refresh the link as well in case we are
skipping the utilities build to make sure we always use the correct
version.
2) We should verify the packages in `verify-tags.sh` as well.
3) You could add the NSIS packages to `versions.alpha`, too
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17895#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online