[tor-bugs] #31383 [Applications/Tor Browser]: OpenSSL CVE-2019-1552
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 27 16:50:56 UTC 2019
#31383: OpenSSL CVE-2019-1552
--------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by cypherpunks):
> What's wrong with those paths?
They are hard-coded. That's a main bug and vulnerability, in general.
Also they are not allowed for your app-local OpenSSL.
> They should not be user-writable. I mean that's actually part of the
> OpenSSL fix for that CVE. If that's wrong it seems to me a bug against
> OpenSSL should get filed.
Yes.
> Are you claiming `C:\Program Files` and `C:\Program Files (x86)` are
> user-writable?
`C:\Program Files (x86)` doesn't exist in 32-bit Windows.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31383#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online