Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Romeo Papa wrote (08 Aug 2015 11:04:32 GMT) :
> Do you want me to try and write a quick patch that would disable PDF.js
> by default?

It's too late to fix 1.5~rc1, and 1.5 won't be affected, so: what for,
exactly? (Thanks for the offer anyway :)

Cheers,
--
intrigeri

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Hi,

Do you want me to try and write a quick patch that would disable PDF.js
by default?

On 08/08/2015 11:19 AM, intrigeri wrote:
> Romeo Papa, do you want to research this further? It would be very
> useful to add a mitigation measure when mentioning this security issue
> in the "Known issues" section of the 1.5~rc1 call for testing.
>
> Cheers,
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Hi again,

intrigeri wrote (08 Aug 2015 09:24:48 GMT) :
> ... on the other hand, https://access.redhat.com/articles/1563163
> documents pdfjs.disabled=True as a mitigation. I trust RedHat security
> team to have verified that it indeed blocks exploitation.

I've documented the security hole + mitigation on
https://tails.boum.org/news/test_1.5-rc1/

Commit:
https://git-tails.immerda.ch/tails/commit/wiki/src/news/test_1.5-rc1.mdwn?id=af0bcb7138847e1ad8ba6d596309d391b92a7216

sajolida, please have a *quick* look (keep in mind that this will only
live 3 days, so there's probably no need to spend 25 minutes making this
as perfect as you would like ;)

Cheers,
--
intrigeri
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
intrigeri wrote (08 Aug 2015 09:19:50 GMT) :
> https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
> "Notice that "pdfjs.disabled" shall not be used, at least without
> switching the handler." Not sure how one would "switch the handler",
> and perhaps it doesn't mean what I think anyway.

... on the other hand, https://access.redhat.com/articles/1563163
documents pdfjs.disabled=True as a mitigation. I trust RedHat security
team to have verified that it indeed blocks exploitation.

And Arch Linux' ASA-201508-1 also documents the same mitigation.

> Romeo Papa, do you want to research this further? It would be very
> useful to add a mitigation measure when mentioning this security issue
> in the "Known issues" section of the 1.5~rc1 call for testing.

s/add/document/

Cheers,
--
intrigeri
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Romeo Papa wrote (07 Aug 2015 23:04:15 GMT) :
> PDF.js can be disabled as follows:
> 1. Type about:config in the Firefox address bar
> 2. Search for the pdfjs.disabled entry
> 3. Set the pdfjs.disabled entry to True

https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
"Notice that "pdfjs.disabled" shall not be used, at least without
switching the handler." Not sure how one would "switch the handler",
and perhaps it doesn't mean what I think anyway.

Romeo Papa, do you want to research this further? It would be very
useful to add a mitigation measure when mentioning this security issue
in the "Known issues" section of the 1.5~rc1 call for testing.

Cheers,
--
intrigeri
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 08/07/2015 02:13 PM, Georg Koppen wrote:
> "we determined that the vulnerability isn't present in the current 31
> ESR."
>
> That's a quote from Liz Henry, the Firefox release manager.
>
> Georg

FYI, here's the quote's source:
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
PS: Sorry about all the messages I'm apparently sending while writing up
the message; I need to see what's happening...

After reading further, I've found the Debian page saying only 38.1.0esr-3
is vulnerable (https://security-tracker.debian.org/tracker/CVE-2015-4495).

But I've also found the origins of the vulnerability from the commits for
Firefox 39.0.3: it is from pdf.js, and after tracking the history I
believe the bug might have been present for possibly 2 years if not more.
https://github.com/mozilla/pdf.js/commit/4f3f983a214867011dda8c5597a4d3523c5f1423
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On Sat, 08 Aug 2015, Romeo Papa wrote:
> On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
> > By the exploit, as I understood things? I could be mistaken and
> > probably am mistaken. I've heard that the vulnerable code is in FF31 -
> > I haven't looked myself yet.
>
> https://access.redhat.com/articles/1563163
>
> Considering "all Red Hat products that use the Mozilla Firefox browser
> are affected by this issue", all the way to Red Hat 5, it might be
> possible that FF31 is vulnerable to the exploit.

I think RHEL 5 uses FF38. At least CentOS 5 has it:
http://mirror.centos.org/centos/5/updates/x86_64/RPMS/
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
> By the exploit, as I understood things? I could be mistaken and
> probably am mistaken. I've heard that the vulnerable code is in FF31 -
> I haven't looked myself yet.

https://access.redhat.com/articles/1563163

Considering "all Red Hat products that use the Mozilla Firefox browser
are affected by this issue", all the way to Red Hat 5, it might be
possible that FF31 is vulnerable to the exploit.

Looks like CVE-2015-4495 can be mitigated by disabling PDF.js, so it's
probably a good idea to go ahead and do that:

PDF.js can be disabled as follows:
1. Type about:config in the Firefox address bar
2. Search for the pdfjs.disabled entry
3. Set the pdfjs.disabled entry to True
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
kytv wrote (07 Aug 2015 14:13:19 GMT) :
> Note that Tails 1.5~rc1 includes version 5.0a4-build3 of the Tor
> Browser.

Anyone up to propose a patch to the call for testing, that warns users
about it, please let me know (before I start working on it, likely
tomorrow — let's avoid duplicating work). I would appreciate such help
a lot.

Cheers,
--
intrigeri
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On Fri, Aug 07, 2015 at 01:48:10PM +, Georg Koppen wrote:
> Jacob Appelbaum:
> >
> > The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
> > 31.8.0) - so the new alpha won't change anything and the current
> > browser shouldn't be impacted by it.
> >
> > Did I understand that correctly?
>
> The stable Tor Browser, which Tails is using, should not be affected,
> correct. The upcoming alpha fixes the problem for our current alpha,
> 5.0a4, which is already based on ESR 38.

Note that Tails 1.5~rc1 includes version 5.0a4-build3 of the Tor Browser.
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum:
> On 8/7/15, Georg Koppen wrote:
>> Jacob Appelbaum:
>>> On 8/7/15, jvoisin wrote:
>>>> Hello,
>>>>
>>>> I disagree with your analysis;
>>>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>>>> stealing, please keep in mind that an attacker can access every Firefox
>>>> files, like cookies (stealing sessions), stored passwords, changing
>>>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>>>> the browser, …
>>>
>>> I believe that the newest Tor Browser alpha will provide a fix. I hope
>>> Mike will chime in here...
>>
>> I don't know what kind of fix you have in mind. All we'll provide is an
>> update to ESR 38.2.0. We are basically about to tag the things and start
>> building. ETA for the alpha is probably Tuesday.
>
> Ah ha - great. Thank you for chiming in!
>
> The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
> 31.8.0) - so the new alpha won't change anything and the current
> browser shouldn't be impacted by it.
>
> Did I understand that correctly?

The stable Tor Browser, which Tails is using, should not be affected,
correct. The upcoming alpha fixes the problem for our current alpha,
5.0a4, which is already based on ESR 38.

Georg
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, Georg Koppen wrote:
> Jacob Appelbaum:
>> On 8/7/15, jvoisin wrote:
>>> Hello,
>>>
>>> I disagree with your analysis;
>>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>>> stealing, please keep in mind that an attacker can access every Firefox
>>> files, like cookies (stealing sessions), stored passwords, changing
>>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>>> the browser, …
>>
>> I believe that the newest Tor Browser alpha will provide a fix. I hope
>> Mike will chime in here...
>
> I don't know what kind of fix you have in mind. All we'll provide is an
> update to ESR 38.2.0. We are basically about to tag the things and start
> building. ETA for the alpha is probably Tuesday.

Ah ha - great. Thank you for chiming in!

The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
31.8.0) - so the new alpha won't change anything and the current
browser shouldn't be impacted by it.

Did I understand that correctly?

>
> That said Mozilla's reasoning for not doing a chemspill for ESR 31 was
>
> "we determined that the vulnerability isn't present in the current 31
> ESR."

Hey - that's great news - thanks for clearing that up!

>
> That's a quote from Liz Henry, the Firefox release manager.
>

Perfect - thank you!

All the best,
Jacob
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, intrigeri wrote:
> Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
>> I've heard that the exploit in the wild doesn't work against esr31 - I
>> haven't heard that it isn't impacted at all.
>
> Mozilla folks have explicitly written on their "enterprise" list that
> FF31 is not affected.

By the exploit, as I understood things? I could be mistaken and
probably am mistaken. I've heard that the vulnerable code is in FF31 -
I haven't looked myself yet.

>
>> ( I think the apparmor profile may contain some of the worst aspects
>> but only until an attacker figures out how to make a hard link.
>
> May you please elaborate on the hardlink aspect? It rings a bell, but
> I don't remember the specifics.

If you hard link a file, say /home/amnesia/.gnupg/secring.gpg, into
~/Tor Browser/secring.gpg - you can read it with Tor Browser. AppArmor
uses file paths to constrain things. That second file path is allowed by
the sandbox; even though the file is also "outside" of that path,
AppArmor has no clue.

You can test this by doing the following:

  mkdir ~/OUTOFSANDBOX/
  touch ~/OUTOFSANDBOX/apparmor.txt
  echo "out of sandbox" >> ~/OUTOFSANDBOX/apparmor.txt
  ln ~/OUTOFSANDBOX/apparmor.txt ~/Tor\ Browser/apparmor.txt

If you then want to read that ( ~/Tor\ Browser/apparmor.txt ) file with
Tor Browser - it will work.

Reading the policy for Tor Browser on Tails 1.4.1 - I see the following
relevant entries:

  owner "@{HOME}/Tor Browser/" rw,
  owner "@{HOME}/Tor Browser/**" rwk,
  owner "@{HOME}/Persistent/Tor Browser/" rw,
  owner "@{HOME}/Persistent/Tor Browser/**" rwk,
  owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw,
  owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk,
  owner @{HOME}/.mozilla/firefox/bookmarks/places.sqlite rwk,
  owner /live/persistence/TailsData_unlocked/bookmarks/places.sqlite rwk,
  owner @{HOME}/.tor-browser/profile.default/ r,
  owner @{HOME}/.tor-browser/profile.default/** rwk,

Note that none of those include the flag "l" - which is what is required
to make a hard link. That was why I said "until an attacker figures out
how to make a hard link"; if such a hardlink were made, they'd be able
to read the contents of the linked file. That is all that I meant with my
comment. AppArmor is useful but has some rough edges.

All the best,
Jacob
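The two points in Jacob's message above (a hard link gives one inode a second path, and a path-based policy only sees the path being opened; the profile as quoted grants no "l", so the confined browser cannot create that link itself) can be checked outside Tails. The script below is an added example for this thread, not Tails code and not the Tails AppArmor profile: the profile fragments are constructed from the rules quoted above (the "weakened" variant, which adds "l", is hypothetical), the file contents are made up, and no AppArmor is involved at all. It only shows why the inode is shared and how to grep a profile for link permission; it does not itself bypass any sandbox.

```shell
#!/bin/sh
# Added example (not from the thread, not Tails code): why a path-based
# MAC such as AppArmor cannot tell a hard link from the file it names,
# plus a crude check of a profile fragment for the "l" (link) permission.
# The profile fragments and the file contents are constructed for this demo.
set -eu

# Constructed fragment modelled on the Tails 1.4.1 rules quoted in the thread:
# every rule grants r/w/k but none grants "l".
PROFILE_NO_LINK='owner "@{HOME}/Tor Browser/" rw,
owner "@{HOME}/Tor Browser/**" rwk,
owner @{HOME}/.tor-browser/profile.default/** rwk,'

# Hypothetical weaker variant (constructed): one rule adds "l", so the
# confined process could itself create the hard link Jacob describes.
PROFILE_WITH_LINK='owner "@{HOME}/Tor Browser/" rw,
owner "@{HOME}/Tor Browser/**" rwkl,'

# rule_perms RULE: print the permission string of one AppArmor file rule
# (the last whitespace-separated token, trailing comma removed).
rule_perms() {
    printf '%s\n' "$1" | sed -e 's/,[[:space:]]*$//' -e 's/.*[[:space:]]//'
}

# count_link_rules PROFILE: number of rules whose permissions include "l".
count_link_rules() {
    n=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        case "$(rule_perms "$rule")" in
            *l*) n=$((n + 1)) ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$n"
}

# hardlink_demo: a file created outside a stand-in "sandbox" directory is
# hard-linked inside it. Returns 0 when both names share one inode and the
# inside name yields the outside content, i.e. when a policy keyed on the
# inside path would have granted access to the outside file.
hardlink_demo() {
    base=$(mktemp -d)
    mkdir "$base/outside" "$base/sandbox"
    printf 'out of sandbox\n' > "$base/outside/secring.gpg"
    ln "$base/outside/secring.gpg" "$base/sandbox/secring.gpg"
    ino_out=$(ls -i "$base/outside/secring.gpg" | awk '{print $1}')
    ino_in=$(ls -i "$base/sandbox/secring.gpg" | awk '{print $1}')
    content=$(cat "$base/sandbox/secring.gpg")
    rm -rf "$base"
    if [ "$ino_out" = "$ino_in" ] && [ "$content" = "out of sandbox" ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: report inode sharing and the link-rule counts.
if hardlink_demo; then
    echo "hard link shares the inode: a rule on the inside path reads the outside file"
fi
echo "rules granting l in the quoted profile: $(count_link_rules "$PROFILE_NO_LINK")"
echo "rules granting l in the weakened profile: $(count_link_rules "$PROFILE_WITH_LINK")"
```

The practical reading: when reviewing a profile like the one quoted, treat any "l" on a writable directory under the confined application's control as widening the read set to whatever the confined process can link there; and remember that a link made by some other, unconfined process (or via a second bug) is invisible to a path-based policy in exactly the same way, which is the limit Jacob is pointing at.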
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum:
> On 8/7/15, jvoisin wrote:
>> Hello,
>>
>> I disagree with your analysis;
>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>> stealing, please keep in mind that an attacker can access every Firefox
>> files, like cookies (stealing sessions), stored passwords, changing
>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>> the browser, …
>
> I believe that the newest Tor Browser alpha will provide a fix. I hope
> Mike will chime in here...

I don't know what kind of fix you have in mind. All we'll provide is an
update to ESR 38.2.0. We are basically about to tag the things and start
building. ETA for the alpha is probably Tuesday.

That said Mozilla's reasoning for not doing a chemspill for ESR 31 was

"we determined that the vulnerability isn't present in the current 31
ESR."

That's a quote from Liz Henry, the Firefox release manager.

Georg
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
> I've heard that the exploit in the wild doesn't work against esr31 - I
> haven't heard that it isn't impacted at all.

Mozilla folks have explicitly written on their "enterprise" list that
FF31 is not affected.

> ( I think the apparmor profile may contain some of the worst aspects
> but only until an attacker figures out how to make a hard link.

May you please elaborate on the hardlink aspect? It rings a bell, but
I don't remember the specifics.

Cheers,
--
intrigeri
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, jvoisin wrote:
> Hello,
>
> I disagree with your analysis;
> while the Apparmor profile (♥) will prevent tragic things like gpg key
> stealing, please keep in mind that an attacker can access every Firefox
> files, like cookies (stealing sessions), stored passwords, changing
> preferences (remember http://net.ipcalf.com/ ?), executing code inside
> the browser, …

I believe that the newest Tor Browser alpha will provide a fix. I hope
Mike will chime in here...

>
> This seems pretty serious to me, since people expect the web-browser to
> be reasonably trustworthy.

Agreed.

All the best,
Jacob
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Hello,

I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every Firefox
file, like cookies (stealing sessions), stored passwords, changing
preferences (remember http://net.ipcalf.com/ ?), executing code inside
the browser, …

This seems pretty serious to me, since people expect the web-browser to
be reasonably trustworthy.
Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, intrigeri wrote:
> Hi,
>
> that is:
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
> https://security-tracker.debian.org/tracker/CVE-2015-4495
>
> ... apparently only affect Firefox 38.x, so current Tails stable
> (1.4.1) is not affected. Most likely Tails 1.5~rc1 is affected, but
> our AppArmor policy should mitigate the worst possible consequences,
> so I doubt it's worth adding to the RC announce's known
> issues section.
>
> If anyone has more insight or disagrees, let me know.
>

I've heard that the exploit in the wild doesn't work against esr31 - I
haven't heard that it isn't impacted at all. The bad news is that it
isn't fixed in esr31 - so while they have fixes in for ff38 - it isn't
because that was the only problematic version. :-(

( I think the apparmor profile may contain some of the worst aspects
but only until an attacker figures out how to make a hard link. That is
not a super high bar for code execution but will at least stop random
files from being included without a multi-bug payload. )

All the best,
Jacob