Opened 4 years ago

Last modified 23 months ago

#16417 new defect

DEP/ASLR missing on some Tor Browser (Pluggable Transports) binaries on Windows

Reported by: boklm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, tbb-rbm
Cc: gk, erinn, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Some files in the TorBrowser/Tor/PluggableTransports directory are missing DEP/ASLR on Windows:

TorBrowser/Tor/PluggableTransports/_ctypes.pyd
TorBrowser/Tor/PluggableTransports/_hashlib.pyd
TorBrowser/Tor/PluggableTransports/_socket.pyd
TorBrowser/Tor/PluggableTransports/_ssl.pyd
TorBrowser/Tor/PluggableTransports/bz2.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Cipher._AES.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Hash._SHA256.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Hash._SHA512.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Random.OSRNG.winrandom.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Util._counter.pyd
TorBrowser/Tor/PluggableTransports/Crypto.Util.strxor.pyd
TorBrowser/Tor/PluggableTransports/flashproxy-client.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-appspot.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-email.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-http.exe
TorBrowser/Tor/PluggableTransports/flashproxy-reg-url.exe
TorBrowser/Tor/PluggableTransports/fte.cDFA.pyd
TorBrowser/Tor/PluggableTransports/fteproxy.exe
TorBrowser/Tor/PluggableTransports/M2Crypto.__m2crypto.pyd
TorBrowser/Tor/PluggableTransports/meek-client-torbrowser.exe
TorBrowser/Tor/PluggableTransports/meek-client.exe
TorBrowser/Tor/PluggableTransports/obfs4proxy.exe
TorBrowser/Tor/PluggableTransports/obfsproxy.exe
TorBrowser/Tor/PluggableTransports/pyexpat.pyd
TorBrowser/Tor/PluggableTransports/python27.dll
TorBrowser/Tor/PluggableTransports/select.pyd
TorBrowser/Tor/PluggableTransports/terminateprocess-buffer.exe
TorBrowser/Tor/PluggableTransports/unicodedata.pyd
TorBrowser/Tor/PluggableTransports/w9xpopen.exe
TorBrowser/Tor/PluggableTransports/zope.interface._zope_interface_coptimizations.pyd

Child Tickets

Change History (7)

comment:1 Changed 4 years ago by yawning

Anything that's Go based won't ever have either, because the upstream Go maintainers place way too much faith in their compiler and runtime to allow for such things. I think this is shortsighted and stupid (Golang binaries are also statically linked so ASLR seems somewhat less useful).

FTE/flashproxy are the only reasons why we still even bundle python/obfsproxy, we can probably remove obfsproxy.exe from the build process at this point as long fteproxy.exe still gets built correctly (or deprecate FTE).

comment:2 Changed 4 years ago by gk

Cc: gk added
Keywords: tbb-gitian added

comment:3 Changed 4 years ago by erinn

Cc: erinn added

comment:4 Changed 4 years ago by gk

Keywords: tbb-hardening added

comment:5 Changed 4 years ago by gk

Keywords: tbb-hardened added; tbb-hardening removed

comment:6 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added
Severity: Normal

comment:7 Changed 23 months ago by gk

Keywords: tbb-rbm added; tbb-gitian tbb-hardened removed
Note: See TracTickets for help on using tickets.