Opened 2 years ago

Closed 2 years ago

#22291 closed defect (fixed)

Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

Reported by: 6h72Q484AddGha8H
Owned by: yawning
Priority: Medium
Component: Archived/Tor Browser Sandbox
Severity: Normal

Description

Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

Utilizing sandbox release 0.6, the first startup asks which channel to utilize. If selecting alpha, Tor Browser 7.0a3 is downloaded instead of the latest 7.0a4. This appears to be because the JSON published URLs are not kept up to date. This has been a bug in the past too with respect to outdated or wrong JSON listings. This should probably be fixed so that users are not put in jeopardy of downloading a vulnerable version in the future.

install: Metadata URL: https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json

As you can see, the metadata URL is not updated and therefore the older version is downloaded, putting the Tor user potentially at risk due to running an outdated or insecure older release.

Change History (6)

comment:1 Changed 2 years ago by yawning

I'm not sure what you expect me to do about this since I have nothing to do with uploading the metadata.

comment:2 Changed 2 years ago by yawning

One thing that would be a permanent fix would be to write a MAR unpacker and use the non-incremental MARs instead of the tarball + signature, since the XML resources and MARs will always be up to date.

Patches accepted, I'm not going to do it.
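To make the suggestion above concrete, here is an added example (not code from sandboxed-tor-browser, Mozilla, or anyone in this ticket) of the index-reading half of a MAR unpacker, written in Go since that is the sandbox's own language. The byte layout is my reading of the Mozilla MAR format and is an assumption: the file starts with "MAR1" and a big-endian u32 offset to the index; the index is a u32 length followed by entries of u32 content offset, u32 size, u32 flags and a NUL-terminated name. Signed MARs carry a signature block between the header and the content, which this reader simply skips; a real unpacker must verify those signatures before trusting anything the index says. The sample archive is constructed in memory so the code runs offline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// MarEntry is one file described by the MAR index.
type MarEntry struct {
	Name   string
	Offset uint32
	Size   uint32
	Flags  uint32
}

// ParseMarIndex reads the index of a MAR archive and returns its entries.
// Layout assumed (my reading of the format, not project code): "MAR1",
// u32 index offset; at that offset a u32 index length, then entries of
// u32 offset, u32 size, u32 flags, NUL-terminated name. All big-endian.
func ParseMarIndex(mar []byte) ([]MarEntry, error) {
	if len(mar) < 8 || string(mar[:4]) != "MAR1" {
		return nil, errors.New("not a MAR archive")
	}
	idxOff := binary.BigEndian.Uint32(mar[4:8])
	if uint64(idxOff)+4 > uint64(len(mar)) {
		return nil, errors.New("index offset beyond end of file")
	}
	idxSize := binary.BigEndian.Uint32(mar[idxOff : idxOff+4])
	idxStart := uint64(idxOff) + 4
	idxEnd := idxStart + uint64(idxSize)
	if idxEnd > uint64(len(mar)) {
		return nil, errors.New("index length beyond end of file")
	}
	idx := mar[idxStart:idxEnd]
	var entries []MarEntry
	for len(idx) > 0 {
		if len(idx) < 12 {
			return nil, errors.New("truncated index entry")
		}
		e := MarEntry{
			Offset: binary.BigEndian.Uint32(idx[0:4]),
			Size:   binary.BigEndian.Uint32(idx[4:8]),
			Flags:  binary.BigEndian.Uint32(idx[8:12]),
		}
		nul := bytes.IndexByte(idx[12:], 0)
		if nul < 0 {
			return nil, errors.New("unterminated file name in index")
		}
		e.Name = string(idx[12 : 12+nul])
		// Content must lie before the index and inside the buffer, so a
		// crafted index cannot make the unpacker read out of bounds.
		if uint64(e.Offset)+uint64(e.Size) > uint64(idxOff) {
			return nil, fmt.Errorf("entry %q points outside the content area", e.Name)
		}
		entries = append(entries, e)
		idx = idx[12+nul+1:]
	}
	return entries, nil
}

// ExtractMarEntry returns the bytes of one entry already validated by ParseMarIndex.
func ExtractMarEntry(mar []byte, e MarEntry) []byte {
	return mar[e.Offset : e.Offset+e.Size]
}

// BuildSampleMar builds a tiny unsigned MAR in memory (constructed test data,
// not a real Tor Browser archive) so the reader can be exercised offline.
func BuildSampleMar(files map[string][]byte, order []string) []byte {
	var body, index bytes.Buffer
	header := 8 // "MAR1" + u32 index offset
	for _, name := range order {
		data := files[name]
		binary.Write(&index, binary.BigEndian, uint32(header+body.Len()))
		binary.Write(&index, binary.BigEndian, uint32(len(data)))
		binary.Write(&index, binary.BigEndian, uint32(0644))
		index.WriteString(name)
		index.WriteByte(0)
		body.Write(data)
	}
	var out bytes.Buffer
	out.WriteString("MAR1")
	binary.Write(&out, binary.BigEndian, uint32(header+body.Len()))
	out.Write(body.Bytes())
	binary.Write(&out, binary.BigEndian, uint32(index.Len()))
	out.Write(index.Bytes())
	return out.Bytes()
}

func main() {
	files := map[string][]byte{
		"updatev3.manifest": []byte("add \"firefox\"\n"), // constructed
		"firefox":           {0x7f, 'E', 'L', 'F'},       // constructed
	}
	mar := BuildSampleMar(files, []string{"updatev3.manifest", "firefox"})
	entries, err := ParseMarIndex(mar)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%-20s offset=%d size=%d flags=%o\n", e.Name, e.Offset, e.Size, e.Flags)
	}
}
```

Bounds checks run on every index field before any content is touched, because the index is attacker-controlled input until the archive's signature has been verified.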

comment:3 Changed 2 years ago by yawning

This is also basically fixed by https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=fc3475761427977cd63dfaa0351809174b147eb5

I was told that the update_2 stuff will be valid for a while, but apparently not.

I could also just force an update check on first launch after an install or something. Maybe I'll do that anyway because it's easy to do....

comment:5 Changed 2 years ago by cypherpunks

It's not Tor Browser Sandbox specific. Old alphas upgrade themselves the same way. Torbutton could warn users at startup, but it's broken the same way: https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions

comment:6 in reply to: 5 Changed 2 years ago by yawning

Resolution: fixed
Status: new → closed

Replying to cypherpunks:

It's not Tor Browser Sandbox specific. Old alphas upgrade themselves the same way. Torbutton could warn users at startup, but it's broken the same way: https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions

Huh? RecommendedTBBVersions has nothing to do with the sandbox, and downloads.json has nothing to do with the normal Tor Browser update process.

Anyway this is basically "fixed" now (thanks bolkm). Both git master (and the next sandbox tag, whenever I get around to it) will pull from update_3 in the future, and there isn't much I can do about "the location where all the metadata lives changed" now that I think about it.
