Opened 3 years ago

Closed 3 years ago

#22648 closed enhancement (fixed)

Prevent the "easy" to fix X11 related sandbox escapes.

Reported by: yawning
Owned by: yawning
Priority: Medium
Milestone:
Component: Archived/Tor Browser Sandbox
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Per "Jann Horn of Google Project Zero", X11 provides a few vectors for sandbox escape. While this is not part of the threat model in current releases, the trivial cases should be fixed.

In the meantime, the documentation has been updated to note that this isn't covered:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux?action=diff&version=22

nb: Even if the trivial cases are fixed, this still won't prevent an adversary from doing evil to or via X11.

Change History (3)

comment:1 Changed 3 years ago by yawning

Summary: Do something about the X11 situation. → Prevent the "easy" to fix X11 related sandbox escapes.

comment:2 Changed 3 years ago by yawning

Status: new → accepted

https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=1bfbd7cc1cd60c9468f2e33a3d4816973f1fb2f5

Should fix some of this. Doing significantly more rapidly approaches "write a full Window Manager + X server" in terms of complexity, and I don't hate myself quite that much.

comment:3 Changed 3 years ago by yawning

Resolution: fixed
Status: accepted → closed