Tor Browser 6.5a1-hardened is released
A new hardened Tor Browser release is available. It can be found in the 6.5a1-hardened distribution directory and on the download page for hardened builds.
This release features important security updates to Firefox.
Tor Browser 6.5a1-hardened is the first hardened release in our 6.5 series. It updates Firefox to 45.2.0esr and contains all the improvements that went into Tor Browser 6.0. Beyond that, this alpha release has some additional noteworthy changes: we bumped the Tor version to 0.2.8.3-alpha and backported additional security features. Exploiting the JIT compiler is now harder, and support for SHA-1 HPKP pins has been removed.
On the infrastructure side, we are now using Fastly to deliver the update files. We thank them for their support.
Note: There is no incremental update from 6.0a5-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.
Here is the complete changelog since 6.0a5-hardened:
- All Platforms
  - Update Firefox to 45.2.0esr
  - Update Tor to 0.2.8.3-alpha
  - Update Torbutton to 1.9.6
    - Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
    - Bug 18905: Hide unusable items from help menu
    - Bug 17599: Provide shortcuts for New Identity and New Circuit
    - Bug 18980: Remove obsolete toolbar button code
    - Bug 18238: Remove unused Torbutton code and strings
    - Translation updates
    - Code clean-up
  - Update Tor Launcher to 0.2.8.5
    - Bug 18947: Tor Browser is not starting on OS X if put into /Applications
  - Update HTTPS-Everywhere to 5.1.9
  - Update meek to 0.22 (tag 0.22-18371-3)
  - Bug 19121: The update.xml hash should get checked during update
  - Bug 12523: Mark JIT pages as non-writable
  - Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
  - Bug 19164: Remove support for SHA-1 HPKP pins
  - Bug 19186: KeyboardEvents are only rounding to 100ms
  - Bug 18884: Don't build the loop extension
  - Bug 19187: Backport fix for crash related to popup menus
  - Bug 19212: Fix crash related to network panel in developer tools
  - Bug 18703: Fix circuit isolation issues on Page Info dialog
  - Bug 19115: Tor Browser should not fall back to Bing as its search engine
  - Bug 18915+19065: Use our search plugins in localized builds
  - Bug 19176: Zip our language packs deterministically
  - Bug 18811: Fix first-party isolation for blobs URLs in Workers
  - Bug 18950: Disable or audit Reader View
  - Bug 18886: Remove Pocket
  - Bug 18619: Tor Browser reports "InvalidStateError" in browser console
  - Bug 18945: Disable monitoring the connected state of Tor Browser users
  - Bug 18855: Don't show error after add-on directory clean-up
  - Bug 18885: Disable the option of logging TLS/SSL key material
  - Bug 18770: SVGs should not show up on Page Info dialog when disabled
  - Bug 18958: Spoof screen.orientation values
  - Bug 19047: Disable Heartbeat prompts
  - Bug 18914: Use English-only label in <isindex/> tags
  - Bug 18996: Investigate server logging in esr45-based Tor Browser
  - Bug 17790: Add unit tests for keyboard fingerprinting defenses
  - Bug 18995: Regression test to ensure CacheStorage is disabled
  - Bug 18912: Add automated tests for updater cert pinning
  - Bug 16728: Add test cases for favicon isolation
  - Bug 18976: Remove some FTE bridges
- Linux
  - Bug 19189: Backport for working around a linker (gold) bug
- Build System
Comments
Please note that the comment area below has been archived.
Thanks again for another excellent release. I breathe a sigh of relief whenever I hear about a new Firefox release and then soon thereafter, see a TBB update.
Thanks for another timely, excellent release!!
Ditto. Thanks for all your hard work on making Tor better, and damnation to our foes!
You guys are amazing! Keep up the great work. The internal updater works like a charm.
Now if we could only double or triple the size of the Tor network with a generous benefactor, using hardware certified by known and trusted Tor authorities, we could start to address all the risks present with bad actors in the network. Perhaps a JonDoNym model is the only solution in the end-game i.e. trusted and known Tor operators. This would solve all the relay attacks and bad exit node operators with malicious injection etc.
Hint, hint: Zuckerberg, Google and other undeserved billionaires (devoted PRISM partners) data-mining our asses and pretending they care about digital rights. Even 0.1% of their profits in perpetuity under an established legal trust with a Tor executive board making decisions for spending priorities would do wonders e.g. network expansion, Tor enhancements, code audits, promoting Tor coding summits/student get-togethers, paying your core teams decent $, accelerating adoption of quantum-resistant encryption etc.
On that note, I wonder when Mozilla is going to integrate the Tor button as part of their default browser, inviting 100s of millions of users to switch into Tor browsing at the click of a button? Sounds like a no-brainer also for the security model i.e. introducing huge numbers to anonymous browsing and making the tracking work of the creepy spy agencies and corporates much, much more difficult.
Thanks, we are working with Mozilla on that. I guess the vision we have is to get Tor used in the private browsing mode with all defenses we have in Tor Browser. We are far from reaching that goal, alas, but we are working on it. At the moment we try to upstream more and more of our patches to Mozilla in order to reduce the amount of our own patches in our tree.
If you do incorporate tor in private browsing in firefox I hope that will be a different setting than "never remember history" option in firefox, and I hope the TBB will continue even then as a separate browser than firefox, I like to use both of them simultaneously sometimes.
Me too, except it's both browsers _all_ the time.
You are right but google are incorporated into the TOR browser in several locations via the firefox setting in 'about:config'.
I trust nothing about google and even firefox is suspicious over data collection with their standard browser. Safer to remove all references to google that you can find.
Yes.
Made this comment on the last update but it still hasn't been rectified. basically instead of showing me the circuit and countries and IPs of the circuit, it just shows (example.com) then 'Example A, Example B and Example C' Help?
If you are talking about Onion Circuits, it is working fine (at least for me) in Tails 2.4.
I have the same issue since 2 versions. Please update!
All versions after Jacob Appelbaum stepping down are compromised! Just like after Steve Jobs quit apple the feds took over!
Use older versions guys!
No, they are not. Not saying the Feds took over in the Apple case but there is a crucial difference here: you can have a look at our code and be sure that there is no Feds-taking-over happening. That's actually much more useful in determining whether Tor software is compromised or not than pointing out who or who not is any longer working for Tor Project, Inc.
> you can have a look at our code and be sure that there is no Feds-taking-over happening. That's actually much more useful in determining whether Tor software is compromised or not than pointing out who or who not is any longer working for Tor Project, Inc.
True, but few ordinary users, maybe even few computer programmers, really have the skill sets needed to make a reasonable attempt at checking, even using "canned" code checking tools.
Suggest Tor Project create a thoughtful, up to date, page similar to Tails Project documentation page "Trusting Tails". Some suggestions for bullet points:
o You should download Tor software products only from torproject.org or from an official Tor mirror.
o You should verify the signature before using any software product from Tor Project, such as Tor Browser or Tor Messenger, as explained at (links).
o You should read (link to Tor documentation page) before using any software product from Tor Project, to make sure you understand what Tor can and cannot do.
o It is true that the earliest onion routers were created by several civilian researchers working at (link to WP article) NRL, which is operated by the US Navy (link to existing documentation page describing the early history).
o Tor Project was later created as a non-profit US organization independent of the USG, but which for many years was supported almost entirely by USG entities created during the Eisenhower Administration which are tied to the US State Department and seek to bring outside points of view to people living in countries which censor their internet, such as Russia, China, Iran. Some of these entities were (link to WP article) caught, a few years ago, pushing "anti-censorship" software in countries like Cuba which turned out to be flawed, but that software has nothing to do with Tor.
o During part of 2015, Roger Dingledine, an MIT-based researcher and long-time Tor core developer, served as acting Executive Director of Tor Project. He once worked as a summer intern at NSA, but each summer, dozens of US college students with certain majors do that, and few of them wind up working for NSA, or even being sympathetic toward the "Collect It All" mentality.
o In the fall of 2015, Shari Steele, former Executive Director of EFF, the leading US nonprofit which advocates for digital freedoms, became Executive Director of Tor Project. She immediately announced that diversifying TP funding sources will be one of her priorities. You can help by (link) donating money to the Tor Foundation.
o TP draws upon the skills of a world wide network of volunteer experts, in addition to a team of core developers, not all of whom reside in FVEY nations. Since (date), Tor code has been checked using the Reproducible Builds project, which makes it much harder (we hope) for bad guys to slip malware into the official versions of Tor software products.
o The Snowden leaks contain several documents (link, link, link to EFF's collection) which show that five to ten years ago, NSA and GCHQ were having great difficulty compromising the Tor Network.
o One easy thing NSA can certainly do, and as the Snowden leaks confirm, is doing, is to keep track hour by hour of which IPs have joined the Tor network. If you live in a country which is not very hostile to the US, NSA most likely knows you use Tor. If you don't, your own government may know. See (link to page explaining that governments which operate a global dragnet internet surveillance system, because when you use Tor your computer first contacts a Tor Authority node. There are only few of these and their IP addresses cannot be hidden) and (link to information about Tor bridges).
o For more information on things we think NSA, GCHQ, and other well-funded agencies can possibly do to deanonymize some or all Tor users, see (link to a new documentation page).
o Using Tor is not yet illegal in the US, UK, or EU, although laws enacted in recent years threaten the freedom of residents of those countries to use Tor. Using Tor is explicitly illegal in (list).
o USG agencies such as FBI have expressed great hostility towards Tor hidden services, aka onion services, which allow people who run servers to publish/maintain websites anonymously. While most such sites appear to be related to documenting human rights violations, some appear to have a criminal nature. Highly publicized FBI and NCA "takedowns" of so-called "dark net sites" refer to attacks on non-Tor software running at particular onion service websites which appear to have had a criminal character.
o There is little hard evidence so far to suggest that NSA or FBI can break, or has broken, Tor itself, but many experts keep trying. This is actually helpful, as long as they publish their attacks, because it helps Tor Project to make Tor products better.
o In Jun 2016, long-time Tor core developer Jacob Appelbaum resigned after allegations of personal misconduct surfaced. The allegations do not involve anything like putting in backdoors or messing with code. Appelbaum himself stated that to the best of his knowledge, Tor software product code has not been compromised.
o (links to EFF's famous diagram, used by NSA in some of the documents leaked by Snowden), showing how onion circuits work, and other useful information about how Tor products work).
Did my reply get disapproved?
I would recommend the Tor Project in light of the situation launch a full code audit, and for Mozilla to do the same, and not by any individuals with any interest in the particular case, to avoid a conflict of interest.
Now I'd be more worried about the events today leading to a compromise of Tor. Stay vigilant, Tor Project, as it is still a very important tool for me.
That's silly. You're telling people to use insecure, outdated versions because one guy who was involved primarily in research and activism had to step down. You should never tell anyone to use an older version of Tor or the browser, they have known vulnerabilities.
And as others have pointed out, it's open source anyway.
Still no response to several comments on why Panopticlick shows the newer versions revealing about 5 times more identification information than 5.5.5 did. Someone said because it was new but this is not the case as 555 had the same score the day it was published and still does today. With earlier versions there was constantly a slight improvement out of the box. Since 6 it went downhill. The visible difference being the pseudo tag Windows NT 6 FF38.0 instead of FF45 but I suspect this is not all.
They say this based on their old data. In a few months when more people use this version and visit Panopticlick your identification will go down.
> All versions after Jacob Appelbaum stepping down are compromised! Just like after Steve Jobs quit apple the feds took over!
>
> Use older versions guys!
If that is not a spook troll, it's a good imitation.
The claim has already been debunked. Jacob Appelbaum himself took a moment to tweet (even before the above message appeared) that to the best of his knowledge, Tor has not been compromised.
Older versions have publicly exposed bugs. Everyone should definitely use the current versions.
I'm not sure who should be using this. Perhaps an explanation with every release announcement would be helpful.
Also, is there any reason for not having hardened stable releases? Do some of its features move into stable?
Tor 0.2.8.3-alpha is an alpha release. I'll quote: "Expect a lot of bugs. You should only run this release if you're willing to find bugs and report them."
Hardened builds have added security features which sacrifice performance for security - explained at https://vbdvexcmqi.oedi.net/blog/tor-browser-55a4-hardened-released
Hardened is compiled with AddressSanitizer (ASan) enabled, which means it uses up additional processing power and significantly more memory. It doesn't have any additional features over the normal alpha release.
I am trying to install Tor on OSX El Capitan. I keep getting this:
Disk images couldn't be opened
TorBrowser-6.0.1-osx5 no mountable file systems
I have deleted the dmg and tried to reinstall but the same thing happens each time.
Does anyone have any ideas why?
Hard to say. Does Tor Browser 6.0 work for you (https://utuhewzcso.oedi.net/torbrowser/6.0/)? Or 5.5.5? (https://archive.torproject.org/tor-package-archive/torbrowser/5.5.5/)
tor 6 still not working, although 5.5 working well, apart from the nag screens to update, any help welcomed. I have turned off most obvious things, I am using win7 64 bit.
Where is the 32-bits build?
There is none for the hardened series.
Both Tor Browser 6.5a1 and 6.01 have the same problem: always crashes on particular sites.
Gone back to 6.0 as it's stable.
I just posted a long comment about https-everywhere plug-in and the Pref-Content-Language option on the 6.01 blog post
I am nowhere an expert in such matters but there seems to be some value in this discovery.
https://vbdvexcmqi.oedi.net/blog/tor-browser-601-released
Thanks for another timely, excellent release !!!
ok
HELLO
I DOWNLOADED THE LATEST VERSION OF TOR BROWSER AND INSTALLED IT. FROM THE WHEN I OPEN IT, IT DOESN'T RUN, WHAT CAN I DO TO RUN IT?
To every Microsoft Windows user:
Uninstall everything unrelated to Tor, and also verify the downloads! Or try using Tails.
Keep up the great work
thank u :)
@ all Tor people: you are the greatest! More like this please!
https://motherboard.vice.com/read/tor-is-teaming-up-with-researchers-to…
Tor Is Teaming Up With Researchers To Protect Users From FBI Hacking
Joshua Kopstein
19 Jun 2016
> The FBI has had a fair amount of success de-anonymizing Tor users over the past few years.
Not quite right; FBI has taken down certain onion services, but that is not the same thing as successfully deanonymizing users of Tor Browser Bundle or Tor Messenger. It is not even clear that FBI's takedowns have reduced the number of onion services (hidden sites), or the extent to which FBI targets suspected BLM activists and human rights researchers vs suspected pron/drug purveyors.
As always, those whose duty is to oversee FBI insist on looking the other way, even insist that FBI and other USIC agencies get creative and lie to them.
> Despite the encryption software's well-earned reputation as one of the best tools for online privacy, recent court cases have shown that government malware has compromised Tor users by exploiting bugs in the underlying Firefox browser—one of which was controversially provided to the FBI in 2015 by academic researchers at Carnegie Mellon University.
>
> But according to a new paper, security researchers are now working closely with the Tor Project to create a “hardened” version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement.
See also
https://www.ics.uci.edu/~perl/pets16_selfrando.pdf
Any roadmap for when the improvements in the hardened browser will become part of standard TBB?
This is a great and much needed project, but we also need to fight in the political arena.
I urge the Project to tell Tor users in the US that EFF is organizing a campaign to pressure the US Congress to stop changes to Rule 41b which will encourage FBI agents to use their malware to hack into any computer anywhere on the internet any time they feel like it:
https://www.eff.org/deeplinks/2016/06/help-us-stop-updates-rule-41
Help Us Stop the Updates to Rule 41
EFF Calls for a Day of Action on June 21. Please join us.
Rainey Reitman
16 Jun 2016
> The Department of Justice is using an obscure procedure to push through a rule change that will greatly increase law enforcement’s ability to hack into computers located around the world. It’s an update to Rule 41 of the Federal Rules of Criminal Procedure. If Congress does nothing, this massive change will automatically go into effect on December 1.
> EFF, the Tor Project, and dozens of other organizations concerned about the future of our digital security are taking a stand for users everywhere. We’re organizing a campaign and day of action to speak out against the changes to Rule 41.
> But we can’t do it alone. If you run a website, we need your help.
Clearly Tor Browser hardening is urgently needed, but what about this? If a major CA such as Symantec can place trusted certs in our browsers, what then?
http://www.theregister.co.uk/2016/06/14/symantec_blue_coat_analysis/
Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried
HTTPS-buster and root cert bods joining up? Hmm
John Leyden
14 Jun 2016
> But some security experts are concerned about the potential for conflict of interest created by housing Symantec’s digital certificate business and Blue Coat’s man-in-the-middle SSL inspection technologies under the same roof. Business dealings between the two firms have already prompted cause for concern.
The need for browser hardening is evident from leaks from the notorious intrusion-for-hire company Hacking Team, and from the disclosure of huge USG payments for hacks into onion service websites.
On the political side, support is coming from such surprising sources as former White House cybersecurity chief Ari Schwartz, who argues in a new paper that FBI should be forbidden from paying for hacks, specifically citing a huge payment for hack into an encrypted iPhone used by the San Bernardino killers:
http://www.theregister.co.uk/2016/06/17/fbis_iphone_hack_should_be_barr…
FBI's iPhone paid-for hack should be barred, say ex-govt officials
Cybersecurity bods argue for formalizing zero-day disclosure rules
Kieren McCarthy
17 Jun 2016
> Although the question over whether to disclose a security hole is complex, it is not so complex as to avoid a clear set of rules, say Knake and Schwartz. They don't agree with Bruce Schneier's argument that all zero-day holes should be disclosed immediately regardless of their potential value, and instead highlight a possible case where disclosure would result in the loss of valuable intelligence in an ongoing investigation.
>
> That does not include the FBI's $1.2m purchase of a hack, however. One of the paper's recommendations is that government agencies be "prohibited from entering into non-disclosure agreements with vulnerability researchers and resellers" – which is what the FBI did in buying access to the San Bernardino shooter's phone from an unnamed third party and then claiming it cannot disclose how it did so.
About a month ago some US legislators who expressed doubts about the effectiveness of FBI's rapidly expanding precrime programs, including its CVE programs targeting American schoolchildren, called for a careful scientific evaluation of FBI's precrime risk scores. Unfortunately, this brief window of opportunity for a moment of sanity in the halls of USG power was torpedoed by the mass shooting in Orlando. As was the email privacy bill which had been expected, until the Orlando massacre, to pass unanimously.
FBI's dragnet surveillance programs almost always escape oversight. One of the very few exceptions is the enormously costly decades old disaster known as NEXTGEN, the FBI's much vaunted biometric identification program. After steady legal work by ACLU gradually revealed more and more clearly the failings of this program, GAO finally asked whether FBI's dragnet biometric programs are cost effective, and their report, just published, is extremely damaging to FBI's carefully guarded reputation:
http://thehill.com/policy/technology/283651-watchdog-fbi-doing-limited-…
Watchdog slams FBI's facial recognition database testing
David McCabe
15 Jun 2016
> The FBI has not appropriately tested its facial recognition database, according to a government watchdog report released on Wednesday. The agency maintains a database — called the Next Generation Identification-Interstate Photo System (NGI-IPS) — of photos and other biometric data that can be used in pursuing cases. The Government Accountability Office (GAO) said the agency had only done "limited" testing of its accuracy in situations in which officers were summoning a list of more than 50 potential matches, and did no testing when summoning a list of fewer than 50 potential matches. It also hasn’t tested the accuracy of the state and federal systems the FBI can access during investigations. “By taking such steps, the FBI could better ensure the data received from external partners is sufficiently accurate and do not unnecessarily include photos of innocent people as investigative leads,” said the watchdog.
For those familiar with ROC curves, a decade ago FBI tried to set some standards for the facial identification (in dragnet CCTV video) component of NEXTGEN. Specifically, they declared that the probability of false negatives to be below 5% and the probability of false positives to be below 2%, which is somewhat more stringent than some credit card fraud detection scores, and comparable to some medical testing scores. Five years after that when their own studies showed NEXTGEN was failing miserably to meet those standards, FBI simply dropped all accuracy requirements. Pretty amazing even for an agency with a century old track record at complete failure at every "national security" mission it has ever taken on, especially when FBI and its parent DOJ are pushing so hard for "evidence-based" precrime assessments of all American citizens.
And an excellent example of data journalism from Propublica has shown that the most widely used precrime scoring system in the US "justice" system [sic], from a little known Canadian company called Northpointe Inc, fails to meet even the low bar set for scoring systems which cannot result in persons being deprived of their freedom, much less the stronger standards common in clinical situations such as cancer testing (but not in psychiatric testing, where once again, unevaluated and dubious precrime scoring algorithms are sprouting like weeds, and being marketed to companies anxious about their employees and municipal governments anxious about local residents):
https://www.propublica.org/article/senates-popular-sentencing-reform-bi…
If you think COMPAS is bad, FBI's precrime scores are much worse, and far more dangerous, especially to privacy-minded citizens who use Tor (which USG tends to view as a "red flag" for all manner of suspected potential misconduct).
The GAO report also revealed the existence of a second vast FBI dragnet surveillance facial ID program, called FACE, which is also being developed without any oversight or requirement for meaningful evaluation.
Meanwhile, FBI is demanding that NEXTGEN and FACE be exempted from the Privacy Act, one of the very, very few (outdated and weak) laws protecting some of the privacy of US persons, and they demand that the videos recorded by the hidden cameras be exempted from FOIA requests.
Among the controversial sources for NEXTGEN/FACE imagery are surveillance cameras which are secretly placed on municipal utility poles, where they are hidden by "concealments" (in FBI parlance) to prevent alert passersby from noting the surveillance.
In recent court filings FBI has argued that revealing the location of the hidden cameras would violate the privacy of precrime suspects who have not yet been charged (naturally, because they haven't done anything wrong), or cause their unsuspected neighbors to become paranoid about USG intentions toward their own households. Because, you see, the pole cams record the comings and goings of everyone who passes by the hidden cameras, not just the current "person of interest". Even more striking, FBI argued that their own agents are afraid of having their identities leaked (perhaps the watching agents are also imaged sitting in their surveillance vehicles/trailers?). Reading into these zany arguments I see evidence that the USIC leadership is very anxious about being charged in absentia and maybe even extradited to face trial for war crimes:
http://thehill.com/policy/national-security/282689-former-cia-officer-f…
Former CIA officer faces extradition to Italy for Bush-era efforts
Julian Hattem
8 Jun 2016
> A former CIA officer appears set to be extradited to Italy over allegations about her role in the kidnapping and “extraordinary rendition” of an Egyptian man during the George W. Bush administration. Sabrina de Sousa told news outlets on Wednesday that the extradition process has already begun after the constitutional court in Portugal rejected her final appeal. If the process is finalized, she would become the first person to ever be charged, extradited and jailed over the CIA’s “extraordinary rendition” program, which was carried out under the Bush administration to seize suspected terrorists and bring them to another country for interrogation.
>
> In 2014, de Sousa was convicted in absentia by an Italian court for participating in the 2003 abduction of Egyptian cleric Hassan Mustafa Osama Nasr off a street in Milan and ferrying him to be questioned in Egypt. According to his wife and Italian prosecutors, the cleric, also known as Abu Omar, was subjected to beatings and electric shocks to his genitals.
Such is the political background which underlines the urgent necessity for projects like the Tor Browser hardening program.
I hope Tor users will consider making a donation to support browser hardening, reproducible builds, and other TP initiatives intended to counter unconstitutional state-sponsored-hacking and dragnet surveillance.
It fails to run on Debian 8 x64. Debugging output:
Launching './Browser/start-tor-browser --detach --debug --log'...
Logging Tor Browser debug information to tor-browser.log
=================================================================
==5871==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200003d074 at pc 0x7f9fa642e7a6 bp 0x7ffe57932cf0 sp 0x7ffe579324a0
READ of size 5 at 0x60200003d074 thread T0
ASAN:SIGSEGV
==5871==AddressSanitizer: while reporting a bug found another one. Ignoring.
When is this happening? During start-up? I guess you are running into https://bugs.torproject.org/19400. Does the Update 4 on https://vbdvexcmqi.oedi.net/blog/tor-browser-601-released help? Does it happen, too, with a freshly downloaded, clean 6.5a1-hardened?
It always happens. It never starts at all. If I run without the debug log then nothing happens, with debugging I get the message I posted above and that is it.
I had the same issue with 6.01a hardened and could not run it. Both were clean downloads. No browser appears or no dialog to establish connection and build the circuit ever appear.
Since the browser never starts I can not say for sure if it is related to the issue mentioned in update 4.
Let me know if there is anything else I can do to help. Thank you all for your hard work!
Interesting. Could you get a proper stack trace by following https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Us… ("Starting firefox from inside gdb" is the way to go after getting the debug symbols in place)?
I followed the instructions and made sure to add the hardened browser debug symbols to Browser/.debug
EDIT: I omitted the stack trace for security reasons, gk.
I'm not too familiar with gdb so if I have done this wrong I'll happily try again.
Thanks, this looks good to me. Looking at the stack trace I think this is no bug in Firefox itself which is good. It is either one in the ASan code itself or one of your system libraries. Do you have your Debian customized somehow which would be relevant for getting this reproduced on a different machine? Is your system up-to-date?
Thanks gk.
It was a standard base install with a minimal kde desktop on top of it. It is using the current Debian stable kernel, 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux with apparmor installed but I have not configured a profile for the tor browser and to be sure I tested it with the apparmor service disabled. The system is kept up to date.
So, I tested with a live cd today using the KDE flavor and I did not have issues. One idea to look at further is to check whether we both had the same versions of the libraries/packages involved installed, like libqtcurve.so etc. Could you check that on your side and report them back?
[07-02 17:03:51] Torbutton INFO: tor SOCKS: https://vbdvexcmqi.oedi.net/blog/tors-innovative-metrics-program-receiv… via torproject.org:0
[07-02 17:03:51] Torbutton INFO: controlPort >> 650 STREAM 50 NEW 0 vbdvexcmqi.oedi.net:443 SOURCE_ADDR=127.0.0.1:49555 PURPOSE=USER
[07-02 17:03:52] Torbutton INFO: controlPort >> 650 STREAM 50 SENTCONNECT 9 vbdvexcmqi.oedi.net:443
[07-02 17:03:52] Torbutton INFO: controlPort >> 650 STREAM 50 REMAP 9 138.201.14.196:443 SOURCE=EXIT
[07-02 17:03:52] Torbutton INFO: controlPort >> 650 STREAM 50 SUCCEEDED 9 138.201.14.196:443
[07-02 17:08:28] Torbutton INFO: tor SOCKS: https://vbdvexcmqi.oedi.net/misc/jquery.js via torproject.org:0
Who thinks almost 5 mins???