Tor Browser 7.0.3 is released
Note: Tor Browser 7.0.3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.0.2.
Tor Browser 7.0.3 is now available for our Linux users from the Tor Browser Project page and also from our distribution directory.
This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support, Firefox allows proxy settings to be bypassed, as it ships a whitelist of supported protocols that are handed to GIO rather than to the configured proxy. Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser, are unaffected.
The bug was reported to us yesterday by Julian Jackson (@atechdad) via our HackerOne bug bounty program. Thanks! We are not aware of it being exploited in the wild.
We are currently preparing updated Linux bundles for our alpha series and they should go live within the next couple of hours. Meanwhile, Linux users on that series are strongly encouraged to use the stable bundles or one of the above-mentioned tools that are not affected by the underlying problem.
Here is the full changelog since 7.0.2:
- Linux
  - Bug 23044: Don't allow GIO supported protocols by default
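As an added example (not Tor Project code), the following script shows how a Linux user can check whether their profile is still exposed to the GIO proxy bypass described above. It assumes that the whitelist Firefox hands to GIO is the preference `network.gio.supported-protocols` (the 7.0.3 fix empties it) and that a GIO/GVfs stack is detectable via the `gio` binary or a `gvfs` library directory; the prefs file content is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Tor Project code. Checks whether a Linux Tor Browser
# profile is still exposed to the GIO proxy bypass fixed in 7.0.3.
# Assumption: the whitelist Firefox hands to GIO is the preference
# network.gio.supported-protocols; the fix sets it to "".

# gio_whitelist FILE: print the scheme whitelist set by the last matching
# pref()/user_pref() line in FILE, an empty line if it is set to "", or
# DEFAULT when FILE never sets it (Firefox's built-in list then applies).
gio_whitelist() {
  key='network.gio.supported-protocols'
  if grep -q "^ *\(user_\)\{0,1\}pref(\"$key\"" "$1"; then
    sed -n "s/^ *\(user_\)\{0,1\}pref(\"$key\", *\"\([^\"]*\)\");.*/\2/p" "$1" | tail -n 1
  else
    printf 'DEFAULT\n'
  fi
}

# host_has_gio: succeed when a GIO/GVfs stack is installed, which is what
# lets Firefox open whitelisted schemes outside the Tor proxy.
host_has_gio() {
  command -v gio >/dev/null 2>&1 || [ -d /usr/lib/gvfs ] || [ -d /usr/lib64/gvfs ]
}

# gio_bypass_verdict FILE yes|no: combine the pref value with GIO presence.
gio_bypass_verdict() {
  wl=$(gio_whitelist "$1")
  if [ "$2" != yes ]; then
    printf 'not-affected (no GIO/GVfs on this host)\n'
  elif [ -z "$wl" ]; then
    printf 'not-affected (GIO whitelist empty, as in 7.0.3)\n'
  elif [ "$wl" = DEFAULT ]; then
    printf 'affected (Firefox default GIO whitelist in effect)\n'
  else
    printf 'affected (schemes handed to GIO: %s)\n' "$wl"
  fi
}

# Demo on a constructed prefs file; point it at the prefs.js or user.js of
# your own Tor Browser profile instead (path is a placeholder here).
demo=$(mktemp)
printf 'user_pref("network.gio.supported-protocols", "smb:,sftp:");\n' > "$demo"
if host_has_gio; then gio_present=yes; else gio_present=no; fi
gio_bypass_verdict "$demo" "$gio_present"
rm -f "$demo"
```

A whitelist that is non-empty on a host with GVfs is the combination the advisory describes; after the 7.0.3 update the profile's preference should read back as empty.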
Comments
Please note that the comment area below has been archived.
How do I get to know if my Linux installation has this problem or not?
Thanks.
You can check if gvfs packages are installed on your system. If gvfs is available, you are probably affected. Updating to version 7.0.3 should solve it.
Probably a better way than this but I did this as a quick and dirty.
whereis gvfs
gvfs: /usr/lib64/gvfs /usr/share/gvfs /usr/share/man/man7/gvfs.7.gz
As you can see, my system has gvfs and the man page for it. I assume this means this is a good bug fix for me.
Thanks Tor guys/gals.
Thanks a lot Julian Jackson and your HackerOne bug bounty program!
Updated: Priority changed from Medium to Immediate
My TBB was exploited. It forced a connection to a New Jersey IP address.
Can you share more details about how you believe your Tor Browser is exploited?
If you are seeing the same IP address as the first hop in all the circuits you build, you should know that is completely normal behavior. https://decvnxytmk.oedi.net/docs/faq.html.en#EntryGuards
sandboxed Tor Browser (are unaffected): updated 7.0.3
So? The sandbox tries to keep the user's bundle up to date, and doesn't know that the update isn't applicable.
Great thanks to Julian :-)
Where can I read more details about this? What kind of URLs could be used, how would it work, etc.
Is it just an issue if someone clicks on a link, or is FF already fetching information without clicking on the link? (Because if FF tries to fetch information about the site without clicking, could it not affect Tor Messenger and Thunderbird/TorBirdy, too?)
How much would the NSA pay for this kind of exploit?
How do I check whether gvfs is available or not?
Bad update!
Thanks Obama.
Wah, what a bug!
Thanks for the patch
Is it safe to update the browser addons (HTTPS Everywhere + NoScript) through the Tor Network or should we use what ships with the current version of TBB even if they are outdated?
Please update those extensions whenever an update is available.
How do I configure Wget to use with Tor Browser?
Menu icons have disappeared since tor browser 7.02 release.
What do you mean? Do you have steps for reproducing your problem? Which operating system are you using?
Would you define this as an example of why to use a quality VPN with TOR?
Might be a bit off topic but I believe this started with the release of TB 7.x versions.
The encryption part of signing up for a Tutanota account takes forever and then fails with an error message.
The same happens when trying to download from mega.nz. Decryption takes very long and after it finishes you receive an error about blob resources.
It seems the problem lies with the new spawning of Web Content processes and blob resources.
Is there a way to "fix" this?
On which level is the security slider? If not on "low", does the issue happen as well if it is on "low"?
Happens on all 3 settings. Although on "low" the en/decryption part is as fast as with TB 6.5.2 on "high" but alas you get an error message and are not able to download the blob.
Sorry, forgot to mention that all is working fine on TB 6.5.2 with settings on "high".
Too bad you did not post my reply. I would really love to find a solution to this.
As I said, the problem persists on all levels of the security slider although on "low" the javascript calculating part is as fast as it should be but you still can't download the blob in the case of mega.nz.
All is working fine with TB 6.5.2 on "high" security settings.
Here the same problem is discussed, with even Tutanota chiming in, but they too have no solution. But since the problem lies with TB, how could they?
http://www.emailquestions.com/threads/tutanota-and-tor-broswer.11121/
Okay, I just tried with a vanilla Tor Browser 7.0.3 on Linux and this works as expected. I guess you are on Windows as the link to the Tutanota forum indicates?
Works for me with a fresh 7.0.2 on Windows 7 as well. Hm. What does "Multiprocess Windows" on "about:support" in your Tor Browser say?
Are previous TBB versions affected by this particular bug too? When was this bug added to TBB?
We believe that previous versions of Tor Browser are affected as well (definitely 6.5.2 which I tested). There is no particular version this bug got added as the offending code has been in Firefox for years.
My old 3.6.6 version is also affected...
Anyone, please solve my problem.
When I use Tor version 7.0.2 it can't download small files such as 15 or 16 kB. Is it a problem of Tor? What should I do?
What is happening? And how are you downloading small files?
See also:
https://trac.torproject.org/projects/tor/ticket/8695
GVfs is shit. Pure shit.
Does it affect hidden service .onion addresses as well?
This bug is unrelated to .onion services.
Doesn't this bug affect Tails because of its special design not to allow direct Internet connections, or because Tor hasn't got gvfs?
We have not looked closer but we think Tails is not affected because it does not allow direct Internet connections.
I am looking for a version that is compatible with Mac OS X 10.7.5.
There is none without serious security vulnerabilities, alas.