Delivery-Date: Mon, 10 Aug 2015 22:08:15 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id D31F71E0A34;
	Mon, 10 Aug 2015 22:08:13 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 4DE28350B6;
	Tue, 11 Aug 2015 02:08:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 0B34521BF5
 for <tor-talk@lists.torproject.org>; Tue, 11 Aug 2015 02:08:04 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Q8rV-jEhVncY for <tor-talk@lists.torproject.org>;
 Tue, 11 Aug 2015 02:08:03 +0000 (UTC)
Received: from turtles.fscked.org (turtles.fscked.org [76.73.17.194])
 by eugeni.torproject.org (Postfix) with ESMTP id DFDE821001
 for <tor-talk@lists.torproject.org>; Tue, 11 Aug 2015 02:08:03 +0000 (UTC)
Date: Mon, 10 Aug 2015 19:07:36 -0700
From: Mike Perry <mikeperry@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150811020736.GC2384@torproject.org>
References: <1500381438946702@web22h.yandex.ru> <2354332.somlbLvzk6@mvnjuthzeh>
MIME-Version: 1.0
In-Reply-To: <2354332.somlbLvzk6@mvnjuthzeh>
Subject: Re: [tor-talk] pdf with tor
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2461263811793478827=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


--===============2461263811793478827==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="H8ygTp4AXg6deix2"
Content-Disposition: inline


--H8ygTp4AXg6deix2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tor-admin@torland.me:
> On Friday 07 August 2015 13:25:02 Cain Ungothep wrote:
> > > Well, Mozilla announced a secadv for pdf.js recently, so there's that.
> > >=20
> > > https://www.mozilla.org/en-US/security/advisories/mfsa2015-69/
> >=20
> > Ugh, here comes another:
> >=20
> > https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
> >=20
> > This one seems specially nasty in the context of Tor. Notice the follow=
ing=20
> sentence:
> > > Mozilla has received reports that an exploit based on this vulnerabil=
ity
> > > *has been found in the wild*.
> >=20
>=20
> As long as the Mozilla fix is not consumed by TBB you can prevent TBB fro=
m=20
> opening PDF document using pdf.js. Open about:config and toggle=20
> *pdfjs.disabled* to true. Now TBB asks for an external pdf viewer when it=
=20
> receives a pdf document.=20

FYI: The PDF.js exploit in the wild does not affect TBB 4.5 users. It
exploited a specific property of Firefox 38 that did not apply to
Firefox 31[1]. Unfortunately, this does mean our 5.0a3/5.0a4 alpha users
are vulnerable, since they are based on Firefox 38. The "High" Security
Slider setting will block the exploit even for those users, since
Javascript is required for it to function.=20

We don't recommend disabling pdf.js long-term via pref, since every
other PDF reader in existence can deanonymize you by loading embedded
remote resources outside of your Tor proxy settings (in addition to
likely being vulnerable to far more serious security issues).

5.0 and 5.5a1 will be out on Tuesday, August 11th (ie: in about 12 hours
or so). 4.5 users will be upgraded to 5.0 (based on Firefox 38-esr, but
with the fix included). 5.0a3 and 5.0a4 users will be upgraded to 5.5a1
(also based on Firefox 38-esr, but with the fix included).


1. https://bugzilla.mozilla.org/show_bug.cgi?id=3D1179262#c33 is the
statement from Mozilla for FF31 not being vulnerable. They have made a
similar statement on the ESR mailinglist (but that does not have open
archives).


--=20
Mike Perry

--H8ygTp4AXg6deix2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVyVjoAAoJEEEC+JXS8eGGQjUQAI2KlMhn9YLqG+HWYuGCSEs3
T9HbdJ9dBY3ePrrvQH91lysBpILclrOYqoOJGKXwdIhTqRVllFlYFv8L1zWiM5Ye
pUFJpf9IsZ2xgG0Vk9eHzy8epp6CKl6ggEmG1/bkXBEfEBskT5dYkEnlRMJxricn
xwGAv4PMN5jSTGMG2FfuKT6iqGpximitzB81Kq0sWPo3LnUC/t8Pmuq2qE9kIM7C
8KnFFTIZDbnc4oKC791lF1pJX1BuyokJ+huZSsXoD5uNSmYZr7PQixjSWSgJHIjy
A31QB8VgAZoiQeoCSBKZSMbL5mbsXP5oImTUnmfbAo8e+FmhbQUh00Z/WpV8plym
Dqz6IxUcWFb2rbEpp7SxQAFc1xhIHUqH6FjSmNNaqpmK+/T5Z74e9zC/AcfTWnax
KBJZ6yhaxrkdswn93KVk3D7uNtXQZEX8dscIud0f5dg/4DcGkf747ml/a/0ATW0T
VzhpPZFg1+I5UWFyed1sq00nC1g306gSkOzaA9IWIpAa+BilIkoJTinVlioJrdGf
iMTMEU7gq3cTyH84c+1Vb80YKq6mOLHUACDINDg4tujjD59mXQhMMjaChowmJuEb
oIorHBN01mr/3nqmAf2uzcd/L4gbt/EU5GmatJHmtU+B6hPiDbyWrwSkh/MEUYo/
T0BzdLQwIlbsiJK0BEvy
=oN9G
-----END PGP SIGNATURE-----

--H8ygTp4AXg6deix2--

--===============2461263811793478827==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============2461263811793478827==--

