Delivery-Date: Fri, 12 Feb 2016 01:41:26 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 890D91E06C9;
	Fri, 12 Feb 2016 01:41:24 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id B41AA390B0;
	Fri, 12 Feb 2016 06:41:19 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 15F16390B1
 for <tor-talk@lists.torproject.org>; Fri, 12 Feb 2016 06:41:16 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id goFcqZtVJRDt for <tor-talk@lists.torproject.org>;
 Fri, 12 Feb 2016 06:41:16 +0000 (UTC)
Received: from bilestoad.getfoxyproxy.org (bilestoad.getfoxyproxy.org
 [162.243.99.25])
 by eugeni.torproject.org (Postfix) with ESMTP id E825938CBF
 for <tor-talk@lists.torproject.org>; Fri, 12 Feb 2016 06:41:15 +0000 (UTC)
Received: from www.example.com (tor-exit6-readme.dfri.se [171.25.193.132])
 by bilestoad.getfoxyproxy.org (Postfix) with ESMTPSA id AFC1513561C
 for <tor-talk@lists.torproject.org>; Fri, 12 Feb 2016 06:41:12 +0000 (UTC)
To: tor-talk@lists.torproject.org
References: <1639231455258005@web3h.yandex.ru>
From: Georg Koppen <gk@torproject.org>
Message-ID: <56BD7E7D.7000903@torproject.org>
Date: Fri, 12 Feb 2016 06:41:01 +0000
MIME-Version: 1.0
In-Reply-To: <1639231455258005@web3h.yandex.ru>
Subject: Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the
 graphite font vulnerabilities?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============7927519345794889160=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7927519345794889160==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="raW6DA2jo44oCwMNd19JL21T4BgCfdSNS"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--raW6DA2jo44oCwMNd19JL21T4BgCfdSNS
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Cain Ungothep:
>> I would
>> like to know if Tor Browser 5.5.1 is vulnerable. Thanks
>=20
> Looks like it is:
>=20
> https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?i=
d=3D7a36dbece35a307675f396a019dccf6e431efb44
>=20
> That build corresponds to a branch which includes the commit that
> supposedly fixed bug 1246093, and this commit was only pushed less than=

> 48 hours ago.

Indeed. We plan to get at least a new stable version (5.5.2) out today
which is based on Firefox ESR 38.6.1. Mozilla released 38.6.1 just to
address the Graphite vulnerabilities.

> NOTE: Torbutton's security slider at level "High" says "Some font rende=
ring
> features are disabled" and "[...] The Graphite font rendering mechanism=

> is disabled."  It would be good to know if this prevents the
> vulnerability.

Yes. Both on "High" and "Medium-High" Graphite font rendering is disabled=
=2E

Georg

>> [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
>> [2]:
>> http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite=
=2Ehtml
>> [3]:
>> https://blog.torproject.org/blog/tor-browser-551-released#comment-1559=
68



--raW6DA2jo44oCwMNd19JL21T4BgCfdSNS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWvX6EAAoJELu5eskkaQkDs00P/AyAccIhXVIAWYf8zuzNSUNE
/pxR9+UelMiXkPuTUruWnYnbuodoa5kQFWaLYrm5lqQkvqfxY0mOl3AF8902QOzY
XoJHS8H+uBpWYe1tnKIIC7wAJ7WOgnjthWdYpRKpQEy26Cb+ljEKZJPxgW3Ufxdl
MPtDNSkd5YV4nsWwMbXLmFJadUTryWbtQln67jXq3nGqkKzUppPrNinZ0qXxWY9l
NIw7ntJqn8s5JQGWMoIE/LGA/R+XU6TQcfGyImhqclsz6KCiLxApUjOmNrrbGjkY
ICb95rgY/odiUeruqg3EIBMCXD7kDPTZh7GlmlJA6Y6EmuiaqKt9278K39l9TUz8
zTUYAB9gMMBW8TXeKj71lGfFPWZl915t7rq70GFo2AbHC/vzYxKjTpi7cpQNwnkZ
bLeLhR97Gh9j0/ZiPaVMfjTeRvXmUIpq4yTQX3EZ/Xg/63ro1kYOTkJdcsb8EcNt
gpT50FFC3KvW2sAJB5gtSONEL6TVjufgZk4qft695Pw+nkL7cQIfpW3/MIeGcToq
4alOWhX2nHr70lX8L/f/e1NUAzJoImYQ4/ACHbSucRJ46rAVWW33bsuHMkBcJQEf
7hR7JyvWxcbfpq8MbO1IytNrzJZhkQ9AyymdL/yeDWWxtJUDd7Mgj5YjW+NFBROM
DwHXgdqqQMrMc0ZuJVHt
=6HO2
-----END PGP SIGNATURE-----

--raW6DA2jo44oCwMNd19JL21T4BgCfdSNS--

--===============7927519345794889160==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============7927519345794889160==--

