[T(A)ILS-dev] Bug#595375: marked as done (xul-ext-torbutton:…

Author: Debian Bug Tracking System
Date:  
To: Jérémy Bobbio
Subject: [T(A)ILS-dev] Bug#595375: marked as done (xul-ext-torbutton: Leaks fingerprintable User-Agent when extensions.torbutton.spoof_english = false)
Your message dated Thu, 07 Oct 2010 21:47:23 +0000
with message-id <E1P3yJ9-0007MZ-Tx@???>
and subject line Bug#595375: fixed in torbutton 1.2.5-2
has caused the Debian Bug report #595375,
regarding xul-ext-torbutton: Leaks fingerprintable User-Agent when extensions.torbutton.spoof_english = false
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@???
immediately.)


--
595375: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595375
Debian Bug Tracking System
Contact owner@??? with problems
Package: xul-ext-torbutton
Version: 1.2.5-1
Severity: important
Tags: security

Hi,

Context
=======

I am using the default preferences for the following settings:

pref("extensions.torbutton.set_uagent",true);
pref("extensions.torbutton.useragent_override", "Mozilla/5.0 (Windows; U; Windows NT 6.1; LANG; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3");

What works
==========

extensions.torbutton.spoof_english defaults to true in
/usr/share/xul-ext/torbutton/defaults/preferences/preferences.js.

In this default case, the reported User-Agent is:

    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"


i.e. the LANG placeholder is correctly replaced with a standard
looking locale in the torbutton_set_uagent() function.

What does not work
==================

When extensions.torbutton.spoof_english is set to true the reported
User-Agent is:

    "Mozilla/5.0 (Windows; U; Windows NT 6.1; chrome://global/locale/intl.properties; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"


One can see the LANG placeholder is wrongly replaced with
"chrome://global/locale/intl.properties" instead of what is expected
i.e. the value of the "general.useragent.locale" preference setting.

Consequences
============

This leaks usage of Torbutton for users who have disabled the
spoof_english setting. The Torbutton overridden User-Agent feature is
specifically aimed at preventing such fingerprinting. This bug makes
fingerprinting easier while the user thinks it has been made harder.

Hence the security tag and severity important.

Bye,

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

xul-ext-torbutton depends on no packages.

Versions of packages xul-ext-torbutton recommends:
ii  iceweasel           3.5.11-1             Web browser based on Firefox
ii  polipo              1.0.4.1-1.1~squeeze  a small, caching web proxy
ii  tor                 0.2.1.26-1~squeeze+1 anonymizing overlay network for TC


xul-ext-torbutton suggests no packages.

-- no debconf information

--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| Who wants a world in which the guarantee that we shall not
| die of starvation would entail the risk of dying of boredom ?
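
Added example, not part of the original report and not Torbutton's own code: a JavaScript version of the LANG substitution described in the report with a validity check on the locale value, plus an audit of a resulting User-Agent string. The function names, the locale pattern and the fall-back to en-US are assumptions of this example.

```javascript
"use strict";

// Template from the report; LANG is the placeholder to substitute.
const UA_TEMPLATE = "Mozilla/5.0 (Windows; U; Windows NT 6.1; LANG; " +
  "rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3";

// Assumed shape of a plain locale token: language plus optional region
// (en, fr, en-US, pt-BR). Anything else must never reach the wire.
const LOCALE_RE = /^[a-z]{2,3}(-[A-Z]{2})?$/;

// Hypothetical builder. localePref stands for whatever was read from the
// "general.useragent.locale" setting. If it is not a plain locale token
// (for example an unresolved chrome:// reference), fall back to en-US
// instead of emitting a unique string. The fall-back is this example's choice.
function buildUserAgent(template, spoofEnglish, localePref) {
  let locale = "en-US";
  if (!spoofEnglish && LOCALE_RE.test(localePref)) {
    locale = localePref;
  }
  return template.replace("LANG", locale);
}

// Hypothetical audit of a User-Agent string as it would be sent: take the
// parenthesised platform section, split on ';' and check the fourth field,
// which is where the template above places the locale.
function auditUserAgent(ua) {
  const m = /\(([^)]*)\)/.exec(ua);
  if (!m) {
    return { ok: false, locale: null };
  }
  const fields = m[1].split(";").map((s) => s.trim());
  const locale = fields.length > 3 ? fields[3] : null;
  return { ok: locale !== null && LOCALE_RE.test(locale), locale: locale };
}

// The two strings quoted in the report, used here as sample input.
const REPORTED_GOOD = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; " +
  "rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3";
const REPORTED_BAD = "Mozilla/5.0 (Windows; U; Windows NT 6.1; " +
  "chrome://global/locale/intl.properties; rv:1.9.2.3) " +
  "Gecko/20100401 Firefox/3.6.3";

console.log(auditUserAgent(REPORTED_GOOD));
console.log(auditUserAgent(REPORTED_BAD));
console.log(buildUserAgent(UA_TEMPLATE, false, "fr"));
```

The same audit also rejects a string in which the LANG placeholder was left unsubstituted.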



Source: torbutton
Source-Version: 1.2.5-2

We believe that the bug you reported is fixed in the latest version of
torbutton, which is due to be installed in the Debian FTP archive:

iceweasel-torbutton_1.2.5-2_all.deb
to main/t/torbutton/iceweasel-torbutton_1.2.5-2_all.deb
torbutton_1.2.5-2.debian.tar.gz
to main/t/torbutton/torbutton_1.2.5-2.debian.tar.gz
torbutton_1.2.5-2.dsc
to main/t/torbutton/torbutton_1.2.5-2.dsc
xul-ext-torbutton_1.2.5-2_all.deb
to main/t/torbutton/xul-ext-torbutton_1.2.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 595375@???,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Bobbio <lunar@???> (supplier of updated torbutton package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@???)


Format: 1.8
Date: Thu, 07 Oct 2010 23:23:37 +0200
Source: torbutton
Binary: xul-ext-torbutton iceweasel-torbutton
Architecture: source all
Version: 1.2.5-2
Distribution: unstable
Urgency: low
Maintainer: Jérémy Bobbio <lunar@???>
Changed-By: Jérémy Bobbio <lunar@???>
Description: 
 iceweasel-torbutton - transitional dummy package
 xul-ext-torbutton - Iceweasel/Firefox extension enabling 1-click toggle of Tor usage
Closes: 595375
Changes: 
 torbutton (1.2.5-2) unstable; urgency=low
 .
   [ Benjamin Drung ]
   * Remove myself from Uploaders.
 .
   [ Jérémy Bobbio ]
   * Add fix_broken_locale_useragent_string.patch: using Torbutton
     with a localized user agent string on Debian resulted in a bad
     and fingerprintable string. (Closes: #595375)
   * Add fix_captcha_detection_for_encrypted_google.patch: fix captcha
     detection for encrypted.google.com.
   * Document a workaround for #571596 in README.Debian.
   * Bump Standards-Version to 3.9.1, no changes required.