Some stack canaries are still missing on Tor Browser binaries
It seems that the following binaries have missing stack canaries:
libmozalloc.so libnssckbi.so libplc4.so libplds4.so TorBrowser/Tor/libgmpxx.so TorBrowser/Tor/libgmpxx.so.4 TorBrowser/Tor/libgmpxx.so.4.3.3 TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so
Activity
Si vous recherchez à vous protéger efficacement contre les cambrioleurs, il convient d'investir dans un coffre-fort agréé. Une armoire forte pour armes longues servira éventuellement pour le stockage des fusils de chasse pour ranger vos archives et dossiers importants. Une alarme n'est pas suffisante, les cambrioleurs savent où trouver vos valeurs et liquidités et fond des raids éclairs pour repartir avec vos valeurs, avant que le voisinage ait eu le temps d'alerter la police ou la gendarmerie. Un coffre-fort agréé et homologué qui sera correctement fixé au sol permettra de mettre les cambrioleurs en échec, ils n'auront d'autre choix que de s'enfuir pour ne pas se faire prendre.
Trac:
Username: JamesTow
libgmpxx is no issue anymore since legacy/trac#13588 (moved) got fixed.
libmozalloc.so libnssckbi.so libplc4.so libplds4.soWas any of those reported as protected for any previous versions?
hardening-wrapper(1.25) packaged forlucidusing-fstack-protectorwhich can't cover any functions from those libs (it needs proof, but brief reading code show that functions are small enough to be protected). If no protected functions then no detection code compiled and no canaries support reported.Shouldn't you pass SSP flags to
DLLFLAGSto get it working with NSS, like in https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/firefox/build#n77?Trac:
Status: new to needs_information
Summary: Some stack canaries are still missing on Tor Browser binaries on Linux to Some stack canaries are still missing on Tor Browser binaries-
Replying to cypherpunks:
Shouldn't you pass SSP flags to
DLLFLAGSto get it working with NSS, like in https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/firefox/build#n77?This issue happens on Linux, so it seems that
DLLFLAGSwon't help us here. Or are you referring to comment:12? 
The current list of binaries that we skip in our
readelf_stack_canarytest is:abicheck gtk2/libmozgtk.so libmozalloc.so libmozgtk.so libnssckbi.so libplc4.so libplds4.so TorBrowser/Tor/libstdc++/libstdc++.so.6 TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so TorBrowser/Tor/PluggableTransports/fte/cDFA.so TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so TorBrowser/Tor/PluggableTransports/meek-client TorBrowser/Tor/PluggableTransports/obfs4proxy-
From https://wiki.debian.org/HardeningWalkthrough:
Stack Protected: When an executable was built without any character arrays being allocated on the stack, this check will lead to false alarms (since there is no use of stack_chk_fail, even though it was compiled with the correct options. mentioned in issue legacy/trac#15138 (moved)
moved from legacy/trac#13056 (moved)
added Bug label and removed 1 deleted label
mentioned in merge request tor-browser-bundle-testsuite!1 (closed)
added Backlog label
added Security label and removed 1 deleted label
added Roadmap::Future label and removed Backlog label
marked this issue as related to #21448
added All Platforms label
