Skip to content

Bug 43326: Restrict the changes to LD_LIBRARY_PATH.

Pier Angelo Vendrame requested to merge pierov/tor-browser:bug_43326 into tor-browser-128.5.0esr-14.5-1

Merge Info

Issues

Resolves

  • #43326
  • mullvad-browser#xxxxx
  • tor-browser-build#xxxxx

Related

  • tor-browser#xxxxx
  • mullvad-browser#xxxxx
  • tor-browser-build#xxxxx

Merging

Target Branches

  • tor-browser - !fixups to tor-browser-specific commits, new features, security backports
  • base-browser and mullvad-browser - !fixups to base-browser-specific commits, new features to be shared with mullvad-browser, and security backports
    • ⚠️ IMPORTANT: Please list the base-browser-specific commits which need to be cherry-picked to the base-browser and mullvad-browser branches here

Target Channels

  • Alpha: esr128-14.5
  • Stable: esr128-14.0
  • Legacy: esr115-13.5

Backporting

Timeline

  • No Backport (preferred): patchset for the next major stable
  • Immediate: patchset needed as soon as possible
  • Next Minor Stable Release: patchset that needs to be verified in nightly before backport
  • Eventually: patchset that needs to be verified in alpha before backport

(Optional) Justification

  • Emergency security update: patchset fixes CVEs, 0-days, etc
  • Censorship event: patchset enables censorship circumvention
  • Critical bug-fix: patchset fixes a bug in core-functionality
    • Gentoo issued an update that made some system libraries we depend on link to OpenSSL 3.2.x. However, we ship OpenSSL 3.0.x and put in LD_LIBRARY_PATH, preventing the browser from starting.
    • A workaround exists: users can comment/remove LD_LIBRARY_PATH in firefox or remove OpenSSL, but it'll cause trouble when updating (a full update should resolve the problems though)
    • We've just released, and the next release is expected on January 😒
  • Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
  • Sponsor required: patchset required for sponsor
  • Localization: typos and other localization changes that should be also in the release branch
  • Other: please explain

Issue Tracking

Review

Request Reviewer

  • Request review from an applications developer depending on modified system:
    • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since Gitlab only allows 1 reviewer)
    • accessibility : henry
    • android : clairehurst, dan
    • build system : boklm
    • extensions : ma1
    • firefox internals (XUL/JS/XPCOM) : jwilde, ma1
    • fonts : pierov
    • frontend (implementation) : henry
    • frontend (review) : donuts, morgan
    • localization : henry, pierov
    • macOS : clairehurst, dan
    • nightly builds : boklm
    • rebases/release-prep : dan, ma1, pierov, morgan
    • security : jwilde, ma1
    • signing : boklm, morgan
    • updater : pierov
    • windows : jwilde, morgan
    • misc/other : pierov, morgan

/cc @morgan for backport decisions.

Change Description

We ship an updated copy of OpenSSL from the LTS channel because we target also very old Linux systems.

However, we also depend on some system libraries, which might link to the newest channel instead.

At least that's been the case with a recent update on Gentoo.

The tor daemon is a process on its own, so we can change LD_LIBRARY_PATH only for it, rather than updating it before starting the browser. This solves the problem.

How Tested

Testbuild: https://tb-build-03.torproject.org/~pierov/testbuild/tor-browser-linux-x86_64-testbuild-43326.tar.xz

Tor seems to work normally.

I was told from the reporter it fixed the problem for them.

Edited by Pier Angelo Vendrame

Merge request reports