Tor Browser 7.0.3 is released

by gk | July 27, 2017

Note: Tor Browser 7.0.3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.0.2.

Tor Browser 7.0.3 is now available for our Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support, Firefox allows proxy settings to be bypassed, as it ships a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL, the operating system may connect directly to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser, are unaffected, though.

The bug got reported to us yesterday by Julian Jackson (@atechdad) via our HackerOne bug bounty program. Thanks! We are not aware of it being exploited in the wild.

We are currently preparing updated Linux bundles for our alpha series, and they should go live within the next couple of hours. Meanwhile, Linux users on that series are strongly encouraged to use the stable bundles or one of the above-mentioned tools that are not affected by the underlying problem.

Here is the full changelog since 7.0.2:

  • Linux
    • Bug 23044: Don't allow GIO supported protocols by default

Comments

Please note that the comment area below has been archived.

Probably a better way than this but I did this as a quick and dirty.
whereis gvfs
gvfs: /usr/lib64/gvfs /usr/share/gvfs /usr/share/man/man7/gvfs.7.gz

As you can see my system has gvfs and the man for it. I assume this means this is a good bug fix for me.
Thanks Tor guys/gals.

July 27, 2017

Thanks a lot Julian Jackson and your HackerOne bug bounty program!
Updated: Priority changed from Medium to Immediate

July 28, 2017

Where can I read more details about this? What kind of URLs could be used, how would it work, etc.

July 28, 2017

Is it just an issue if someone clicks on a link or is FF already fetching information without clicking on the link? (Because if FF tries to fetch information about the site without clicking, could it not affect Tor Messenger and Thunderbird/Torbirdy, too?)

July 29, 2017

Is it safe to update the browser addons (HTTPS Everywhere + NoScript) through the Tor Network or should we use what ships with the current version of TBB even if they are outdated?

July 30, 2017

Might be a bit off topic but I believe this started with the release of TB 7.x versions.

The encryption part of signing up for a Tutanota account takes forever and then fails with an error message.

The same happens when trying to download from mega.nz. Decryption takes very long and after it finishes you receive an error about blob resources.

It seems the problem lies with the new spawning of Web Content processes and blob resources.

Is there a way to "fix" this?

July 31, 2017

In reply to gk

Happens on all 3 settings. Although on "low" the en/decryption part is as fast as with TB 6.5.2 on "high" but alas you get an error message and are not able to download the blob.

August 03, 2017

In reply to gk

Too bad you did not post my reply. I would really love to find a solution to this.

As I said, the problem persists on all levels of the security slider although on "low" the javascript calculating part is as fast as it should be but you still can't download the blob in the case of mega.nz.

All is working fine with TB 6.5.2 on "high" security settings.

Here the same problem is discussed with even Tutanota chiming in but they too have no solution. But since the problem lies with TB, how could they?

http://www.emailquestions.com/threads/tutanota-and-tor-broswer.11121/

We believe that previous versions of Tor Browser are affected as well (definitely 6.5.2 which I tested). There is no particular version in which this bug got added, as the offending code has been in Firefox for years.

July 30, 2017

Anyone please solve my problem.
When I use Tor version 7.0.2 it can't download small files such as 15 or 16 KB. Is it the problem of Tor? What should I do?

August 04, 2017

Doesn't this bug affect Tor Tails because of its special design not to allow direct internet connection or because Tor hasn't gvfs?