| Summary: | www/tor-browser: Update to 13.0.1 |
|---|---|
| Product: | Ports & Packages |
| Component: | Individual Port(s) |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| Priority: | --- |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
| Reporter: | kaltheat <kaltheat> |
| Assignee: | Jesper Schmitz Mouridsen <jsm> |
| CC: | fernape, freebsd, grahamperrin, jsm, ports-secteam, rene |
| Keywords: | needs-patch |
| Flags: | freebsd: maintainer-feedback+ |
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272477 |

Description
kaltheat
2023-08-29 07:42:33 UTC
Hi,

meanwhile there is 12.5.4 from September 13: https://blog.torproject.org/new-release-tor-browser-1254/ with updated openssl and fixed webp-security-issue (12.5.3 from August 29 also fixed security issues ...). I don't know if the other releases also fix security issues, but I think it's highly likely.

It might be a good idea to inform users of this port about its outdated state, so that they do not rely on its security- or anonymity-feature too much - especially as tor-browser comes with these promises ...

Regards
kaltheat

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2e8c97b9bc3f7c6c14c30676f3c32f32c464e97b

commit 2e8c97b9bc3f7c6c14c30676f3c32f32c464e97b
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-09-20 12:21:30 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-09-20 12:21:30 +0000

security/vuxml: Add Tor browser libwebp vulnerability

CVE-2023-4863
Base Score: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

PR: 273416
Reported by: kaltheat <kaltheat@gmail.com>
Security: CVE-2023-4863

security/vuxml/vuln/2023.xml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)

Version 12.5.5 has just been released today, I'll pick this up.

Testing 12.5.6

Created attachment 245337 [details]
update tor-brower to 12.5.6
Created attachment 245338 [details]
connection errors form Browser console
So Tor Browser builds fine on e.g. 12.4-i386 and 14.0-b4-amd64. It also starts on 14.0-b4-amd64 but cannot connect to the Tor network somehow. See the attached log for details. I tried this with both having Tor browser connecting directly to the Tor network (i.e. without setting a SOCKS proxy) and explicitly connecting via the SOCKS proxy exposed by running the security/tor package in client mode on localhost:9050

Connecting to e.g. https://check.torproject.org with vanilla Firefox using the SOCKS proxy works fine, the site confirms Firefox is connecting through the Tor network.

Sanity check #2 : downloading the Linux 12.5.6 version (on a Linux laptop) from https://www.torproject.org/download/ works fine.

freebsd@sysctl.cz ping?

Version 13.0 is out now, based off Firefox ESR 115 which will require quite some rebasing of the patch set.

(In reply to Rene Ladan from comment #6)

openat(AT_FDCWD,"/usr/local/lib/tor-browser/TorBrowser/torrc",O_WRONLY|O_CREAT|O_TRUNC|O_EXCL,0600) ERR#2 'No such file or directory'
openat(AT_FDCWD,"/usr/local/lib/tor-browser/TorBrowser/torrc",O_WRONLY|O_CREAT|O_TRUNC|O_EXCL,0600) ERR#2 'No such file or directory'

Solved by for example:

--- toolkit/components/tor-launcher/TorLauncherUtil.jsm.orig 2023-09-28 09:14:27 UTC +++ toolkit/components/tor-launcher/TorLauncherUtil.jsm @@ -192,7 +192,7 @@ class TorFile { } else { // Windows and Linux still use the legacy behavior. // To avoid breaking old installations, let's just keep it. - this.file = TorFile.appDir; + this.file = TorFile.dataDir; this.file.append("TorBrowser"); } this.file.appendRelativePath(path);

Above makes the profiledir ~/.tor project/firefox/.tor-browser-profiles/rsh9ohpo.default so perhaps the extra patch for profile dir is redundant

(In reply to Rene Ladan from comment #10)

The gecko team did update recently https://github.com/freebsd/freebsd-ports/tree/main/www/firefox-esr

Created attachment 245777 [details]
update to 13.0 with included manual
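
Review bot: the comment directly above the changed assignment in the `else` branch of the `@@ -192,7 +192,7 @@` hunk (TorLauncherUtil.jsm) still reads "Windows and Linux still use the legacy behavior ... let's just keep it", which no longer matches once `this.file = TorFile.dataDir;` replaces `TorFile.appDir`. Update that comment to state why the port diverges (the quoted openat on /usr/local/lib/tor-browser/TorBrowser/torrc fails with ERR#2), and confirm that the `TorBrowser` directory appended on the next line is created under dataDir before torrc is opened with O_CREAT, because the hunk only changes the base path and the same 'No such file or directory' would recur if the parent directory is missing.
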
(In reply to Jesper Schmitz Mouridsen from comment #14)

Thanks, build-testing it now :)

(In reply to Rene Ladan from comment #15)

It fails on 14.0-amd64 during the configure stage with

extracting: /wrkdirs/usr/ports/www/tor-browser/work/firefox-tor-browser-115.3.1esr-13.0-1-build2/tmp-manual/public/zh-TW/updating/index.html
/usr/local/bin/python3.9 /usr/ports/www/tor-browser/files/packagemanual.py /wrkdirs/usr/ports/www/tor-browser/work/firefox-tor-browser-115.3.1esr-13.0-1-build2/tmp-manual/public /wrkdirs/usr/ports/www/tor-browser/work/firefox-tor-browser-115.3.1esr-13.0-1-build2/browser/base/content/manual
make: exec(/usr/local/bin/python3.9) failed (No such file or directory)
*** Error code 1

But lang/python39 is mentioned as a build dependency. Full log at https://people.freebsd.org/~rene/tor-browser-13.0.log

(In reply to Rene Ladan from comment #16)

I tested in an unclean test poudriere interactive jail

What if you move

${PYTHON_CMD} ${FILESDIR}/packagemanual.py ${WRKSRC}/tmp-manual/public ${WRKSRC}/browser/base/content/manual

to last line in pre-configure: instead of post-patch?

(In reply to Jesper Schmitz Mouridsen from comment #17)

That seems to work.

(In reply to Rene Ladan from comment #18)

Some nice to haves would be compiled in localization [1] (seems quite difficult with current build system at my first glance) right now it only knows us-en and you cannot add language packs because of security. Another one would be a pkg-message about noscript or a precompiled profile with noscript included.

[1] https://firefox-source-docs.mozilla.org/build/buildsystem/locales.html

Any other thoughts?

Thanks
/jsm

(In reply to Jesper Schmitz Mouridsen from comment #19)

Trying now with MOZ_CHROME_MULTILOCALE="ar ca da de en-US es-ES fa fr ga-IE he id is it ko nb-NO nl pl pt-BR ru sv-SE tr vi zh-CN zh-TW"

(In reply to Jesper Schmitz Mouridsen from comment #20)

Did not seem to work..

(In reply to Jesper Schmitz Mouridsen from comment #19)

Not currently, but I had one more fix to get it compiling on 2023Q4: add MOZILLA_VER=115.3.1 to Makefile so that Mk/bsd.gecko.mk does not get confused because by default it sets MOZILLA_VER to PORTVERSION. Having MOZILLA_VER=13.0 triggers addition of some PERL environment variables which break the configure stage.

@jsm feel free to take over this PR and commit your patch (don't forget to add MOZILLA_VER=115.3.1 in Makefile in that case)

I will try to build the multilocale edition as well.

Created attachment 246158 [details]
multilocale and with manual

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5bab21c20a580787a9906f4012743287141878d8

commit 5bab21c20a580787a9906f4012743287141878d8
Author: Jesper Schmitz Mouridsen <jsm@FreeBSD.org>
AuthorDate: 2023-11-09 19:16:52 +0000
Commit: Jesper Schmitz Mouridsen <jsm@FreeBSD.org>
CommitDate: 2023-11-09 19:39:10 +0000

www/tor-browser: Update to 13.01

Include locales upfront, the LOCAL/jsm l10n distfile is made by a tor-browser-build of project l10n-firefox. The tpo/translations do not keep tags so two files per locale are out of sync with the linux release.

PR: 273416
PR: 272477
Tested by: Martin Filla freebsd@sysctl.cz,rene@
Approved by: freebsd@sysctl.cz (maintainer)

www/tor-browser/Makefile | 65 +-
www/tor-browser/distinfo | 14 +-
www/tor-browser/files/packagemanual.py (new) | 69 +
www/tor-browser/files/patch-addon-search | 24 +-
.../files/patch-browser-app-nsBrowserApp.cpp | 14 +-
.../files/patch-browser-base-jar.mn (new) | 227 +
.../patch-browser_app_profile_000-tor-browser.js | 16 +-
www/tor-browser/files/patch-bug1427152 (new) | 10 +
www/tor-browser/files/patch-bug1504834_comment5 | 10 +-
.../files/patch-bug1504834_comment9 (gone) | 49 -
www/tor-browser/files/patch-bug1559213 | 39 +-
www/tor-browser/files/patch-bug1626236 | 40 +-
www/tor-browser/files/patch-bug1628567 | 4 +-
www/tor-browser/files/patch-bug1640982 (gone) | 17 -
www/tor-browser/files/patch-bug1659612 | 22 +-
www/tor-browser/files/patch-bug1664115 (gone) | 82 -
.../files/patch-bug1729459_comment12 (gone) | 93 -
www/tor-browser/files/patch-bug847568 | 10 +-
.../patch-gfx_skia_skia_src_base_SkEndian.h (new) | 11 +
...gfx_skia_skia_src_core_SkRasterPipeline.h (new) | 11 +
.../files/patch-i386-protobuf-alignment (new) | 15 +
.../files/patch-js_public_Utility.h (new) | 35 +
.../files/patch-libwebrtc-generate (gone) | 159 -
www/tor-browser/files/patch-libwebrtc-generated | 50556 ++++++++++++++-----
.../files/patch-libwebrtc-powerpc64 (new) | 264 +
.../files/patch-memory_mozalloc_throw__gcc.h | 2 +-
.../patch-modules_fdlibm_src_math__private.h (new) | 27 +
www/tor-browser/files/patch-pipewire_init | 67 +-
...patch-python_mozbuild_mozbuild_gn__processor.py | 21 +-
www/tor-browser/files/patch-rust-1.70.0 (gone) | 33 -
www/tor-browser/files/patch-rust-1.73.0 (gone) | 83 -
...rty_libwebrtc_build_config_BUILDCONFIG.gn (new) | 37 +
..._party_libwebrtc_rtc__base_ip__address.cc (new) | 23 +
...omponents_tor-launcher_TorProcess_sys_mjs (new) | 26 +
...nonents_tor-launcher_TorLauncherUtil.jsm (gone) | 20 -
...compononents_tor-launcher_TorProcess.jsm (gone) | 22 -
.../files/patch-toolkit_torbutton_jar.mn (new) | 80 +
.../files/patch-toolkit_xre_glxtest.cpp (new) | 17 +
.../patch-toolkit_xre_nsXREDirPRovider.cpp (gone) | 14 -
39 files changed, 39157 insertions(+), 13171 deletions(-)