Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
CC: Mike Perry
Subject: Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, intrigeri <intrigeri@???> wrote:
> Hi,
>
> that is:
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
> https://security-tracker.debian.org/tracker/CVE-2015-4495
>
> ... apparently only affect Firefox 38.x, so current Tails stable
> (1.4.1) is not affected. Most likely Tails 1.5~rc1 is affected, but
> our AppArmor policy should mitigate the worst possible consequences,
> so I doubt it's worth adding to the RC announce's known
> issues section.
>
> If anyone has more insight or disagrees, let me know.
>


I've heard that the exploit in the wild doesn't work against esr31 - I
haven't heard that it isn't impacted at all. The bad news is that it
isn't fixed in esr31 - so while they have fixes in for ff38 - it isn't
because that was the only problematic version. :-(

( I think the apparmor profile may contain some of the worst aspects
but only until an attacker figures out how to make a hard link. That
is not a super high bar for code execution but will at least stop
random files from being included without a multi-bug payload. )

All the best,
Jacob