[SRU] Version checking error in torbrowser-launcher since Tor Browser 10.0 was released

Bug #1896752 reported by AsciiWolf on 2020-09-23
This bug affects 1 person
Affects: torbrowser-launcher (Ubuntu), status tracked in Groovy
  Bionic: importance Undecided, assigned to Thomas Ward
  Focal: importance Undecided, assigned to Thomas Ward
  Groovy: importance Undecided, Unassigned

Bug Description

[Impact]
Because of poor version string checking, the torbrowser-launcher package fails to recognize Tor Browser 10 and later as a valid version that is 'newer' than the previous versions. As such, the torbrowser-launcher package fails to update Tor Browser.

[Test Case]
(1) Install torbrowser-launcher
(2) Attempt to update
(3) The Tor Browser version check will fail, and the Tor Browser version won't update.

[Regression Potential]
Thomas Ward reviewed the python changes relevant to this and they are superior to the previous version checking system. To that end, the fix for this issue should be non-breaking with very little risk of a regression.

[racb] Version comparison code (of Tor upstream) is being changed, so we might have missed some other area where a version comparison is required.

[Original Bug Description]

torbrowser-launcher does not work anymore since yesterday's Tor Browser 10.0 release. There is already a simple fix available as a PR in the upstream GitHub repository: https://github.com/micahflee/torbrowser-launcher/pull/499

I will fix this in Focal as part of the #1896085 SRU, however it will also need to be fixed in Groovy.

vodopad27 (family-gan) wrote :

I have the following error:
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.2
https://github.com/micahflee/torbrowser-launcher
Your version of Tor Browser is out-of-date. Downloading the newest version.
Downloading https://aus1.torproject.org/torbrowser/update_3/release/Linux_x86_64-gcc3/x/en-US

Is it related to this topic? Or should I create a new topic?

AsciiWolf (asciiwolf) wrote :

vodopad27, I am not sure. The error message this regression is causing is: "The version of Tor Browser you have installed is earlier than it should be, which could be a sign of an attack!"
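
Why a version check can reject 10.0 as "earlier than it should be", shown as an added example (not code from torbrowser-launcher or from the patch in this report). It assumes the old check compared version strings character by character, which the report does not spell out; the parser, function names and sample pairs are constructed for illustration.

```python
import re

# Accepts "9.5.4", "10.0" and alpha/beta forms such as "10.0a7".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:([ab])(\d+))?$")

def parse_version(text):
    """Return a tuple that orders versions numerically, pre-releases first."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()                      # "10.0" and "10" compare equal
    # Final releases rank after alphas and betas of the same number.
    pre = ("ab".index(m.group(2)), int(m.group(3))) if m.group(2) else (2, 0)
    return tuple(release), pre

def naive_is_older(installed, minimum):
    """Character-by-character string comparison (the assumed failure mode)."""
    return installed < minimum

def is_older(installed, minimum):
    """Numeric comparison of the parsed components."""
    return parse_version(installed) < parse_version(minimum)

def audit(pairs):
    """Sort (installed, minimum) pairs by how the naive check goes wrong."""
    result = {"false_alarm": [], "missed": []}
    for installed, minimum in pairs:
        naive, correct = naive_is_older(installed, minimum), is_older(installed, minimum)
        if naive and not correct:
            result["false_alarm"].append((installed, minimum))
        elif correct and not naive:
            result["missed"].append((installed, minimum))
    return result

# Constructed sample pairs, not taken from the launcher or the bug report.
SAMPLE_PAIRS = [
    ("10.0", "9.5.4"),   # newer install rejected as "earlier than it should be"
    ("9.10", "9.9"),     # same problem within a major version
    ("9.5", "10.0"),     # genuinely older install that the string check accepts
    ("8.5", "9.0"),      # both checks agree: older
    ("10.0a7", "10.0"),  # alpha precedes the final release
]

if __name__ == "__main__":
    for kind, found in audit(SAMPLE_PAIRS).items():
        print(kind, found)
```

The string check fails in both directions: it raises the downgrade warning for a newer install, and it lets a genuinely older one through.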

Thomas Ward (teward) on 2020-09-24
Changed in torbrowser-launcher (Ubuntu Focal):
assignee: nobody → Thomas Ward (teward)
Changed in torbrowser-launcher (Ubuntu Groovy):
assignee: nobody → Thomas Ward (teward)
Changed in torbrowser-launcher (Ubuntu Focal):
status: New → In Progress
Changed in torbrowser-launcher (Ubuntu Groovy):
status: New → In Progress
Thomas Ward (teward) on 2020-09-25
Changed in torbrowser-launcher (Ubuntu Groovy):
status: In Progress → Fix Released
assignee: Thomas Ward (teward) → nobody
Thomas Ward (teward) on 2020-09-28
description: updated
summary: Version checking error in torbrowser-launcher since Tor Browser 10.0 was
- released
+ [SRU] released
summary: - Version checking error in torbrowser-launcher since Tor Browser 10.0 was
- [SRU] released
+ [SRU] Version checking error in torbrowser-launcher since Tor Browser
+ 10.0 was released
Robie Basak (racb) on 2020-09-29
description: updated

Hello AsciiWolf, or anyone else affected,

Accepted torbrowser-launcher into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.3.2-9ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in torbrowser-launcher (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
AsciiWolf (asciiwolf) wrote :

I have tested the provided torbrowser-launcher 0.3.2-9ubuntu1 build from focal-proposed on a fully-updated Ubuntu 20.04 system. I am no longer able to reproduce the issue and torbrowser-launcher now works properly.

tags: added: verification-done-focal
removed: verification-needed-focal
Thomas Ward (teward) on 2020-10-06
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package torbrowser-launcher - 0.3.2-9ubuntu1

---------------
torbrowser-launcher (0.3.2-9ubuntu1) focal; urgency=medium

  * This is a bug-fix only upload to address several significant bugs
    found in the Tor Browser launcher package.
  * Patches backported from Debian Unstable release and Debian Salsa git
    repository for the package into the Focal package to fix issues.
    The following patches were added in d/patches and added to the quilt
    series file in the stated order:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0030-Use-gpg-instead-of-gpg2.patch: Use /usr/bin/gpg instead of the
      /usr/bin/gpg2 symlink due to gnupg2 transitional package not being
      part of default installations. (LP: #1897306)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)
    - 0032-apparmor-allow-Browser-to-memory-map-libstdc.patch: Allow
      apparmor profile to access and memory map libstdc, due to AppArmor
      default DENY on access causing issues. (LP: #1897302)

 -- Thomas Ward <email address hidden> Sun, 27 Sep 2020 14:34:53 -0400

Changed in torbrowser-launcher (Ubuntu Focal):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for torbrowser-launcher has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thomas Ward (teward) wrote :

This issue impacts older versions of the launcher in Bionic as well - discovered while working on Bionic SRU fixes for https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1856895

Changed in torbrowser-launcher (Ubuntu Bionic):
assignee: nobody → Thomas Ward (teward)
status: New → In Progress
Thomas Ward (teward) wrote :
tags: added: verification-needed-bionic
tags: removed: verification-needed-bionic

Hello AsciiWolf, or anyone else affected,

Accepted torbrowser-launcher into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.2.9-2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in torbrowser-launcher (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Thomas Ward (teward) wrote :

Tested and confirmed working in Bionic with proposed packages.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package torbrowser-launcher - 0.2.9-2ubuntu1

---------------
torbrowser-launcher (0.2.9-2ubuntu1) bionic; urgency=medium

  * This is a stable release update to address issues with Tor Browser
    install verification.
  * Patches added to d/patches:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)

 -- Thomas Ward <email address hidden> Mon, 12 Oct 2020 09:45:44 -0400

Changed in torbrowser-launcher (Ubuntu Bionic):
status: Fix Committed → Fix Released