CVE-2016-3180

NameCVE-2016-3180
DescriptionTor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
torbrowser-launcher (PTS)bullseye/contrib0.3.3-6fixed
bookworm/contrib0.3.6-2fixed
sid/contrib, trixie/contrib0.3.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
torbrowser-launchersourcejessie0.1.9-1+deb8u3
torbrowser-launchersource(unstable)0.2.4-1

Notes

https://github.com/micahflee/torbrowser-launcher/issues/229
Search for package or bug name: Reporting problems