New Release: Tor Browser 8.0.4
This release features important security updates to Firefox.
Tor Browser 8.0.4 contains updates to Tor (0.3.4.9), OpenSSL (1.0.2q) and other bundle components. Additionally, we backported a number of patches from our alpha series where they got some baking time. The most important ones are:
- a defense against protocol handler enumeration which should enhance our fingerprinting resistance,
- enabling Stylo for macOS users by bypassing a reproducibility issue caused by Rust compilation and
- setting back the sandboxing level to 5 on Windows (the Firefox default), after working around some Tor Launcher interference causing a broken Tor Browser experience.
Moreover, we ship an updated donation banner for our year-end donation campaign.
The full changelog since Tor Browser 8.0.3 is:
- All platforms
  - Update Firefox to 60.4.0esr
  - Update Tor to 0.3.4.9
  - Update OpenSSL to 1.0.2q
  - Update Torbutton to 2.0.9
  - Update HTTPS Everywhere to 2018.10.31
  - Update NoScript to 10.2.0
  - Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
  - Bug 25794: Disable pointer events
  - Bug 28608: Disable background HTTP response throttling
  - Bug 28185: Add smallerRichard to Tor Browser
- OS X
- Build System
  - All Platforms
    - Bug 27218: Generate multiple Tor Browser bundles in parallel
- All Platforms
What do you mean with "no text will work"?
I looked into it more. One or several fonts don't work correctly in 8.0.4. It isn't a particular website and not on every website. 8.0.3 works flawlessly. Here are the screenshots to explain better. I don't think it's the tor protocol.
What is the cause for this?
Hard to say. My guess is some software on your system interfering with Tor Browser. Looking at the Changelog for 8.0.4 I somehow doubt this is caused by any of our changes. But maybe that's some weird sandboxing related thing. Does opening about:config and setting 2 (and restarting) solve this problem?
security.sandbox.content.level is and was set to 2 already for many reboots and TorBrowser restarts as well. I didn't ever change it. My guess is this setting was and is set to 2 all along. After reading the Changelogs I also doubt if those changes could be the cause. Windows can't be the problem. All TorBrowsers since 4.0.0 and all versions before that run very well. It isn't very likely that some software could pose a problem. 8.0.3 runs. It is only 8.0.4 that suddenly has a bit of a difficulty.
Some software interfering with Tor Browser I would have noticed and would have cleared the problem. It would have happened in previous versions, but it didn't.
Did the compiler say anything? Perhaps messages different between 8.0.3 and 8.0.4?
But the sandbox level should be on "5" now after the update. So, I wonder what went wrong in your case, or did you set that preference to "2" yourself?
Additionally, it would not be the first time that minor version updates, especially if they contain updates to Tor as well (which this version does), cause issues with installed Antivirus/Firewall software. So, I would not dismiss that option right from the beginning.
Found the problem. 8.0.4 works on bare metal but not in VirtualBox. Previous versions work both ways, including 8.0.3.
Ah, interesting, thanks. I wonder why that is the case. Is that related to the sandboxing level 5 now? Or is there something else that comes to mind?
Doubtful if VB can support alternate desktop.
Tried both sandboxing levels 5 and 2. 8.0.4 won't run correctly inside of a VirtualBox VM. Seems sandboxing isn't the problem. No Antivirus. Guest Additions installed. Flashplayer installed, not as plugin or addon.
But aside from that, 8.0.3 and previous versions prevail.
Tried the partial update from 8.0.3 to 8.0.4 and the complete new download of 8.0.4. Doesn't work both ways.
But overwriting the old \Tor directory with the new one, it works with all versions up to 8.0.3.
Interesting. Can you test some alpha bundles and report back the first one that contains the bug (assuming it manifests there as well)? Relevant alphas are 8.5a1-8.5a6 (inclusive) and bundles can be found at: https://archive.torproject.org/tor-package-archive/torbrowser/. Thanks!
TorBrowser 8.5a3 is the 1st version that contains the bug.
That's a bit mysterious as none of the changes in 8.5a3 made it into 8.0.4, but thanks a lot. We'll need to investigate more, which will be done in https://trac.torproject.org/projects/tor/ticket/29032 (please help if you can).