commit tor.1142 for openSUSE:12.2:Update

Hello community, here is the log from the commit of package tor.1142 for openSUSE:12.2:Update checked in at 2012-12-07 10:47:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/tor.1142 (Old) and /work/SRC/openSUSE:12.2:Update/.tor.1142.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tor.1142", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-11-30 12:21:47.308011256 +0100 +++ /work/SRC/openSUSE:12.2:Update/.tor.1142.new/tor.changes 2012-12-07 10:47:31.000000000 +0100 @@ -0,0 +1,1843 @@ +------------------------------------------------------------------- +Tue Nov 27 20:28:28 UTC 2012 - andreas.stieger@gmx.de + +- Tear down the circuit when receiving an unexpected SENDME cell. + Prevents circumvention of the network's flow control, exhaustion + of network resources and possible denial-of-service attacks on + entry nodes + [bnc#791374] CVE-2012-5573, adding tor-0.2.2.39-SENDME-DOS.patch + +------------------------------------------------------------------- +Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.39 [bnc#780620] + Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. + CVE-2012-4922 + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. + CVE-2012-4419 + +------------------------------------------------------------------- +Mon Aug 20 19:16:27 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.38 [bnc#776642] + Changes in version 0.2.2.38 - 2012-08-12 + + Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; + fixes a remotely triggerable crash bug; and fixes a timing attack that + could in theory leak path information. + + o Security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. + CVE-2012-3517 + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. + CVE-2012-3518 + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors, but it's best not to take chances. + CVE-2012-3519 + +------------------------------------------------------------------- +Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de + +- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to + fix W: suse-logrotate-user-writable-log-dir in Factory + +------------------------------------------------------------------- +Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.37 + Changes in version 0.2.2.37 - 2012-06-06 + Tor 0.2.2.37 introduces a workaround for a critical renegotiation + bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself + currently). + + o Major bugfixes: + - Work around a bug in OpenSSL that broke renegotiation with TLS + 1.1 and TLS 1.2. Without this workaround, all attempts to speak + the v2 Tor connection protocol when both sides were using OpenSSL + 1.0.1 would fail. Resolves ticket 6033. + - When waiting for a client to renegotiate, don't allow it to add + any bytes to the input buffer. This fixes a potential DoS issue. + Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. + - Fix an edge case where if we fetch or publish a hidden service + descriptor, we might build a 4-hop circuit and then use that circuit + for exiting afterwards -- even if the new last hop doesn't obey our + ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha. + + o Minor bugfixes: + - Fix a build warning with Clang 3.1 related to our use of vasprintf. + Fixes bug 5969. Bugfix on 0.2.2.11-alpha. + + o Minor features: + - Tell GCC and Clang to check for any errors in format strings passed + to the tor_v*(print|scan)f functions. + +------------------------------------------------------------------- +Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.36 + + Changes in version 0.2.2.36 - 2012-05-24 + o Directory authority changes: + - Change IP address for maatuska (v3 directory authority). + - Change IP address for ides (v3 directory authority), and rename + it to turtles. + + o Security fixes: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL + versions have a bug (CVE-2011-4576) in which their block cipher + padding includes uninitialized data, potentially leaking sensitive + information to any peer with whom they make a SSLv3 connection. Tor + does not use SSL v3 by default, but a hostile client or server + could force an SSLv3 connection in order to gain information that + they shouldn't have been able to get. The best solution here is to + upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building + or running with a non-upgraded OpenSSL, we disable SSLv3 entirely + to make sure that the bug can't happen. + - Never use a bridge or a controller-supplied node as an exit, even + if its exit policy allows it. Found by wanoskarnet. Fixes bug + 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) + and 0.2.0.3-alpha (for bridge-purpose descriptors). + - Only build circuits if we have a sufficient threshold of the total + descriptors that are marked in the consensus with the "Exit" + flag. This mitigates an attack proposed by wanoskarnet, in which + all of a client's bridges collude to restrict the exit nodes that + the client knows about. Fixes bug 5343. + - Provide controllers with a safer way to implement the cookie + authentication mechanism. With the old method, if another locally + running program could convince a controller that it was the Tor + process, then that program could trick the controller into telling + it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE" + authentication method uses a challenge-response approach to prevent + this attack. Fixes bug 5185; implements proposal 193. + + o Major bugfixes: + - Avoid logging uninitialized data when unable to decode a hidden + service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha. + - Avoid a client-side assertion failure when receiving an INTRODUCE2 + cell on a general purpose circuit. Fixes bug 5644; bugfix on + 0.2.1.6-alpha. + - Fix builds when the path to sed, openssl, or sha1sum contains + spaces, which is pretty common on Windows. Fixes bug 5065; bugfix + on 0.2.2.1-alpha. + - Correct our replacements for the timeradd() and timersub() functions + on platforms that lack them (for example, Windows). The timersub() + function is used when expiring circuits, while timeradd() is + currently unused. Bug report and patch by Vektor. Fixes bug 4778; + bugfix on 0.2.2.24-alpha. + - Fix the SOCKET_OK test that we use to tell when socket + creation fails so that it works on Win64. Fixes part of bug 4533; + bugfix on 0.2.2.29-beta. Bug found by wanoskarnet. + + o Minor bugfixes: + - Reject out-of-range times like 23:59:61 in parse_rfc1123_time(). + Fixes bug 5346; bugfix on 0.0.8pre3. + - Make our number-parsing functions always treat too-large values + as an error, even when those values exceed the width of the + underlying type. Previously, if the caller provided these + functions with minima or maxima set to the extreme values of the + underlying integer type, these functions would return those + values on overflow rather than treating overflow as an error. + Fixes part of bug 5786; bugfix on 0.0.9. + - Older Linux kernels erroneously respond to strange nmap behavior + by having accept() return successfully with a zero-length + socket. When this happens, just close the connection. Previously, + we would try harder to learn the remote address: but there was + no such remote address to learn, and our method for trying to + learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix + on 0.1.0.3-rc. Reported and diagnosed by "r1eo". + - Correct parsing of certain date types in parse_http_time(). + Without this patch, If-Modified-Since would behave + incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from + Esteban Manchado Velázques. + - Change the BridgePassword feature (part of the "bridge community" + design, which is not yet implemented) to use a time-independent + comparison. The old behavior might have allowed an adversary + to use timing to guess the BridgePassword value. Fixes bug 5543; + bugfix on 0.2.0.14-alpha. + - Detect and reject certain misformed escape sequences in + configuration values. Previously, these values would cause us + to crash if received in a torrc file or over an authenticated + control port. Bug found by Esteban Manchado Velázquez, and + independently by Robert Connolly from Matta Consulting who further + noted that it allows a post-authentication heap overflow. Patch + by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668); + bugfix on 0.2.0.16-alpha. + - Fix a compile warning when using the --enable-openbsd-malloc + configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc. + - During configure, detect when we're building with clang version + 3.0 or lower and disable the -Wnormalized=id and -Woverride-init + CFLAGS. clang doesn't support them yet. + - When sending an HTTP/1.1 proxy request, include a Host header. + Fixes bug 5593; bugfix on 0.2.2.1-alpha. + - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE + command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha. + - If we hit the error case where routerlist_insert() replaces an + existing (old) server descriptor, make sure to remove that + server descriptor from the old_routers list. Fix related to bug ++++ 1646 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.tor.1142.new/tor.changes New: ---- tor-0.2.2.37-logrotate.patch tor-0.2.2.39-SENDME-DOS.patch tor-0.2.2.39.tar.gz tor.changes tor.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tor.spec ++++++ # # spec file for package tor # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: tor Version: 0.2.2.39 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Anonymizing overlay network for TCP (The onion router) License: BSD-3-Clause Group: Productivity/Networking/Security Url: https://www.torproject.org/ Source: https://www.torproject.org/dist/%{name}-%{version}.tar.gz # PATCH-FIX-UPSTREAM tor-0.2.2.37-logrotate.patch -- add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir Patch0: tor-0.2.2.37-logrotate.patch # https://gitweb.torproject.org/arma/tor.git/commitdiff/b9b54568c0bb64c32bd0b3... # PATCH-FIX-UPSTREAM tor-0.2.2.39-SENDME-DOS.patch [bnc#791374] -- Roger Dingledine Patch1: tor-0.2.2.39-SENDME-DOS.patch Requires: logrotate BuildRequires: openssl-devel %if 0%{?suse_version} > 1100 BuildRequires: libevent-devel %else BuildRequires: libevent %endif %define toruser %{name} %define torgroup %{name} %define home_dir /var/lib/empty %description Tor is a connection-based low-latency anonymous communication system. This package provides the "tor" program, which serves as both a client and a relay node. Scripts will automatically create a "%{toruser}" user and a "%{torgroup}" group, and set tor up to run as a daemon when the system is rebooted. Applications connect to the local Tor proxy using the SOCKS protocol. The tor client chooses a path through a set of relays, in which each relay knows its predecessor and successor, but no others. Traffic flowing down the circuit is unwrapped by a symmetric key at each relay, which reveals the downstream relay. Warnings: Tor does no protocol cleaning. That means there is a danger that application protocols and associated programs can be induced to reveal information about the initiator. Tor depends on Privoxy or similar protocol cleaners to solve this problem. This is alpha code, and is even more likely than released code to have anonymity-spoiling bugs. The present network is small -- this further reduces the strength of the anonymity provided. Tor is not presently suitable for high-stakes anonymity. %prep %setup -q %patch0 %patch1 -p1 %build %configure \ --with-tor-user=%{toruser} \ --with-tor-group=%{torgroup} \ --docdir=%{_docdir}/%{name} %__make %{?jobs:-j%{jobs}} %install %makeinstall # missing dirs %{__install} -d -m 700 \ %{buildroot}/var/lib/%{name} \ %{buildroot}/var/tmp/%{name} %{__install} -d -m 755 \ %{buildroot}/var/run/%{name} \ %{buildroot}/var/log/%{name} \ %{buildroot}/%{_sbindir} # control script %__install -p -m 755 contrib/torctl %{buildroot}/%{_bindir} # sample config file %__install -p -m 644 src/config/torrc.sample %{buildroot}/%{_sysconfdir}/%{name}/torrc.sample # init script %__install -D -m 755 contrib/suse/tor.sh %{buildroot}/%{_initrddir}/%{name} %{__ln_s} -f ../..%{_initrddir}/%{name} %{buildroot}%{_sbindir}/rc%{name} # logrotate conf %__sed -i -e "s|_tor|tor|g" contrib/tor.logrotate %__install -D -m 644 contrib/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} %clean %__rm -rf "%{buildroot}" %pre /usr/sbin/groupadd -r %{torgroup} &>/dev/null || : /usr/sbin/useradd -o -g %{torgroup} -s /bin/false -r -c "User to run %{name}" -d %{home_dir} %{toruser} &>/dev/null || : %post %fillup_and_insserv tor %preun %stop_on_removal tor %postun %insserv_cleanup %restart_on_update tor %files %defattr(-,root,root) %doc LICENSE README ChangeLog doc/HACKING doc/TODO doc/*.html %doc %{_mandir}/man*/* %{_bindir}/%{name} %{_bindir}/%{name}ctl %{_bindir}/%{name}ify %{_bindir}/%{name}-gencert %{_bindir}/%{name}-resolve %{_sbindir}/rc%{name} %dir %{_datadir}/%{name} %{_datadir}/%{name}/geoip %config %{_initrddir}/%{name} %config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name} %dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name} %config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/* %attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name} %ghost %attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/run/%{name} %attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} %changelog ++++++ tor-0.2.2.37-logrotate.patch ++++++ Index: contrib/tor.logrotate.in =================================================================== --- contrib/tor.logrotate.in.orig 2012-05-10 21:00:16.000000000 +0100 +++ contrib/tor.logrotate.in 2012-06-15 20:06:22.000000000 +0100 @@ -7,6 +7,7 @@ notifempty # you may need to change the username/groupname below create 0640 _tor _tor + su _tor _tor sharedscripts postrotate /etc/init.d/tor reload > /dev/null ++++++ tor-0.2.2.39-SENDME-DOS.patch ++++++

From b9b54568c0bb64c32bd0b362954bdbc8c1234b16 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Thu, 28 Jun 2012 14:00:01 -0400 Subject: [PATCH] Detect bug 6252 (unexpected sendme cell)

I only check on circuits, not streams, since bloating your stream window past the initial circuit window can't help you much. Also, I compare to CIRCWINDOW_START_MAX so we don't have surprising races if we lower CIRCWINDOW_START for an experiment. --- changes/bug6252 | 8 ++++++++ src/or/relay.c | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 0 deletions(-) create mode 100644 changes/bug6252 diff --git a/changes/bug6252 b/changes/bug6252 new file mode 100644 index 0000000..0d29203 --- /dev/null +++ b/changes/bug6252 @@ -0,0 +1,8 @@ + o Security fixes: + - Tear down the circuit if we get an unexpected SENDME cell. Clients + could use this trick to make their circuits receive cells faster + than our flow control would have allowed, or to gum up the network, + or possibly to do targeted memory denial-of-service attacks on + entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- + from July 2002, before the release of Tor 0.0.0. + diff --git a/src/or/relay.c b/src/or/relay.c index 3f894bf..4ab4403 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, case RELAY_COMMAND_SENDME: if (!conn) { if (layer_hint) { + if (layer_hint->package_window + CIRCWINDOW_INCREMENT > + CIRCWINDOW_START_MAX) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Bug/attack: unexpected sendme cell from exit relay. " + "Closing circ."); + return -END_CIRC_REASON_TORPROTOCOL; + } layer_hint->package_window += CIRCWINDOW_INCREMENT; log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.", layer_hint->package_window); circuit_resume_edge_reading(circ, layer_hint); } else { + if (circ->package_window + CIRCWINDOW_INCREMENT > + CIRCWINDOW_START_MAX) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Bug/attack: unexpected sendme cell from client. " + "Closing circ."); + return -END_CIRC_REASON_TORPROTOCOL; + } circ->package_window += CIRCWINDOW_INCREMENT; log_debug(LD_APP, "circ-level sendme at non-origin, packagewindow %d.", -- 1.7.2.5 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org