Hello community,
here is the log from the commit of package tor.1142 for openSUSE:12.2:Update checked in at 2012-12-07 10:47:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/tor.1142 (Old)
and /work/SRC/openSUSE:12.2:Update/.tor.1142.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tor.1142", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2012-11-30 12:21:47.308011256 +0100
+++ /work/SRC/openSUSE:12.2:Update/.tor.1142.new/tor.changes 2012-12-07 10:47:31.000000000 +0100
@@ -0,0 +1,1843 @@
+-------------------------------------------------------------------
+Tue Nov 27 20:28:28 UTC 2012 - andreas.stieger@gmx.de
+
+- Tear down the circuit when receiving an unexpected SENDME cell.
+ Prevents circumvention of the network's flow control, exhaustion
+ of network resources and possible denial-of-service attacks on
+ entry nodes
+ [bnc#791374] CVE-2012-5573, adding tor-0.2.2.39-SENDME-DOS.patch
+
+-------------------------------------------------------------------
+Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.39 [bnc#780620]
+ Changes in version 0.2.2.39 - 2012-09-11
+ Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
+ assertions.
+
+ o Security fixes:
+ - Fix an assertion failure in tor_timegm() that could be triggered
+ by a badly formatted directory object.
+ CVE-2012-4922
+ - Do not crash when comparing an address with port value 0 to an
+ address policy. This bug could have been used to cause a remote
+ assertion failure by or against directory authorities, or to
+ allow some applications to crash clients.
+ CVE-2012-4419
+
+-------------------------------------------------------------------
+Mon Aug 20 19:16:27 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.38 [bnc#776642]
+ Changes in version 0.2.2.38 - 2012-08-12
+
+ Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
+ fixes a remotely triggerable crash bug; and fixes a timing attack that
+ could in theory leak path information.
+
+ o Security fixes:
+ - Avoid read-from-freed-memory and double-free bugs that could occur
+ when a DNS request fails while launching it.
+ CVE-2012-3517
+ - Avoid an uninitialized memory read when reading a vote or consensus
+ document that has an unrecognized flavor name. This read could
+ lead to a remote crash bug.
+ CVE-2012-3518
+ - Try to leak less information about what relays a client is
+ choosing to a side-channel attacker. Previously, a Tor client would
+ stop iterating through the list of available relays as soon as it
+ had chosen one, thus finishing a little earlier when it picked
+ a router earlier in the list. If an attacker can recover this
+ timing information (nontrivial but not proven to be impossible),
+ they could learn some coarse-grained information about which relays
+ a client was picking (middle nodes in particular are likelier to
+ be affected than exits). The timing attack might be mitigated by
+ other factors, but it's best not to take chances.
+ CVE-2012-3519
+
+-------------------------------------------------------------------
+Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de
+
+- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to
+ fix W: suse-logrotate-user-writable-log-dir in Factory
+
+-------------------------------------------------------------------
+Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.37
+ Changes in version 0.2.2.37 - 2012-06-06
+ Tor 0.2.2.37 introduces a workaround for a critical renegotiation
+ bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
+ currently).
+
+ o Major bugfixes:
+ - Work around a bug in OpenSSL that broke renegotiation with TLS
+ 1.1 and TLS 1.2. Without this workaround, all attempts to speak
+ the v2 Tor connection protocol when both sides were using OpenSSL
+ 1.0.1 would fail. Resolves ticket 6033.
+ - When waiting for a client to renegotiate, don't allow it to add
+ any bytes to the input buffer. This fixes a potential DoS issue.
+ Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
+ - Fix an edge case where if we fetch or publish a hidden service
+ descriptor, we might build a 4-hop circuit and then use that circuit
+ for exiting afterwards -- even if the new last hop doesn't obey our
+ ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha.
+
+ o Minor bugfixes:
+ - Fix a build warning with Clang 3.1 related to our use of vasprintf.
+ Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
+
+ o Minor features:
+ - Tell GCC and Clang to check for any errors in format strings passed
+ to the tor_v*(print|scan)f functions.
+
+-------------------------------------------------------------------
+Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.36
+
+ Changes in version 0.2.2.36 - 2012-05-24
+ o Directory authority changes:
+ - Change IP address for maatuska (v3 directory authority).
+ - Change IP address for ides (v3 directory authority), and rename
+ it to turtles.
+
+ o Security fixes:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
+ versions have a bug (CVE-2011-4576) in which their block cipher
+ padding includes uninitialized data, potentially leaking sensitive
+ information to any peer with whom they make a SSLv3 connection. Tor
+ does not use SSL v3 by default, but a hostile client or server
+ could force an SSLv3 connection in order to gain information that
+ they shouldn't have been able to get. The best solution here is to
+ upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
+ or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
+ to make sure that the bug can't happen.
+ - Never use a bridge or a controller-supplied node as an exit, even
+ if its exit policy allows it. Found by wanoskarnet. Fixes bug
+ 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
+ and 0.2.0.3-alpha (for bridge-purpose descriptors).
+ - Only build circuits if we have a sufficient threshold of the total
+ descriptors that are marked in the consensus with the "Exit"
+ flag. This mitigates an attack proposed by wanoskarnet, in which
+ all of a client's bridges collude to restrict the exit nodes that
+ the client knows about. Fixes bug 5343.
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the controller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185; implements proposal 193.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha.
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+
+ o Minor bugfixes:
+ - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
+ Fixes bug 5346; bugfix on 0.0.8pre3.
+ - Make our number-parsing functions always treat too-large values
+ as an error, even when those values exceed the width of the
+ underlying type. Previously, if the caller provided these
+ functions with minima or maxima set to the extreme values of the
+ underlying integer type, these functions would return those
+ values on overflow rather than treating overflow as an error.
+ Fixes part of bug 5786; bugfix on 0.0.9.
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an
+ existing (old) server descriptor, make sure to remove that
+ server descriptor from the old_routers list. Fix related to bug
++++ 1646 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.tor.1142.new/tor.changes
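Review bot: in the entry for "Detect and reject certain misformed escape sequences in configuration values" the identifier is written "CVE 2012-1668", while every other entry in this changelog uses the hyphenated form ("CVE-2012-4922", "CVE-2012-4419", "CVE-2012-5573"); write it as "CVE-2012-1668" so the file can be searched by CVE id consistently. The same region spells the reporter's name two ways ("Esteban Manchado Velázques" in the parse_http_time() entry, "Esteban Manchado Velázquez" in the escape-sequence entry); pick one. In the top entry, the CVE-2012-5573 fix names only [bnc#791374]; naming the upstream ticket the patch resolves (bug 6252, per the patch Subject) next to tor-0.2.2.39-SENDME-DOS.patch would let readers match the changelog to the backported commit.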
New:
----
tor-0.2.2.37-logrotate.patch
tor-0.2.2.39-SENDME-DOS.patch
tor-0.2.2.39.tar.gz
tor.changes
tor.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tor.spec ++++++
#
# spec file for package tor
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: tor
Version: 0.2.2.39
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: Anonymizing overlay network for TCP (The onion router)
License: BSD-3-Clause
Group: Productivity/Networking/Security
Url: https://www.torproject.org/
Source: https://www.torproject.org/dist/%{name}-%{version}.tar.gz
# PATCH-FIX-UPSTREAM tor-0.2.2.37-logrotate.patch -- add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir
Patch0: tor-0.2.2.37-logrotate.patch
# https://gitweb.torproject.org/arma/tor.git/commitdiff/b9b54568c0bb64c32bd0b3...
# PATCH-FIX-UPSTREAM tor-0.2.2.39-SENDME-DOS.patch [bnc#791374] -- Roger Dingledine
From b9b54568c0bb64c32bd0b362954bdbc8c1234b16 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Thu, 28 Jun 2012 14:00:01 -0400
Subject: [PATCH] Detect bug 6252 (unexpected sendme cell)
I only check on circuits, not streams, since bloating your stream window past the initial circuit window can't help you much. Also, I compare to CIRCWINDOW_START_MAX so we don't have surprising races if we lower CIRCWINDOW_START for an experiment. --- changes/bug6252 | 8 ++++++++ src/or/relay.c | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 0 deletions(-) create mode 100644 changes/bug6252 diff --git a/changes/bug6252 b/changes/bug6252 new file mode 100644 index 0000000..0d29203 --- /dev/null +++ b/changes/bug6252 @@ -0,0 +1,8 @@ + o Security fixes: + - Tear down the circuit if we get an unexpected SENDME cell. Clients + could use this trick to make their circuits receive cells faster + than our flow control would have allowed, or to gum up the network, + or possibly to do targeted memory denial-of-service attacks on + entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- + from July 2002, before the release of Tor 0.0.0. + diff --git a/src/or/relay.c b/src/or/relay.c index 3f894bf..4ab4403 100644 --- a/src/or/relay.c +++ b/src/or/relay.c 
@@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, case RELAY_COMMAND_SENDME: if (!conn) { if (layer_hint) { + if (layer_hint->package_window + CIRCWINDOW_INCREMENT > + CIRCWINDOW_START_MAX) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Bug/attack: unexpected sendme cell from exit relay. " + "Closing circ."); + return -END_CIRC_REASON_TORPROTOCOL; + } layer_hint->package_window += CIRCWINDOW_INCREMENT; log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.", layer_hint->package_window); circuit_resume_edge_reading(circ, layer_hint); } else { + if (circ->package_window + CIRCWINDOW_INCREMENT > + CIRCWINDOW_START_MAX) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Bug/attack: unexpected sendme cell from client. " + "Closing circ."); + return -END_CIRC_REASON_TORPROTOCOL; + } circ->package_window += CIRCWINDOW_INCREMENT; log_debug(LD_APP, "circ-level sendme at non-origin, packagewindow %d.", -- 1.7.2.5 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
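Review bot: the reasoning behind the new checks in the `!conn` branches of `case RELAY_COMMAND_SENDME` lives only in the commit message, not in relay.c: why the bound is `CIRCWINDOW_START_MAX` rather than `CIRCWINDOW_START` (avoiding races if `CIRCWINDOW_START` is lowered for an experiment) and why stream-level SENDMEs on `conn` are deliberately left unchecked (a stream window cannot usefully exceed the circuit window). A one-line comment above each `if (... + CIRCWINDOW_INCREMENT > CIRCWINDOW_START_MAX)` would keep that with the code, and should state that the `>` comparison intentionally lets `package_window` reach exactly `CIRCWINDOW_START_MAX`. The two added blocks are identical apart from the log text ("from exit relay" vs. "from client"), so a small helper taking the window value and the peer description would remove the duplicated `log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, ...)` / `return -END_CIRC_REASON_TORPROTOCOL;` sequence. Since the message is logged at `LOG_PROTOCOL_WARN`, the changes/bug6252 entry could also mention that operators watching for the "Bug/attack: unexpected sendme cell" line will see it at protocol-warning level, which is the only signal this fix emits.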