Summary: | security/tor and security/tor-devel: Update to 0.2.8.9 and 0.2.9.4-alpha
---|---
Product: | Ports & Packages
Reporter: | Neel Chauhan <nc>
Component: | Individual Port(s)
Assignee: | Rene Ladan <rene>
Status: | Closed FIXED
Severity: | Affects Many People
CC: | daniel, nc, pi, ports-secteam, rene, yuri
Priority: | Normal
Keywords: | patch, security
Version: | Latest
Flags: | vlad-fbsd: maintainer-feedback+; koobs: merge-quarterly?
Hardware: | Any
OS: | Any
Created attachment 175112 [details]
Patch to update security/tor-devel to 0.2.9.3-alpha

Created attachment 175452 [details]
Update to 0.2.8.8 + some extra changes

Thanks Neel for your patches.
I added some other changes that somebody else requested earlier to the patch.

Approved: Patch to update security/tor-devel to 0.2.9.3-alpha

Created attachment 175453 [details]
Update to 0.2.8.8 + extra changes

Thanks for the patches, guys. Neel, please set the maintainer-approval? request flag on future attachments for ports you're not a maintainer of (with the maintainer's e-mail address in the request), to help us track these approvals better. That also allows the maintainers to approve the attachment, as otherwise they don't have permission to change flags on non-owned attachments.

Created attachment 175455 [details]
Update to 0.2.8.8 + extra changes

Take

Just got news that tor 0.2.8.9 and 0.2.9.4-alpha are out with some security fixes, we should probably upgrade to those versions instead?

Created attachment 175886 [details]
patch updating security/tor to 0.2.8.9

Created attachment 175887 [details]
patch updating security/tor-devel to 0.2.9.4-alpha
Presumably these 'security' fixes need to be MFH'd. Can someone please include references to them (and any CVEs that may be relevant)?

Here are the 0.2.8.7 changes: https://blog.torproject.org/blog/tor-0287-released-important-fixes

I think the security fix is this:

> Directory authority changes:
> The "Tonga" bridge authority has been retired; the new bridge authority is "Bifroest". Closes tickets 19728 and 19690.

0.2.8.8 is a bugfix release: https://blog.torproject.org/blog/tor-0288-released-important-fixes

0.2.8.9 also has a security fix: https://blog.torproject.org/blog/tor-0289-released-important-fixes

> Major features (security fixes, also in 0.2.9.4-alpha):
> Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).

It seems there isn't a CVE number for this, but Tor have assigned a TROVE number: TROVE-2016-10-001. (exp. TROVE is explained here [1]: they are bad at getting CVEs assigned, so they've made their own numbers to ensure they get similar benefits of the "this fixed that issue" cross-reference.)

[1] https://trac.torproject.org/projects/tor/ticket/20383

Forgot the actual link to the security issue, which is at [1].

[1] https://trac.torproject.org/projects/tor/ticket/20384

testbuilds@work

Testbuilds are fine for both tor and -devel.
A commit references this bug:

Author: rene
Date: Tue Oct 18 17:26:08 UTC 2016
New revision: 424184
URL: https://svnweb.freebsd.org/changeset/ports/424184

Log:
  Document remote denial of service vulnerability in security/tor*

  PR:            212952
  Submitted by:  Neel Chauhan <neel@neelc.org>
  Obtained from: https://blog.torproject.org/blog/tor-0289-released-important-fixes

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: rene
Date: Tue Oct 18 17:31:56 UTC 2016
New revision: 424187
URL: https://svnweb.freebsd.org/changeset/ports/424187

Log:
  Update security/tor to 0.2.8.9
  Update security/tor-devel to 0.2.9.4-alpha

  For security/tor:
  - fix directory permissions
  - mark the TOR2WEB option as "expert"

  PR:           212952
  Submitted by: Neel Chauhan <neel@neelc.org>
  Approved by:  maintainer <yuri@rawbw.com>
  MFH:          2016Q4
  Security:     c1dc55dc-9556-11e6-b154-3065ec8fd3ec

Changes:
  head/security/tor/Makefile
  head/security/tor/distinfo
  head/security/tor/files/tor.in
  head/security/tor/pkg-plist
  head/security/tor-devel/Makefile
  head/security/tor-devel/distinfo

A commit references this bug:

Author: rene
Date: Tue Oct 18 18:19:10 UTC 2016
New revision: 424198
URL: https://svnweb.freebsd.org/changeset/ports/424198

Log:
  MFH: r424187

  Update security/tor to 0.2.8.9
  Update security/tor-devel to 0.2.9.4-alpha

  For security/tor:
  - fix directory permissions
  - mark the TOR2WEB option as "expert"

  PR:           212952
  Submitted by: Neel Chauhan <neel@neelc.org>
  Approved by:  maintainer <yuri@rawbw.com>
  Security:     c1dc55dc-9556-11e6-b154-3065ec8fd3ec
  Approved by:  ports-secteam (feld)

Changes:
  _U  branches/2016Q4/
  branches/2016Q4/security/tor/Makefile
  branches/2016Q4/security/tor/distinfo
  branches/2016Q4/security/tor/files/tor.in
  branches/2016Q4/security/tor/pkg-plist
  branches/2016Q4/security/tor-devel/Makefile
  branches/2016Q4/security/tor-devel/distinfo

Yuri, could you please elaborate on why permissions on /var directories (specifically, /var/run/tor) were changed?

For me it had broken tor node monitoring, which was running under its own user added to the _tor group and could no longer access /var/run/tor/control_auth_cookie (which itself is 640) because of

    CookieAuthentication 1
    CookieAuthFileGroupReadable 1
    CookieAuthFile /var/run/tor/control_auth_cookie

Also, no processes at all can access /var/run/tor/tor.pid, which doesn't seem too correct either. Accessing tor logs does also seem a valid use case; logs are 640 themselves, but 700 on /var/log/tor prevents the group from accessing them.

Thus I suggest to change permissions for /var/log/tor to 750 and /var/run/tor to 755.

Dmitry,
The permissions were restricted too much by mistake.
> Thus I suggest to change permissions for /var/log/tor to 750 and /var/run/tor to 755.
Yes, please go ahead and commit this if you can.
Thanks,
Yuri
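The access check behind the permission discussion above, as an added example that is not part of the PR or of the tor port: a POSIX sh script that works out whether a member of the tor group can reach a file from the octal modes along its path, so a 700 on /var/run/tor blocking a 640 control_auth_cookie can be caught before it breaks cookie authentication. The function names are mine, and mode_of assumes either FreeBSD or GNU stat(1).

```shell
#!/bin/sh
# Added example (not from the PR). A group member needs 'x' on every
# directory on the path and 'r' on the file itself; 700 on /var/run/tor
# blocks a 640 control_auth_cookie even with CookieAuthFileGroupReadable 1.

# group_digit MODE -> the group octal digit of a mode such as 640 or 1777
group_digit() {
    t=${1%?}                         # drop the "other" digit
    printf '%s\n' "${t#"${t%?}"}"    # keep only the last remaining digit
}

# group_can_read DIRMODE... FILEMODE
# Prints "ok" and returns 0, or names the first blocking mode and returns 1.
group_can_read() {
    while [ $# -gt 1 ]; do
        g=$(group_digit "$1")
        if [ $(( g & 1 )) -eq 0 ]; then
            printf 'directory mode %s denies group search (x)\n' "$1"
            return 1
        fi
        shift
    done
    g=$(group_digit "$1")
    if [ $(( g & 4 )) -eq 0 ]; then
        printf 'file mode %s denies group read (r)\n' "$1"
        return 1
    fi
    printf 'ok\n'
}

# mode_of PATH -> octal mode; FreeBSD stat(1) first, GNU stat(1) as fallback
mode_of() {
    stat -f %Lp "$1" 2>/dev/null || stat -c %a "$1"
}

# path_group_readable FILE -> runs group_can_read over every ancestor of FILE
path_group_readable() {
    modes=""
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        modes="$(mode_of "$d") $modes"
        d=$(dirname "$d")
    done
    # word-splitting of $modes is intended: one mode per directory
    group_can_read $modes "$(mode_of "$1")"
}

# Usage on a tor host (paths taken from the PR):
# path_group_readable /var/run/tor/control_auth_cookie
# path_group_readable /var/run/tor/tor.pid
```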
Created attachment 175111 [details]
Patch to update security/tor to 0.2.8.8

Both build on FreeBSD 10.3 amd64