Bug 212952 - security/tor and security/tor-devel: Update to 0.2.8.9 and 0.2.9.4-alpha
Summary: security/tor and security/tor-devel: Update to 0.2.8.9 and 0.2.9.4-alpha
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Rene Ladan
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-09-24 01:08 UTC by Neel Chauhan
Modified: 2016-11-15 18:41 UTC (History)
6 users (show)

See Also:
vlad-fbsd: maintainer-feedback+
koobs: merge-quarterly?


Attachments
Patch to update security/tor to 0.2.8.8 (775 bytes, patch)
2016-09-24 01:08 UTC, Neel Chauhan
no flags Details | Diff
Patch to update security/tor-devel to 0.2.9.3-alpha (832 bytes, patch)
2016-09-24 01:09 UTC, Neel Chauhan
vlad-fbsd: maintainer-approval+
Details | Diff
Update to 0.2.8.8 + some extra changes (2.89 KB, patch)
2016-10-05 20:00 UTC, Yuri Victorovich
yuri: maintainer-approval+
Details | Diff
Update to 0.2.8.8 + extra changes (2.96 KB, patch)
2016-10-05 20:10 UTC, Yuri Victorovich
yuri: maintainer-approval+
Details | Diff
Update to 0.2.8.8 + extra changes (2.97 KB, patch)
2016-10-05 20:43 UTC, Yuri Victorovich
yuri: maintainer-approval+
Details | Diff
patch updating security/tor to 0.2.8.9 (2.97 KB, patch)
2016-10-17 21:54 UTC, Yuri Victorovich
yuri: maintainer-approval+
Details | Diff
patch updating security/tor-devel to 0.2.9.4-alpha (946 bytes, patch)
2016-10-17 21:55 UTC, Yuri Victorovich
yuri: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Neel Chauhan 2016-09-24 01:08:48 UTC
Created attachment 175111 [details]
Patch to update security/tor to 0.2.8.8

Both build on FreeBSD 10.3 amd64
Comment 1 Neel Chauhan 2016-09-24 01:09:11 UTC
Created attachment 175112 [details]
Patch to update security/tor-devel to 0.2.9.3-alpha
Comment 2 Yuri Victorovich freebsd_committer 2016-10-05 20:00:59 UTC
Created attachment 175452 [details]
Update to 0.2.8.8 + some extra changes

Thanks Neel for your patches.

I added some other changes that somebody else requested earlier to the patch.
Comment 3 Yuri Victorovich freebsd_committer 2016-10-05 20:01:44 UTC
Approved: Patch to update security/tor-devel to 0.2.9.3-alpha
Comment 4 Yuri Victorovich freebsd_committer 2016-10-05 20:10:32 UTC
Created attachment 175453 [details]
Update to 0.2.8.8 + extra changes
Comment 5 VK freebsd_triage 2016-10-05 20:14:35 UTC
Thanks for the patches, guys.

Neel, please set the maintainer-approval? request flag on future attachments for ports you're not a maintainer of (with the maintainer's e-mail address in the request), to help us track these approvals better. That also allows the maintainers to approve the attachment, as otherwise they don't have permission to change flags on non-owned attachments.
Comment 6 Yuri Victorovich freebsd_committer 2016-10-05 20:43:28 UTC
Created attachment 175455 [details]
Update to 0.2.8.8 + extra changes
Comment 7 Rene Ladan freebsd_committer 2016-10-17 20:51:56 UTC
Take
Comment 8 Rene Ladan freebsd_committer 2016-10-17 21:07:55 UTC
Just got news that tor 0.2.8.9 and 0.2.9.4-alpha are out with some security fixes, we should probably upgrade to those versions instead?
Comment 9 Yuri Victorovich freebsd_committer 2016-10-17 21:54:30 UTC
Created attachment 175886 [details]
patch updating security/tor to 0.2.8.9
Comment 10 Yuri Victorovich freebsd_committer 2016-10-17 21:55:18 UTC
Created attachment 175887 [details]
patch updating security/tor-devel to 0.2.9.4-alpha
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-18 10:33:27 UTC
Presumably these 'security' fixes need to be MFH'd.

Can someone please include references to them (and any CVE's that may be relevant)
Comment 12 Yuri Victorovich freebsd_committer 2016-10-18 10:43:54 UTC
Here are 0.2.8.7 changes: https://blog.torproject.org/blog/tor-0287-released-important-fixes

I think, the security fix is this:
> Directory authority changes:
> The "Tonga" bridge authority has been retired; the new bridge authority is "Bifroest". Closes tickets 19728 and 19690.

0.2.8.8 is a bugfix release: https://blog.torproject.org/blog/tor-0288-released-important-fixes
Comment 13 Yuri Victorovich freebsd_committer 2016-10-18 10:46:01 UTC
0.2.8.9 also has a security fix: https://blog.torproject.org/blog/tor-0289-released-important-fixes

> Major features (security fixes, also in 0.2.9.4-alpha):
> Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
Comment 14 Daniel Llewellyn 2016-10-18 11:06:00 UTC
It seems there isn't a CVE number for this, but Tor have assigned a TROVE number: TROVE-2016-10-001.

(exp. TROVE is explained here [1] that they are bad at getting CVEs assigned so they've made their own numbers to ensure they get similar benefits of the "this fixed that issue" cross-reference.)

[1] https://trac.torproject.org/projects/tor/ticket/20383
Comment 15 Daniel Llewellyn 2016-10-18 11:08:43 UTC
forgot the actual link to the security issue which is at [1].

[1] https://trac.torproject.org/projects/tor/ticket/20384
Comment 16 Kurt Jaeger freebsd_committer 2016-10-18 16:14:26 UTC
testbuilds@work
Comment 17 Kurt Jaeger freebsd_committer 2016-10-18 16:26:36 UTC
Testbuilds are fine for both tor and -devel.
Comment 18 commit-hook freebsd_committer 2016-10-18 17:27:02 UTC
A commit references this bug:

Author: rene
Date: Tue Oct 18 17:26:08 UTC 2016
New revision: 424184
URL: https://svnweb.freebsd.org/changeset/ports/424184

Log:
  Document remote denial of service vulnerability in security/tor*

  PR:		212952
  Submitted by:	Neel Chauhan <neel@neelc.org>
  Obtained from:	https://blog.torproject.org/blog/tor-0289-released-important-fixes

Changes:
  head/security/vuxml/vuln.xml
Comment 19 commit-hook freebsd_committer 2016-10-18 17:32:09 UTC
A commit references this bug:

Author: rene
Date: Tue Oct 18 17:31:56 UTC 2016
New revision: 424187
URL: https://svnweb.freebsd.org/changeset/ports/424187

Log:
  Update security/tor to 0.2.8.9
  Update security/tor-devel to 0.2.9.4-alpha

  For security/tor:
  - fix directory permissions
  - mark the TOR2WEB option as "expert"

  PR:		212952
  Submitted by:	Neel Chauhan <neel@neelc.org>
  Approved by:	maintainer <yuri@rawbw.com>
  MFH:		2016Q4
  Security:	c1dc55dc-9556-11e6-b154-3065ec8fd3ec

Changes:
  head/security/tor/Makefile
  head/security/tor/distinfo
  head/security/tor/files/tor.in
  head/security/tor/pkg-plist
  head/security/tor-devel/Makefile
  head/security/tor-devel/distinfo
Comment 20 commit-hook freebsd_committer 2016-10-18 18:19:25 UTC
A commit references this bug:

Author: rene
Date: Tue Oct 18 18:19:10 UTC 2016
New revision: 424198
URL: https://svnweb.freebsd.org/changeset/ports/424198

Log:
  MFH: r424187

  Update security/tor to 0.2.8.9
  Update security/tor-devel to 0.2.9.4-alpha

  For security/tor:
  - fix directory permissions
  - mark the TOR2WEB option as "expert"

  PR:		212952
  Submitted by:	Neel Chauhan <neel@neelc.org>
  Approved by:	maintainer <yuri@rawbw.com>
  Security:	c1dc55dc-9556-11e6-b154-3065ec8fd3ec

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/security/tor/Makefile
  branches/2016Q4/security/tor/distinfo
  branches/2016Q4/security/tor/files/tor.in
  branches/2016Q4/security/tor/pkg-plist
  branches/2016Q4/security/tor-devel/Makefile
  branches/2016Q4/security/tor-devel/distinfo
Comment 21 Dmitry Marakasov freebsd_committer 2016-11-15 15:26:40 UTC
Yuri, could you please elaborate on why permissions on /var directories (specifically, /var/run/tor) were changed? For me it had broken tor node monitoring which was running under its own user added to _tor group and could no longer access /var/run/tor/control_auth_cookie (which itself is 640) because of

CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /var/run/tor/control_auth_cookie

Also no processes at all can access /var/run/tor/tor.pid, which doesn't seem too correct either. Accessing tor logs does also seem a valid usecase, logs are 640 themselves, but 700 on /var/log/tor prevents group from accessing them.

Thus I suggest to change permissions for /var/log/tor to 750 and /var/run/tor to 755.
Comment 22 Yuri Victorovich freebsd_committer 2016-11-15 18:41:48 UTC
Dmitry,

The permissions were restricted too much by mistake.

> Thus I suggest to change permissions for /var/log/tor to 750 and /var/run/tor to 755.

Yes, please go ahead and commit this if you can.

Thanks,
Yuri