August 2012 - tor-commits - lists.torproject.org

[tor/release-0.2.3] changelog for bug6043
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit ae75fb13e175ec24cb3bff44150fd2f932aa5385 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 31 11:49:20 2012 -0400 changelog for bug6043 --- changes/bug6043 | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/changes/bug6043 b/changes/bug6043 new file mode 100644 index 0000000..b88bafb --- /dev/null +++ b/changes/bug6043 @@ -0,0 +1,6 @@ + o Packaging (RPM): + - Our default RPM spec files have been updated to work with mock + and rpmbuild on RHEL/Fedora. They have an updated set of + dependencies and conflicts, a fix for an ancient typo when creating + the "_tor" user, and better instructions. Thanks to Ondrej + Mikle for the patch series; fix for bug 6043.

1 0

[tor/release-0.2.3] Fixes/beautification of RPM spec. Tiny improvements in RPM build docs.
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit eeb81b5bb1135c1b85fff68da823c10fc4a99965 Author: Ondrej Mikle <ondrej.mikle(a)gmail.com> Date: Thu Jun 21 18:26:05 2012 +0200 Fixes/beautification of RPM spec. Tiny improvements in RPM build docs. --- doc/tor-rpm-creation.txt | 6 ++++-- tor.spec.in | 21 +++++++++++++-------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/doc/tor-rpm-creation.txt b/doc/tor-rpm-creation.txt index a88f2e8..a03891e 100644 --- a/doc/tor-rpm-creation.txt +++ b/doc/tor-rpm-creation.txt @@ -14,14 +14,16 @@ LIBS=-lrt ./configure make dist-rpm You should have at least two, maybe three, rpms. There should be the binary -i386.rpm, a src.rpm, and on redhat/centos machines, a debuginfo.rpm. +(i686|x86_64).rpm, a src.rpm, and on redhat/centos machines, a debuginfo.rpm. +The debuginfo rpms are created if package redhat-rpm-config is installed (case +of redhat distros). This step suffices unless you want to create RPMs for distros other than the one you used for building. ## Instructions for building RPMs for multiple architectures or distributions -## using 'mock' +## using 'mock' on Fedora or RHEL (and clones) Make sure you have mock installed and configured, see following HOWTOs for setup: https://fedoraproject.org/wiki/How_to_create_an_RPM_package diff --git a/tor.spec.in b/tor.spec.in index 5605586..b452c9b 100644 --- a/tor.spec.in +++ b/tor.spec.in @@ -6,7 +6,7 @@ # This should be incremented whenever the spec file changes, but # can drop back to zero at a new Tor version -%define specver 0 +%define specver 1 ## Things users may want to change # @@ -108,17 +108,14 @@ License: 3-clause BSD Vendor: The Tor Project (https://torproject.org) Packager: Erinn Clark <erinn(a)torproject.org> -%if %{is_suse} -Requires: openssl >= 0.9.7, libevent >= 1.4.13 -BuildRequires: openssl-devel >= 0.9.7, rpm >= 4.0, zlib-devel, libevent-devel >= 1.4.13, asciidoc -%else Requires: openssl >= 0.9.7, libevent >= 1.4.13 BuildRequires: openssl-devel >= 0.9.7, libevent-devel >= 1.4.13, asciidoc -%endif -%if %{is_fc} -BuildRequires: rpm-build >= 4.0 + +# Fedora 16 and RHEL 5 have following conflicting packages according to rpm search +%if %{is_rh} Conflicts: tor-core, tor-lsb, tor-upstart %endif + Requires(pre): /usr/bin/id, /bin/date, /bin/sh Requires(pre): %{_sbindir}/useradd, %{_sbindir}/groupadd @@ -287,6 +284,14 @@ exit 0 %attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} %changelog +* Thu Jun 21 2012 Ondrej Mikle <ondrej.mikle(a)gmail.com> +- fixed to work with both rpmbuild and mock on RHEL/Fedora +- removed unnecessary files from rpm such as .git repo +- fixed build dependencies and package conflicts +- fixed creating _tor user on Fedora 17 (ancient typo) +- added/updated build instructions for RPM creation +- confirmed to build and run on EL5, EL6, Fedora 16/17, OpenSuse 12.1 + * Fri Aug 20 2010 Erinn Clark <erinn(a)torproject.org> - add conflicts for Fedora packages - add logic for SuSE since it requires special doc handling

1 0

[tor/release-0.2.3] Merge branch 'bug6480_squashed' into maint-0.2.3
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 122c8efb09643a65cbec6c991f3433774a4524ae Merge: ae75fb1 62637fa Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 31 17:19:47 2012 -0400 Merge branch 'bug6480_squashed' into maint-0.2.3 changes/bug6480 | 5 +++++ src/or/dns.c | 30 ++++++++++++++++++------------ 2 files changed, 23 insertions(+), 12 deletions(-)

1 0

[tor/release-0.2.3] Avoid hard (impossible?)-to-trigger double-free in dns_resolve()
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 62637fa22405278758febb1743da9af562524d4c Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 31 12:58:19 2012 -0400 Avoid hard (impossible?)-to-trigger double-free in dns_resolve() Fixes 6480; fix on 0.2.0.1-alpha; based on pseudonymous patch. --- changes/bug6480 | 5 +++++ src/or/dns.c | 30 ++++++++++++++++++------------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/changes/bug6480 b/changes/bug6480 new file mode 100644 index 0000000..83ae00b --- /dev/null +++ b/changes/bug6480 @@ -0,0 +1,5 @@ + o Major bugfixes: + - Avoid read-from-freed-RAM bug and related double-free bug that + could occur when a DNS request fails while launching it. Fixes + bug 6480; bugfix on 0.2.0.1-alpha. + diff --git a/src/or/dns.c b/src/or/dns.c index da11668..3e88fad 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -168,7 +168,8 @@ static void add_wildcarded_test_address(const char *address); static int configure_nameservers(int force); static int answer_is_wildcarded(const char *ip); static int dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, - or_circuit_t *oncirc, char **resolved_to_hostname); + or_circuit_t *oncirc, char **resolved_to_hostname, + int *made_connection_pending_out); #ifdef DEBUG_DNS_CACHE static void _assert_cache_ok(void); #define assert_cache_ok() _assert_cache_ok() @@ -596,10 +597,12 @@ dns_resolve(edge_connection_t *exitconn) { or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit); int is_resolve, r; + int made_connection_pending = 0; char *hostname = NULL; is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE; - r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname); + r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname, + &made_connection_pending); switch (r) { case 1: @@ -639,16 +642,11 @@ dns_resolve(edge_connection_t *exitconn) dns_cancel_pending_resolve(exitconn->_base.address); - if (!exitconn->_base.marked_for_close) { + if (!made_connection_pending && !exitconn->_base.marked_for_close) { + /* If we made the connection pending, then we freed it already in + * dns_cancel_pending_resolve(). If we marked it for close, it'll + * get freed from the main loop. Otherwise, can free it now. */ connection_free(TO_CONN(exitconn)); - // XXX ... and we just leak exitconn otherwise? -RD - // If it's marked for close, it's on closeable_connection_lst in - // main.c. If it's on the closeable list, it will get freed from - // main.c. -NM - // "<armadev> If that's true, there are other bugs around, where we - // don't check if it's marked, and will end up double-freeing." - // On the other hand, I don't know of any actual bugs here, so this - // shouldn't be holding up the rc. -RD } break; default: @@ -667,10 +665,15 @@ dns_resolve(edge_connection_t *exitconn) * Return -2 on a transient error. If it's a reverse resolve and it's * successful, sets *hostname_out to a newly allocated string * holding the cached reverse DNS value. + * + * Set *made_connection_pending_out to true if we have placed + * exitconn on the list of pending connections for some resolve; set it + * to false otherwise. */ static int dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, - or_circuit_t *oncirc, char **hostname_out) + or_circuit_t *oncirc, char **hostname_out, + int *made_connection_pending_out) { cached_resolve_t *resolve; cached_resolve_t search; @@ -684,6 +687,7 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, tor_assert(!SOCKET_OK(exitconn->_base.s)); assert_cache_ok(); tor_assert(oncirc); + *made_connection_pending_out = 0; /* first check if exitconn->_base.address is an IP. If so, we already * know the answer. */ @@ -757,6 +761,7 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, pending_connection->conn = exitconn; pending_connection->next = resolve->pending_connections; resolve->pending_connections = pending_connection; + *made_connection_pending_out = 1; log_debug(LD_EXIT,"Connection (fd %d) waiting for pending DNS " "resolve of %s", exitconn->_base.s, escaped_safe_str(exitconn->_base.address)); @@ -797,6 +802,7 @@ dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, pending_connection = tor_malloc_zero(sizeof(pending_connection_t)); pending_connection->conn = exitconn; resolve->pending_connections = pending_connection; + *made_connection_pending_out = 1; /* Add this resolve to the cache and priority queue. */ HT_INSERT(cache_map, &cache_root, resolve);

1 0

[tor/release-0.2.3] Workaround for building EL5 RPMs by specifying rpmbuild-md5. Updated old note about using static libevent when building RPMs.
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 0e778ac6044f991bdd144a36258df341aa969554 Author: Ondrej Mikle <ondrej.mikle(a)gmail.com> Date: Sat Jun 16 18:38:14 2012 +0200 Workaround for building EL5 RPMs by specifying rpmbuild-md5. Updated old note about using static libevent when building RPMs. --- Makefile.am | 6 +++++- doc/tor-rpm-creation.txt | 35 +++++++++++++++++++++++------------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/Makefile.am b/Makefile.am index e25e8ff..29bba71 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,13 +24,17 @@ EXTRA_DIST = \ #install-data-local: # $(INSTALL) -m 755 -d $(LOCALSTATEDIR)/lib/tor +# Allows to override rpmbuild with rpmbuild-md5 from fedora-packager so that +# building for EL5 won't fail on https://bugzilla.redhat.com/show_bug.cgi?id=490613 +RPMBUILD ?= rpmbuild + # Use automake's dist-gzip target to build the tarball dist-rpm: dist-gzip TIMESTAMP=$$(date +"%Y-%m-%d_%H.%M.%S"); \ RPM_BUILD_DIR=$$(mktemp -d "/tmp/tor-rpm-build-$$TIMESTAMP-XXXX"); \ mkdir -p "$$RPM_BUILD_DIR"/{BUILD,RPMS,SOURCES/"tor-$(VERSION)",SPECS,SRPMS}; \ cp -fa "$(distdir).tar.gz" "$$RPM_BUILD_DIR"/SOURCES/; \ - LIBS=-lrt rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \ + LIBS=-lrt $(RPMBUILD) -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \ cp -fa "$$RPM_BUILD_DIR"/SRPMS/* .; \ cp -fa "$$RPM_BUILD_DIR"/RPMS/* .; \ rm -rf "$$RPM_BUILD_DIR"; \ diff --git a/doc/tor-rpm-creation.txt b/doc/tor-rpm-creation.txt index eb22c22..a88f2e8 100644 --- a/doc/tor-rpm-creation.txt +++ b/doc/tor-rpm-creation.txt @@ -2,18 +2,9 @@ ## The process used to create the official rpms is as follows: -Download latest stable libevent from -http://libevent.org/ - -The first step of compiling libevent is to configure it as follows: -./configure --enable-static --disable-shared - -Complete the "make" and "make install". You will need to be root, -or sudo -s, to complete the "make install". - -Check for a successful universal binary of libevent.a in, by default, -/usr/local/lib by using the following command: - "file /usr/local/lib/libevent.a" +You'll need to install libevent headers, usually located in package named +libevent-devel. Alternatively, you could download latest libevent from +http://libevent.org/ but that shouldn't be necessary. Download and Extract the latest tor source code from https://www.torproject.org/download @@ -25,6 +16,9 @@ make dist-rpm You should have at least two, maybe three, rpms. There should be the binary i386.rpm, a src.rpm, and on redhat/centos machines, a debuginfo.rpm. +This step suffices unless you want to create RPMs for distros other than the +one you used for building. + ## Instructions for building RPMs for multiple architectures or distributions ## using 'mock' @@ -39,5 +33,22 @@ extension in the -r parameter): mock --rebuild -r fedora-17-x86_64 tor-X.Y.Z.src.rpm +Building for EL5 from newer distro (e.g. EL6 or Fedora 17) will fail due to bug +(https://bugzilla.redhat.com/show_bug.cgi?id=490613). +Here's a workaround: + +Before even building the source RPM, install fedora-packager and instruct +the build system to use rpmbuild-md5 like this: + +yum install fedora-packager +export RPMBUILD=rpmbuild-md5 + +Then proceed as usual to create the source RPM and binary RPMs: + +LIBS=-lrt ./configure +make dist-rpm +mock --rebuild -r epel-5-x86_64 tor-X.Y.Z.src.rpm + + (Note: don't build under OpenVZ - it breaks unshare() syscall, which in turn breaks mock. It could save you several hours.)

1 0

[tor/release-0.2.3] Clarify security impact of bug 6530
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 55f635745afacefffdaafc72cc176ca7ab817546 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Aug 3 11:16:13 2012 -0400 Clarify security impact of bug 6530 --- changes/bug6530 | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/changes/bug6530 b/changes/bug6530 index a6b7caa..825bbb7 100644 --- a/changes/bug6530 +++ b/changes/bug6530 @@ -1,4 +1,5 @@ - o Major bugfixes: + o Major security fixes: - Avoid a read of uninitializd RAM when reading a vote or consensus - document with an unrecognized flavor name. Fixes bug 6530; bugfix on - 0.2.2.6-alpha. + document with an unrecognized flavor name. This could lead to a + remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. +

1 0

[tor/release-0.2.3] Avoid possible segfault when handling networkstatus vote with bad flavor
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 57e35ad3d91724882c345ac709666a551a977f0f Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Aug 3 10:53:00 2012 -0400 Avoid possible segfault when handling networkstatus vote with bad flavor Fix for 6530; fix on 0.2.2.6-alpha. --- changes/bug6530 | 4 ++++ src/or/routerparse.c | 2 +- 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/changes/bug6530 b/changes/bug6530 new file mode 100644 index 0000000..a6b7caa --- /dev/null +++ b/changes/bug6530 @@ -0,0 +1,4 @@ + o Major bugfixes: + - Avoid a read of uninitializd RAM when reading a vote or consensus + document with an unrecognized flavor name. Fixes bug 6530; bugfix on + 0.2.2.6-alpha. diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 8c4f582..2ff546b 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2821,7 +2821,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, int flavor = networkstatus_parse_flavor_name(tok->args[1]); if (flavor < 0) { log_warn(LD_DIR, "Can't parse document with unknown flavor %s", - escaped(tok->args[2])); + escaped(tok->args[1])); goto err; } ns->flavor = flav = flavor;

1 0

[tor/release-0.2.3] Remove bogus comment claiming that an assertion is triggerable by consensus
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 82c5e385cbddec4fd80618d6e96111ad73d5a22e Author: Robert Ransom <rransom.8774(a)gmail.com> Date: Thu Jun 14 15:41:11 2012 +0000 Remove bogus comment claiming that an assertion is triggerable by consensus --- src/or/routerlist.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/or/routerlist.c b/src/or/routerlist.c index de1a66c..37de70f 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -1983,9 +1983,10 @@ smartlist_choose_node_by_bandwidth(smartlist_t *sl, if (is_guard) bitarray_set(guard_bits, i); if (is_known) { - bandwidths[i] = (int32_t) this_bw; // safe since MAX_BELIEVABLE<INT32_MAX - // XXX this is no longer true! We don't always cap the bw anymore. Can - // a consensus make us overflow?-sh + bandwidths[i] = (int32_t) this_bw; + /* Casting this_bw to int32_t is safe because both kb_to_bytes + and bridge_get_advertised_bandwidth_bounded limit it to below + INT32_MAX. */ tor_assert(bandwidths[i] >= 0); if (is_guard) total_guard_bw += this_bw;

1 0

[tor/release-0.2.3] Merge remote-tracking branch 'origin/maint-0.2.2' into maint-0.2.3
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 1040afb2425a8056dc41b35e6d825fc329663ee6 Merge: 122c8ef 55f6357 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Aug 3 11:18:40 2012 -0400 Merge remote-tracking branch 'origin/maint-0.2.2' into maint-0.2.3 changes/bug6530 | 5 +++++ src/or/routerparse.c | 2 +- 2 files changed, 6 insertions(+), 1 deletions(-)

1 0

[tor/release-0.2.3] Mitigate a side-channel leak of which relays Tor chooses for a circuit
by nickm＠torproject.org 03 Aug '12

03 Aug '12

commit 308f6dad20675c42b29862f4269ad1fbfb00dc9a Author: Robert Ransom <rransom.8774(a)gmail.com> Date: Thu Jun 14 17:15:54 2012 +0000 Mitigate a side-channel leak of which relays Tor chooses for a circuit Tor's and OpenSSL's current design guarantee that there are other leaks, but this one is likely to be more easily exploitable, and is easy to fix. --- changes/pathsel-BUGGY-a | 12 ++++++++++++ src/or/routerlist.c | 22 ++++++++++++++++++---- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/changes/pathsel-BUGGY-a b/changes/pathsel-BUGGY-a new file mode 100644 index 0000000..cad2af5 --- /dev/null +++ b/changes/pathsel-BUGGY-a @@ -0,0 +1,12 @@ + o Security fixes: + + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client + would stop iterating through the list of available relays as + soon as it had chosen one, thus leaking information about which + relays it picked for a circuit to a timing attack. (Tor is + likely to still leak information about which relays it has + chosen for a circuit to other processes on the same computer, + through e.g. which cache lines it loads while building the + circuit.) + diff --git a/src/or/routerlist.c b/src/or/routerlist.c index d21b40c..30c20bf 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -1674,6 +1674,8 @@ smartlist_choose_by_bandwidth_weights(smartlist_t *sl, double *bandwidths; double tmp = 0; unsigned int i; + unsigned int i_chosen; + unsigned int i_has_been_chosen; int have_unknown = 0; /* true iff sl contains element not in consensus. */ /* Can't choose exit and guard at same time */ @@ -1835,12 +1837,17 @@ smartlist_choose_by_bandwidth_weights(smartlist_t *sl, * from 1 below. See bug 1203 for details. */ /* Last, count through sl until we get to the element we picked */ + i_chosen = (unsigned)smartlist_len(sl); + i_has_been_chosen = 0; tmp = 0.0; for (i=0; i < (unsigned)smartlist_len(sl); i++) { tmp += bandwidths[i]; - if (tmp >= rand_bw) - break; + if (tmp >= rand_bw && !i_has_been_chosen) { + i_chosen = i; + i_has_been_chosen = 1; + } } + i = i_chosen; if (i == (unsigned)smartlist_len(sl)) { /* This was once possible due to round-off error, but shouldn't be able @@ -1877,6 +1884,8 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, bandwidth_weight_rule_t rule, int statuses) { unsigned int i; + unsigned int i_chosen; + unsigned int i_has_been_chosen; routerinfo_t *router; routerstatus_t *status=NULL; int32_t *bandwidths; @@ -2092,6 +2101,8 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, bandwidth_weight_rule_t rule, /* Last, count through sl until we get to the element we picked */ tmp = 0; + i_chosen = (unsigned)smartlist_len(sl); + i_has_been_chosen = 0; for (i=0; i < (unsigned)smartlist_len(sl); i++) { is_exit = bitarray_is_set(exit_bits, i); is_guard = bitarray_is_set(guard_bits, i); @@ -2106,9 +2117,12 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, bandwidth_weight_rule_t rule, else tmp += bandwidths[i]; - if (tmp >= rand_bw) - break; + if (tmp >= rand_bw && !i_has_been_chosen) { + i_chosen = i; + i_has_been_chosen = 1; + } } + i = i_chosen; if (i == (unsigned)smartlist_len(sl)) { /* This was once possible due to round-off error, but shouldn't be able * to occur any longer. */

1 0