December 2017 - tor-commits - lists.torproject.org

[tor/maint-0.3.0] Merge branch 'maint-0.2.5' into maint-0.2.8
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 2e219291bee2d378344286ba091ba09527b07188 Merge: ba4a9cf0c 6bda6777c Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Nov 30 12:21:36 2017 -0500 Merge branch 'maint-0.2.5' into maint-0.2.8 "ours" to avoid version bump

1 0

[tor/maint-0.3.1] Handle NULL input to protover_compute_for_old_tor()
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 2c0487ecfb410d1361b114e60d8e9ffd2ed092ec Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat Nov 11 13:56:35 2017 -0500 Handle NULL input to protover_compute_for_old_tor() Fixes bug 24245; bugfix on 0.2.9.4-alpha. TROVE-2017-010. --- changes/trove-2017-010 | 6 ++++++ src/or/protover.c | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/changes/trove-2017-010 b/changes/trove-2017-010 new file mode 100644 index 000000000..d5bf9333d --- /dev/null +++ b/changes/trove-2017-010 @@ -0,0 +1,6 @@ + o Major bugfixes (security): + - Fix a denial-of-service issue where an attacker could crash + a directory authority using a malformed router descriptor. + Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked + as TROVE-2017-010 and CVE-2017-8820. + diff --git a/src/or/protover.c b/src/or/protover.c index 0a4d4fb8f..98957cabd 100644 --- a/src/or/protover.c +++ b/src/or/protover.c @@ -694,6 +694,11 @@ protocol_list_contains(const smartlist_t *protos, const char * protover_compute_for_old_tor(const char *version) { + if (version == NULL) { + /* No known version; guess the oldest series that is still supported. */ + version = "0.2.5.15"; + } + if (tor_version_as_new_as(version, FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS)) { return "";

1 0

[tor/maint-0.3.0] Merge branch 'trove-2017-012_025' into maint-0.2.5
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit f49876d66efbc5679ba7d9d9c6538c763b8e06b5 Merge: 08ce39fb0 6ab07419c Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Nov 30 12:06:21 2017 -0500 Merge branch 'trove-2017-012_025' into maint-0.2.5 changes/trove-2017-012-part1 | 6 ++++++ src/or/routerlist.c | 5 ++++- 2 files changed, 10 insertions(+), 1 deletion(-)

1 0

[tor/maint-0.3.0] Merge branch 'trove-2017-012_030' into maint-0.3.0
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit d459c08b7d5cb1766bda5443ea2750bca160212d Merge: 766d0a2d9 91cee3c9e Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Nov 30 12:07:43 2017 -0500 Merge branch 'trove-2017-012_030' into maint-0.3.0 changes/trove-2017-012-part2 | 5 +++++ src/or/entrynodes.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-)

1 0

[tor/maint-0.3.0] version bump to 0.2.8.17
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 6ee44725449794951f93020bb04e5fa3ba784742 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Nov 30 12:22:32 2017 -0500 version bump to 0.2.8.17 --- configure.ac | 2 +- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 6fb101bf9..94cebf401 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2015, The Tor Project, Inc. dnl See LICENSE for licensing information AC_PREREQ([2.63]) -AC_INIT([tor],[0.2.8.16-dev]) +AC_INIT([tor],[0.2.8.17]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index b9eac37c5..b9076fbc7 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.8.16-dev" +!define VERSION "0.2.8.17" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 211243d1d..9db6ef209 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -229,7 +229,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.8.16-dev" +#define VERSION "0.2.8.17"

1 0

[tor/maint-0.3.0] Merge branch 'maint-0.2.5' into maint-0.2.8
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit ba4a9cf0c094b7a19e1bf44264b1244a23a4b38e Merge: 3030741b5 f49876d66 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Nov 30 12:07:59 2017 -0500 Merge branch 'maint-0.2.5' into maint-0.2.8 changes/trove-2017-009 | 10 ++++++++++ changes/trove-2017-011 | 8 ++++++++ changes/trove-2017-012-part1 | 6 ++++++ src/common/crypto.c | 16 +++++++++++++--- src/or/rendservice.c | 4 +++- src/or/routerlist.c | 5 ++++- 6 files changed, 44 insertions(+), 5 deletions(-)

1 0

[tor/maint-0.3.1] Fix length of replaycache-checked data.
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 2834cc9c18230c36278ffa94a252abeb91b6cff9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat Nov 11 13:40:21 2017 -0500 Fix length of replaycache-checked data. This is a regression; we should have been checking only the public-key encrypted portion. Fixes bug 24244, TROVE-2017-009, and CVE-2017-8819. --- changes/trove-2017-009 | 10 ++++++++++ src/or/rendservice.c | 4 +++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/changes/trove-2017-009 b/changes/trove-2017-009 new file mode 100644 index 000000000..512d18c29 --- /dev/null +++ b/changes/trove-2017-009 @@ -0,0 +1,10 @@ + o Major fixes (security): + - When checking for replays in the INTRODUCE1 cell data for a (legacy) + hiddden service, correctly detect replays in the RSA-encrypted part of + the cell. We were previously checking for replays on the entire cell, + but those can be circumvented due to the malleability of Tor's legacy + hybrid encryption. This fix helps prevent a traffic confirmation + attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also + tracked as TROVE-2017-009 and CVE-2017-8819. + + diff --git a/src/or/rendservice.c b/src/or/rendservice.c index d958de9df..ba8891ead 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1162,6 +1162,7 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, time_t now = time(NULL); time_t elapsed; int replay; + size_t keylen; /* Do some initial validation and logging before we parse the cell */ if (circuit->base_.purpose != CIRCUIT_PURPOSE_S_INTRO) { @@ -1245,9 +1246,10 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, } /* check for replay of PK-encrypted portion. */ + keylen = crypto_pk_keysize(intro_key); replay = replaycache_add_test_and_elapsed( intro_point->accepted_intro_rsa_parts, - parsed_req->ciphertext, parsed_req->ciphertext_len, + parsed_req->ciphertext, MIN(parsed_req->ciphertext_len, keylen), &elapsed); if (replay) {

1 0

[tor/maint-0.3.1] Fix changes file
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 75509dc82778a3bb866dca0fa86ae3e179ad78fa Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Nov 30 11:52:40 2017 -0500 Fix changes file --- changes/trove-2017-009 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changes/trove-2017-009 b/changes/trove-2017-009 index 512d18c29..166a5faec 100644 --- a/changes/trove-2017-009 +++ b/changes/trove-2017-009 @@ -1,4 +1,4 @@ - o Major fixes (security): + o Major bugfixes (security): - When checking for replays in the INTRODUCE1 cell data for a (legacy) hiddden service, correctly detect replays in the RSA-encrypted part of the cell. We were previously checking for replays on the entire cell,

1 0

[tor/maint-0.3.1] Guard: Don't pick ourselves as a possible Guard
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 91cee3c9e73aba089804cd88305115fc3ab1f76c Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Nov 28 19:09:13 2017 -0500 Guard: Don't pick ourselves as a possible Guard TROVE-2017-12. Severity: Medium Thankfully, tor will close any circuits that we try to extend to ourselves so this is not problematic but annoying. Part of #21534. --- changes/trove-2017-012-part2 | 5 +++++ src/or/entrynodes.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/changes/trove-2017-012-part2 b/changes/trove-2017-012-part2 new file mode 100644 index 000000000..ed994c5b0 --- /dev/null +++ b/changes/trove-2017-012-part2 @@ -0,0 +1,5 @@ + o Major bugfixes (security, relay): + - When running as a relay, make sure that we never ever choose ourselves + as a guard. Previously, this was possible. Fixes part of bug 21534; + bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 + and CVE-2017-8822. diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index d762afdcf..0109da8e0 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -740,7 +740,8 @@ node_is_possible_guard(const node_t *node) node->is_stable && node->is_fast && node->is_valid && - node_is_dir(node)); + node_is_dir(node) && + !router_digest_is_me(node->identity)); } /**

1 0

[tor/maint-0.3.1] hs-v2: Remove any expiring intro from the retry list
by nickm＠torproject.org 01 Dec '17

01 Dec '17

commit 3030741b5d24e9ae36e6d72c6a8c7d035fde9d2a Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Nov 21 10:16:08 2017 -0500 hs-v2: Remove any expiring intro from the retry list TROVE-2017-13. Severity: High. In the unlikely case that a hidden service could be missing intro circuit(s), that it didn't have enough directory information to open new circuits and that an intro point was about to expire, a use-after-free is possible because of the intro point object being both in the retry list and expiring list at the same time. The intro object would get freed after the circuit failed to open and then access a second time when cleaned up from the expiring list. Fixes #24313 --- changes/bug24313 | 5 +++++ src/or/rendservice.c | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/changes/bug24313 b/changes/bug24313 new file mode 100644 index 000000000..b927ec3ba --- /dev/null +++ b/changes/bug24313 @@ -0,0 +1,5 @@ + o Major bugfixes (security, hidden service v2): + - Fix a use-after-free error that could crash v2 Tor hidden services + when it failed to open circuits while expiring introductions + points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This + issue is also tracked as TROVE-2017-013 and CVE-2017-8823. diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 0a5b5efd5..cbf998136 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -3444,6 +3444,10 @@ remove_invalid_intro_points(rend_service_t *service, log_info(LD_REND, "Expiring %s as intro point for %s.", safe_str_client(extend_info_describe(intro->extend_info)), safe_str_client(service->service_id)); + /* We might have put it in the retry list if so, undo. */ + if (retry_nodes) { + smartlist_remove(retry_nodes, intro); + } smartlist_add(service->expiring_nodes, intro); SMARTLIST_DEL_CURRENT(service->intro_nodes, intro); /* Intro point is expired, we need a new one thus don't consider it

1 0