Control: tags -1 moreinfo confirmed

On 2021-05-17 06:53:02 +0000, Peter Palfrader wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> I would like to update Tor in bullseye from 0.4.5.7-1 to 0.4.5.8-1.
> Tor 0.4.5.8 is an upstream stable release.

ACK, please remove the moreinfo tag once the new version is available in
unstable.

Cheers

>
>
> unblock tor/0.4.5.8-1
>
>
> Please let me know if I may upload to unstable.
>
> An upstream diff is attached. I cut the geoip databases and the fallback
> directory mirror lists. The ./debian/ diff is expected to contain only an
> update to the changelog. It does not yet exist, but I can provide it
> when needed.
>
> The upstream changelog entry follows.
>
> Cheers,
>
> } Changes in version 0.4.5.8 - 2021-05-10
> }   Tor 0.4.5.8 fixes several bugs in earlier versions, backporting fixes
> }   from the 0.4.6.x series.
> }
> }   o Minor features (compatibility, Linux seccomp sandbox, backport
> }     from 0.4.6.3-rc):
> }     - Add a workaround to enable the Linux sandbox to work correctly
> }       with Glibc 2.33. This version of Glibc has started using the
> }       fstatat() system call, which previously our sandbox did not allow.
> }       Closes ticket 40382; see the ticket for a discussion of trade-offs.
> }
> }   o Minor features (compilation, backport from 0.4.6.3-rc):
> }     - Make the autoconf script build correctly with autoconf versions
> }       2.70 and later. Closes part of ticket 40335.
> }
> }   o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
> }     - Regenerate the list of fallback directories to contain a new set
> }       of 200 relays. Closes ticket 40265.
> }
> }   o Minor features (geoip data):
> }     - Update the geoip files to match the IPFire Location Database, as
> }       retrieved on 2021/05/07.
> }
> }   o Minor features (onion services):
> }     - Add warning message when connecting to now deprecated v2 onion
> }       services. As announced, Tor 0.4.5.x is the last series that will
> }       support v2 onions. Closes ticket 40373.
> }
> }   o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
> }     - Fix a regression that made it impossible to start Tor using a bridge
> }       line with a transport name and no fingerprint. Fixes bug 40360;
> }       bugfix on 0.4.5.4-rc.
> }
> }   o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
> }     - Allow a custom "ar" for cross-compilation. Our previous build
> }       script had used the $AR environment variable in most places, but
> }       it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
> }
> }   o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
> }     - Fix a non-fatal BUG() message due to a too-early free of a string,
> }       when listing a client connection from the DoS defenses subsystem.
> }       Fixes bug 40345; bugfix on 0.4.3.4-rc.
> }
> }   o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
> }     - Fix an indentation problem that led to a warning from GCC 11.1.1.
> }       Fixes bug 40380; bugfix on 0.3.0.1-alpha.
> }
> }   o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
> }     - Fix a "BUG" warning that would appear when a controller chooses
> }       the first hop for a circuit, and that circuit completes. Fixes bug
> }       40285; bugfix on 0.3.2.1-alpha.
> }
> }   o Minor bugfixes (onion service, client, memory leak, backport from
> }     0.4.6.3-rc):
> }     - Fix a bug where an expired cached descriptor could get overwritten
> }       with a new one without freeing it, leading to a memory leak. Fixes
> }       bug 40356; bugfix on 0.3.5.1-alpha.
> }
> }   o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
> }     - Fix pattern-matching errors when patterns expand to invalid paths
> }       on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
> }       Daniel Pinto.
>
> --
>                             |  .''`.  ** Debian **
>        Peter Palfrader      | : :' :      The  universal
>  https://www.palfrader.org/ | `. `'      Operating System
>                             |   `-    https://www.debian.org/
> diff --git a/ChangeLog b/ChangeLog > index a2052fa55f..1c3cbdc82f 100644 > --- a/ChangeLog > +++ b/ChangeLog 
> @@ -1,3 +1,65 @@ > +Changes in version 0.4.5.8 - 2021-05-10 > + Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes > + from the 0.4.6.x series. > + > + o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc): > + - Add a workaround to enable the Linux sandbox to work correctly > + with Glibc 2.33. This version of Glibc has started using the > + fstatat() system call, which previously our sandbox did not allow. > + Closes ticket 40382; see the ticket for a discussion of trade-offs. > + > + o Minor features (compilation, backport from 0.4.6.3-rc): > + - Make the autoconf script build correctly with autoconf versions > + 2.70 and later. Closes part of ticket 40335. > + > + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): > + - Regenerate the list of fallback directories to contain a new set > + of 200 relays. Closes ticket 40265. > + > + o Minor features (geoip data): > + - Update the geoip files to match the IPFire Location Database, as > + retrieved on 2021/05/07. > + > + o Minor features (onion services): > + - Add warning message when connecting to now deprecated v2 onion > + services. As announced, Tor 0.4.5.x is the last series that will > + support v2 onions. Closes ticket 40373. > + > + o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha): > + - Fix a regression that made it impossible start Tor using a bridge > + line with a transport name and no fingerprint. Fixes bug 40360; > + bugfix on 0.4.5.4-rc. > + > + o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc): > + - Allow a custom "ar" for cross-compilation. Our previous build > + script had used the $AR environment variable in most places, but > + it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha. 
> + > + o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha): > + - Fix a non-fatal BUG() message due to a too-early free of a string, > + when listing a client connection from the DoS defenses subsystem. > + Fixes bug 40345; bugfix on 0.4.3.4-rc. > + > + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): > + - Fix an indentation problem that led to a warning from GCC 11.1.1. > + Fixes bug 40380; bugfix on 0.3.0.1-alpha. > + > + o Minor bugfixes (controller, backport from 0.4.6.1-alpha): > + - Fix a "BUG" warning that would appear when a controller chooses > + the first hop for a circuit, and that circuit completes. Fixes bug > + 40285; bugfix on 0.3.2.1-alpha. > + > + o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc): > + - Fix a bug where an expired cached descriptor could get overwritten > + with a new one without freeing it, leading to a memory leak. Fixes > + bug 40356; bugfix on 0.3.5.1-alpha. > + > + o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha): > + - Fix pattern-matching errors when patterns expand to invalid paths > + on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by > + Daniel Pinto. > + > + > Changes in version 0.4.5.7 - 2021-03-16 > Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier > versions of Tor. > diff --git a/configure.ac b/configure.ac > index 0f2d6567e1..621fbd1612 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc. > dnl See LICENSE for licensing information > > AC_PREREQ([2.63]) > -AC_INIT([tor],[0.4.5.7]) > +AC_INIT([tor],[0.4.5.8]) > AC_CONFIG_SRCDIR([src/app/main/tor_main.c]) > AC_CONFIG_MACRO_DIR([m4]) 
> > @@ -16,7 +16,7 @@ configure_flags="$*" > # version number changes. Tor uses it to make sure that it > # only shuts down for missing "required protocols" when those protocols > # are listed as required by a consensus after this date. > -AC_DEFINE(APPROX_RELEASE_DATE, ["2021-03-15"], # for 0.4.5.7 > +AC_DEFINE(APPROX_RELEASE_DATE, ["2021-05-07"], # for 0.4.5.8 > [Approximate date when this software was released. (Updated when the version changes.)]) > > # "foreign" means we don't follow GNU package layout standards > @@ -441,7 +441,11 @@ AM_CONDITIONAL(BUILD_MANPAGE, [test "x$enable_manpage" != "xno"]) > AM_CONDITIONAL(BUILD_HTML_DOCS, [test "x$enable_html_manual" != "xno"]) > > AM_PROG_CC_C_O > -AC_PROG_CC_C99 > + > +dnl Before autoconf 2.70, AC_PROG_CC_C99 is supposedly necessary for some > +dnl compilers if you wan't C99 support. Starting with 2.70, it is obsolete and > +dnl forbidden. > +m4_version_prereq([2.70], [:], [AC_PROG_CC_C99]) > > AC_CACHE_CHECK([for Python 3], [tor_cv_PYTHON], > [AC_PATH_PROGS_FEATURE_CHECK([PYTHON], [ \ > diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in > index e599a0857a..580f189525 100644 > --- a/contrib/win32build/tor-mingw.nsi.in > +++ b/contrib/win32build/tor-mingw.nsi.in > @@ -8,7 +8,7 @@ > !include "LogicLib.nsh" > !include "FileFunc.nsh" > !insertmacro GetParameters > -!define VERSION "0.4.5.7" > +!define VERSION "0.4.5.8" > !define INSTALLER "tor-${VERSION}-win32.exe" > !define WEBSITE "https://www.torproject.org/" > !define LICENSE "LICENSE" > diff --git a/scripts/build/combine_libs b/scripts/build/combine_libs > index fb311552fe..9c87f68248 100755 > --- a/scripts/build/combine_libs > +++ b/scripts/build/combine_libs > @@ -25,7 +25,7 @@ for input in "$@"; do > dir="$TMPDIR"/$(basename "$input" .a) > mkdir "$dir" > cd "$dir">/dev/null > - ar x "$abs" > + "${AR:-ar}" x "$abs" > done > > cd "$TMPDIR" >/dev/null 
> diff --git a/src/app/config/fallback_dirs.inc b/src/app/config/fallback_dirs.inc > index a7ef39bb96..4f43a4ba6e 100644 > --- a/src/app/config/fallback_dirs.inc > +++ b/src/app/config/fallback_dirs.inc > @@ -1,804 +1,1076 @@ > /* type=fallback */ > -/* version=3.0.0 */ > -/* timestamp=20200723133610 */ > +/* version=4.0.0 */ > +/* timestamp=20210412000000 */ > /* source=offer-list */ > + > +"62.78.194.4 orport=9001 id=BD5609383472735292627DB86D92A29F3CFEE52A" > +/* nickname=Unnamed */ > +/* extrainfo=0 */ > /* ===== */ > > [...] > > diff --git a/src/config/geoip b/src/config/geoip > index 3dce65ed00..222bb1be87 100644 > --- a/src/config/geoip > +++ b/src/config/geoip > @@ -7,7 +7,7 @@ > # > # Location Database Export > # > -# Generated: Fri, 12 Mar 2021 05:05:24 GMT > +# Generated: Fri, 07 May 2021 05:18:14 GMT > # Vendor: IPFire Project > # License: CC BY-SA 4.0 > # > > [...] > diff --git a/src/config/geoip6 b/src/config/geoip6 > index 79a0c627a2..4718eaa827 100644 > --- a/src/config/geoip6 > +++ b/src/config/geoip6 > @@ -7,7 +7,7 @@ > # > # Location Database Export > # > -# Generated: Fri, 12 Mar 2021 05:05:24 GMT > +# Generated: Fri, 07 May 2021 05:18:14 GMT > # Vendor: IPFire Project > # License: CC BY-SA 4.0 > # > > [...] > diff --git a/src/core/or/channel.c b/src/core/or/channel.c > index 26c93d169f..1ac029c152 100644 > --- a/src/core/or/channel.c > +++ b/src/core/or/channel.c > @@ -1882,11 +1882,11 @@ channel_do_open_actions(channel_t *chan) > geoip_note_client_seen(GEOIP_CLIENT_CONNECT, > &remote_addr, transport_name, > now); > - tor_free(transport_name); > /* Notify the DoS subsystem of a new client. */ > if (tlschan && tlschan->conn) { > dos_new_client_conn(tlschan->conn, transport_name); > } > + tor_free(transport_name); > } > /* Otherwise the underlying transport can't tell us this, so skip it */ > } > diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c > index c0c918abe4..78501c0aa2 100644 > --- a/src/core/or/circuitbuild.c 
> +++ b/src/core/or/circuitbuild.c > @@ -881,14 +881,22 @@ circuit_pick_extend_handshake(uint8_t *cell_type_out, > } > > /** > - * Return true iff <b>purpose</b> is a purpose for a circuit which is > - * allowed to have no guard configured, even if the circuit is multihop > + * Return true iff <b>circ</b> is allowed > + * to have no guard configured, even if the circuit is multihop > * and guards are enabled. > */ > static int > -circuit_purpose_may_omit_guard(int purpose) > +circuit_may_omit_guard(const origin_circuit_t *circ) > { > - switch (purpose) { > + if (BUG(!circ)) > + return 0; > + > + if (circ->first_hop_from_controller) { > + /* The controller picked the first hop: that bypasses the guard system. */ > + return 1; > + } > + > + switch (circ->base_.purpose) { > case CIRCUIT_PURPOSE_TESTING: > case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT: > /* Testing circuits may omit guards because they're measuring > @@ -1019,7 +1027,7 @@ circuit_build_no_more_hops(origin_circuit_t *circ) > guard_usable_t r; > if (! circ->guard_state) { > if (circuit_get_cpath_len(circ) != 1 && > - ! circuit_purpose_may_omit_guard(circ->base_.purpose) && > + ! circuit_may_omit_guard(circ) && > get_options()->UseEntryGuards) { > log_warn(LD_BUG, "%d-hop circuit %p with purpose %d has no " > "guard state", > diff --git a/src/core/or/circuitlist.h b/src/core/or/circuitlist.h > index 3178e6cd0d..bd4a117e26 100644 > --- a/src/core/or/circuitlist.h > +++ b/src/core/or/circuitlist.h > @@ -118,7 +118,8 @@ > * bandwidth measurement, reachability test and address discovery from an > * authority using the NETINFO cell. */ > #define CIRCUIT_PURPOSE_TESTING 21 > -/** A controller made this circuit and Tor should not use it. */ > +/** A controller made this circuit and Tor should not cannibalize it or attach > + * streams to it without explicitly being told. */ > #define CIRCUIT_PURPOSE_CONTROLLER 22 > /** This circuit is used for path bias probing only */ > #define CIRCUIT_PURPOSE_PATH_BIAS_TESTING 23 
> diff --git a/src/core/or/circuituse.c b/src/core/or/circuituse.c > index 0f3fc29361..059e43ec47 100644 > --- a/src/core/or/circuituse.c > +++ b/src/core/or/circuituse.c > @@ -1320,10 +1320,10 @@ circuit_predict_and_launch_new(void) > if (router_have_consensus_path() == CONSENSUS_PATH_INTERNAL) > flags |= CIRCLAUNCH_IS_INTERNAL; > > - log_info(LD_CIRC, > - "Have %d clean circs need another buildtime test circ.", num); > - circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags); > - return; > + log_info(LD_CIRC, > + "Have %d clean circs need another buildtime test circ.", num); > + circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags); > + return; > } > } > > diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c > index a33c64fe19..7f260ba185 100644 > --- a/src/core/or/connection_edge.c > +++ b/src/core/or/connection_edge.c > @@ -2582,6 +2582,16 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn, > tor_assert(addresstype == ONION_V2_HOSTNAME || > addresstype == ONION_V3_HOSTNAME); > tor_assert(!automap); > + > + if (addresstype == ONION_V2_HOSTNAME) { > + log_warn(LD_PROTOCOL, > + "Warning! You've just connected to a v2 onion address. These " > + "addresses are deprecated for security reasons, and are no " > + "longer supported in Tor. Please encourage the site operator " > + "to upgrade. For more information see " > + "https://blog.torproject.org/v2-deprecation-timeline"); > + } > + > return connection_ap_handle_onion(conn, socks, circ, addresstype); > } > > diff --git a/src/core/or/origin_circuit_st.h b/src/core/or/origin_circuit_st.h > index a45a6573dc..c40e84aed8 100644 > --- a/src/core/or/origin_circuit_st.h > +++ b/src/core/or/origin_circuit_st.h 
> @@ -170,6 +170,18 @@ struct origin_circuit_t { > * not try to negotiate further circuit padding. */ > unsigned padding_negotiation_failed : 1; > > + /** > + * If this flag is set, then a controller chose the first hop of this > + * circuit's path, and it's okay to ignore checks that we'd usually do > + * on this circuit's first hop. > + * > + * This flag is distinct from the CIRCUIT_PURPOSE_CONTROLLER purpose: the > + * purpose indicates _what tor can use the circuit for_. Controller-created > + * circuits can still have the CIRCUIT_PURPOSE_GENERAL purpose if Tor is > + * allowed to attach streams to them. > + */ > + unsigned first_hop_from_controller : 1; > + > /** > * Tristate variable to guard against pathbias miscounting > * due to circuit purpose transitions changing the decision > diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c > index 232216c521..82866ea668 100644 > --- a/src/feature/client/entrynodes.c > +++ b/src/feature/client/entrynodes.c > @@ -804,9 +804,6 @@ get_sampled_guard_for_bridge(guard_selection_t *gs, > entry_guard_t *guard; > if (BUG(!addrport)) > return NULL; // LCOV_EXCL_LINE > - if (bridge_has_invalid_transport(bridge)) { > - return NULL; > - } > guard = get_sampled_guard_by_bridge_addr(gs, addrport); > if (! guard || (id && tor_memneq(id, guard->identity, DIGEST_LEN))) > return NULL; > diff --git a/src/feature/control/control_cmd.c b/src/feature/control/control_cmd.c > index 5b75c24692..0456d709f5 100644 > --- a/src/feature/control/control_cmd.c > +++ b/src/feature/control/control_cmd.c > @@ -819,6 +819,7 @@ handle_control_extendcircuit(control_connection_t *conn, > if (zero_circ) { > /* start a new circuit */ > circ = origin_circuit_init(intended_purpose, 0); > + circ->first_hop_from_controller = 1; > } > > /* now circ refers to something that is ready to be extended */ > diff --git a/src/feature/hs/hs_cache.c b/src/feature/hs/hs_cache.c > index c1334a7d27..9c35936748 100644 
> --- a/src/feature/hs/hs_cache.c > +++ b/src/feature/hs/hs_cache.c > @@ -353,6 +353,31 @@ static digest256map_t *hs_cache_v3_client; > * objects all related to a specific service. */ > static digest256map_t *hs_cache_client_intro_state; > > +#define cache_client_desc_free(val) \ > + FREE_AND_NULL(hs_cache_client_descriptor_t, cache_client_desc_free_, (val)) > + > +/** Free memory allocated by <b>desc</b>. */ > +static void > +cache_client_desc_free_(hs_cache_client_descriptor_t *desc) > +{ > + if (desc == NULL) { > + return; > + } > + hs_descriptor_free(desc->desc); > + memwipe(&desc->key, 0, sizeof(desc->key)); > + memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc)); > + tor_free(desc->encoded_desc); > + tor_free(desc); > +} > + > +/** Helper function: Use by the free all function to clear the client cache */ > +static void > +cache_client_desc_free_void(void *ptr) > +{ > + hs_cache_client_descriptor_t *desc = ptr; > + cache_client_desc_free(desc); > +} > + > /** Return the size of a client cache entry in bytes. */ > static size_t > cache_get_client_entry_size(const hs_cache_client_descriptor_t *entry) 
> @@ -390,7 +415,18 @@ remove_v3_desc_as_client(const hs_cache_client_descriptor_t *desc) > static void > store_v3_desc_as_client(hs_cache_client_descriptor_t *desc) > { > + hs_cache_client_descriptor_t *cached_desc; > + > tor_assert(desc); > + > + /* Because the lookup function doesn't return an expired entry, it can linger > + * in the cache until we clean it up or a new descriptor is stored. So, > + * before adding, we'll make sure we are not overwriting an old descriptor > + * (which is OK in terms of semantic) but leads to memory leak. */ > + cached_desc = digest256map_get(hs_cache_v3_client, desc->key.pubkey); > + if (cached_desc) { > + cache_client_desc_free(cached_desc); > + } > digest256map_set(hs_cache_v3_client, desc->key.pubkey, desc); > /* Update cache size with this entry for the OOM handler. */ > rend_cache_increment_allocation(cache_get_client_entry_size(desc)); > @@ -473,31 +509,6 @@ cache_client_desc_new(const char *desc_str, > return client_desc; > } > > -#define cache_client_desc_free(val) \ > - FREE_AND_NULL(hs_cache_client_descriptor_t, cache_client_desc_free_, (val)) > - > -/** Free memory allocated by <b>desc</b>. */ > -static void > -cache_client_desc_free_(hs_cache_client_descriptor_t *desc) > -{ > - if (desc == NULL) { > - return; > - } > - hs_descriptor_free(desc->desc); > - memwipe(&desc->key, 0, sizeof(desc->key)); > - memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc)); > - tor_free(desc->encoded_desc); > - tor_free(desc); > -} > - > -/** Helper function: Use by the free all function to clear the client cache */ > -static void > -cache_client_desc_free_void(void *ptr) > -{ > - hs_cache_client_descriptor_t *desc = ptr; > - cache_client_desc_free(desc); > -} > - > /** Return a newly allocated and initialized hs_cache_intro_state_t object. */ > static hs_cache_intro_state_t * > cache_intro_state_new(void) > diff --git a/src/lib/fs/path.c b/src/lib/fs/path.c > index c2fdddb9db..81960bd69a 100644 > --- a/src/lib/fs/path.c 
> +++ b/src/lib/fs/path.c > @@ -571,6 +571,19 @@ wrap_closedir(void *arg) > { > closedir(arg); > } > + > +/** Function passed to glob to handle processing errors. <b>epath</b> is the > + * path that caused the error and <b>eerrno</b> is the errno set by the > + * function that failed. We want to ignore ENOENT and ENOTDIR because, in BSD > + * systems, these are not ignored automatically, which makes glob fail when > + * globs expand to non-existing paths and GLOB_ERR is set. > + */ > +static int > +glob_errfunc(const char *epath, int eerrno) > +{ > + (void)epath; > + return eerrno == ENOENT || eerrno == ENOTDIR ? 0 : -1; > +} > #endif /* defined(HAVE_GLOB) */ > > /** Return a new list containing the paths that match the pattern > @@ -591,7 +604,7 @@ tor_glob(const char *pattern) > tor_free(pattern_normalized); > #elif HAVE_GLOB /* !(defined(_WIN32)) */ > glob_t matches; > - int flags = GLOB_ERR | GLOB_NOSORT; > + int flags = GLOB_NOSORT; > #ifdef GLOB_ALTDIRFUNC > /* use functions that call sandbox_intern_string */ > flags |= GLOB_ALTDIRFUNC; > @@ -604,7 +617,10 @@ tor_glob(const char *pattern) > matches.gl_stat = &prot_stat; > matches.gl_lstat = &prot_lstat; > #endif /* defined(GLOB_ALTDIRFUNC) */ > - int ret = glob(pattern, flags, NULL, &matches); > + // use custom error handler to workaround BSD quirks and do not set GLOB_ERR > + // because it would make glob fail on error even if the error handler ignores > + // the error > + int ret = glob(pattern, flags, glob_errfunc, &matches); > if (ret == GLOB_NOMATCH) { > return smartlist_new(); > } else if (ret != 0) { > diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c > index 168dfd943c..fc90dbe062 100644 > --- a/src/lib/sandbox/sandbox.c > +++ b/src/lib/sandbox/sandbox.c 
> @@ -1608,6 +1608,28 @@ add_noparam_filter(scmp_filter_ctx ctx) > } > } > > + if (is_libc_at_least(2, 33)) { > +#ifdef __NR_newfstatat > + // Libc 2.33 uses this syscall to implement both fstat() and stat(). > + // > + // The trouble is that to implement fstat(fd, &st), it calls: > + // newfstatat(fs, "", &st, AT_EMPTY_PATH) > + // We can't detect this usage in particular, because "" is a pointer > + // we don't control. And we can't just look for AT_EMPTY_PATH, since > + // AT_EMPTY_PATH only has effect when the path string is empty. > + // > + // So our only solution seems to be allowing all fstatat calls, which > + // means that an attacker can stat() anything on the filesystem. That's > + // not a great solution, but I can't find a better one. > + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat)); > + if (rc != 0) { > + log_err(LD_BUG,"(Sandbox) failed to add newfstatat() syscall; " > + "received libseccomp error %d", rc); > + return rc; > + } > +#endif > + } > + > return 0; > } > > diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h > index 9a138c0928..06e6ad8ff7 100644 > --- a/src/win32/orconfig.h > +++ b/src/win32/orconfig.h > @@ -217,7 +217,7 @@ > #define USING_TWOS_COMPLEMENT > > /* Version number of package */ > -#define VERSION "0.4.5.7" > +#define VERSION "0.4.5.8" > > #define HAVE_STRUCT_SOCKADDR_IN6 > #define HAVE_STRUCT_IN6_ADDR -- Sebastian Ramacher
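Review bot: two grammar slips in the new ChangeLog hunk: "fixes several bugs in earlier version" should read "earlier versions", and "made it impossible start Tor using a bridge line" is missing "to" ("impossible to start Tor").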
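Review bot: typo in the new dnl comment in the configure.ac AC_PROG_CC_C99 hunk: "if you wan't C99 support" should be "if you want C99 support". The replacement `m4_version_prereq([2.70], [:], [AC_PROG_CC_C99])` has the right shape, since the macro is only expanded on autoconf releases older than 2.70, where it is still needed.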
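Review bot: moving `tor_free(transport_name);` below the `dos_new_client_conn(tlschan->conn, transport_name);` call in channel_do_open_actions() (channel.c) is the right fix, since the DoS subsystem was previously handed an already-freed string; it is worth confirming in the same change that dos_new_client_conn() copies transport_name rather than retaining the pointer, because the string is now released immediately after the call returns.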
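Review bot: the doc comment on the renamed circuit_may_omit_guard() in circuitbuild.c still describes only the purpose-based rule, but the function now also returns 1 whenever `circ->first_hop_from_controller` is set; the comment should say that a controller-chosen first hop bypasses the guard check, since that is the behavioural change that silences the "has no guard state" warning in circuit_build_no_more_hops(). The early `if (BUG(!circ)) return 0;` and the switch on `circ->base_.purpose` otherwise keep the old result for every purpose.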
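Review bot: the new log_warn in connection_ap_handshake_rewrite_and_attach() (connection_edge.c) fires on every v2 connection with no rate limiting, so an application that retries a v2 address in a loop will flood the log at warn level; a rate-limited log, or logging once per address, would be kinder to operators. The message text also says v2 addresses "are no longer supported in Tor", which contradicts the ChangeLog entry in the same patch stating that 0.4.5.x is the last series that still supports v2 onions; "will no longer be supported" would match the release notes.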
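Review bot: the new field comment in origin_circuit_st.h refers to "the CIRCUIT_PURPOSE_GENERAL purpose", but the identifier used elsewhere in this patch (`circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags);` in circuituse.c) is CIRCUIT_PURPOSE_C_GENERAL; the comment should use the real name so that a grep for the constant finds this explanation.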
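Review bot: the hunk in get_sampled_guard_for_bridge() (entrynodes.c) deletes the `bridge_has_invalid_transport(bridge)` early return with no replacement and no comment; confirm that a bridge whose transport is not configured is still rejected at bridge-line parse time or at connection time, otherwise such a bridge will now be sampled as a guard and only fail later, which is harder to diagnose than the startup failure this hunk is meant to fix. The ChangeLog entry for bug 40360 gives the motivation, but a one-line comment at the deletion site saying where the check now lives would help the next reader.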
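Review bot: in store_v3_desc_as_client() (hs_cache.c), evicting the stale entry with `cache_client_desc_free(cached_desc);` releases the memory but leaves the cache-size accounting untouched: the function adds the new entry's size via `rend_cache_increment_allocation(cache_get_client_entry_size(desc));` a few lines later, and the old entry's size, added the same way when it was stored, is never subtracted, so the OOM handler's view of the client cache drifts upward with every overwrite. The hunk header shows remove_v3_desc_as_client() already exists; evicting the old entry through that path, or decrementing with the matching allocation helper before freeing, would keep the counter consistent. Minor wording: "(which is OK in terms of semantic)" in the new comment should read "(which is fine semantically)", and the moved helper comment "Use by the free all function" should be "Used by".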
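Review bot: glob_errfunc() in path.c treats only ENOENT and ENOTDIR as ignorable and returns -1 for every other errno, so with GLOB_ERR dropped an EACCES on any path component still aborts the whole glob; that is the conservative choice for config-file globs, but the doc comment only mentions the BSD motivation and should state that other errors remain fatal. The `a || b ? 0 : -1` expression parses as intended because `?:` binds looser than `||`, though parentheses would make that obvious. Style: the new explanation above the glob() call uses // comments while the rest of the file hunk uses /* */.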
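Review bot: the newfstatat allow rule in add_noparam_filter() (sandbox.c) sits inside `#ifdef __NR_newfstatat` with no `#else`, so on any ABI where glibc 2.33 routes stat()/fstat() through a different syscall number (for example a 32-bit fstatat64 variant) the workaround silently compiles to nothing and the original sandbox failure remains; either cover that syscall too or emit a log line saying the case is unhandled. The rule also allows newfstatat for any path, as the comment acknowledges, which widens what a compromised process can learn about the filesystem; the ChangeLog's pointer to the ticket is adequate for the trade-off, but the source comment should name the ticket as well. Style: `log_err(LD_BUG,"(Sandbox) ...` is missing the space after the comma that the surrounding calls use.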
Attachment:
signature.asc
Description: PGP signature