
Bug#988634: unblock: tor/0.4.5.8-1



Control: tags -1 moreinfo confirmed

On 2021-05-17 06:53:02 +0000, Peter Palfrader wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> I would like to update Tor in bullseye from 0.4.5.7-1 to 0.4.5.8-1.
> Tor 0.4.5.8 is an upstream stable release.

ACK, please remove the moreinfo tag once the new version is available in
unstable.

Cheers

> 
> 
> unblock tor/0.4.5.8-1
> 
> 
> Please let me know if I may upload to unstable.
> 
> An upstream diff is attached.  I cut the geoip databases and the fallback
> directory mirror lists.  The ./debian/ diff is expected to contain only an
> update to the changelog.  It does not yet exist, but I can provide it
> when needed.
> 
> The upstream changelog entry follows.
> 
> Cheers,
> 
> } Changes in version 0.4.5.8 - 2021-05-10
> }   Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
> }   from the 0.4.6.x series.
> } 
> }   o Minor features (compatibility, Linux seccomp sandbox, backport
> } from 0.4.6.3-rc):
> }     - Add a workaround to enable the Linux sandbox to work correctly
> }       with Glibc 2.33. This version of Glibc has started using the
> }       fstatat() system call, which previously our sandbox did not allow.
> }       Closes ticket 40382; see the ticket for a discussion of trade-offs.
> } 
> }   o Minor features (compilation, backport from 0.4.6.3-rc):
> }     - Make the autoconf script build correctly with autoconf versions
> }       2.70 and later. Closes part of ticket 40335.
> } 
> }   o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
> }     - Regenerate the list of fallback directories to contain a new set
> }       of 200 relays. Closes ticket 40265.
> } 
> }   o Minor features (geoip data):
> }     - Update the geoip files to match the IPFire Location Database, as
> }       retrieved on 2021/05/07.
> } 
> }   o Minor features (onion services):
> }     - Add warning message when connecting to now deprecated v2 onion
> }       services. As announced, Tor 0.4.5.x is the last series that will
> }       support v2 onions. Closes ticket 40373.
> } 
> }   o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
> }     - Fix a regression that made it impossible start Tor using a bridge
> }       line with a transport name and no fingerprint. Fixes bug 40360;
> }       bugfix on 0.4.5.4-rc.
> } 
> }   o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
> }     - Allow a custom "ar" for cross-compilation. Our previous build
> }       script had used the $AR environment variable in most places, but
> }       it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
> } 
> }   o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
> }     - Fix a non-fatal BUG() message due to a too-early free of a string,
> }       when listing a client connection from the DoS defenses subsystem.
> }       Fixes bug 40345; bugfix on 0.4.3.4-rc.
> } 
> }   o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
> }     - Fix an indentation problem that led to a warning from GCC 11.1.1.
> }       Fixes bug 40380; bugfix on 0.3.0.1-alpha.
> } 
> }   o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
> }     - Fix a "BUG" warning that would appear when a controller chooses
> }       the first hop for a circuit, and that circuit completes. Fixes bug
> }       40285; bugfix on 0.3.2.1-alpha.
> } 
> }   o Minor bugfixes (onion service, client, memory leak, backport from
> } 0.4.6.3-rc):
> }     - Fix a bug where an expired cached descriptor could get overwritten
> }       with a new one without freeing it, leading to a memory leak. Fixes
> }       bug 40356; bugfix on 0.3.5.1-alpha.
> } 
> }   o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
> }     - Fix pattern-matching errors when patterns expand to invalid paths
> }       on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
> }       Daniel Pinto.
> 
> -- 
>                             |  .''`.       ** Debian **
>       Peter Palfrader       | : :' :      The  universal
>  https://www.palfrader.org/ | `. `'      Operating System
>                             |   `-    https://www.debian.org/

> diff --git a/ChangeLog b/ChangeLog
> index a2052fa55f..1c3cbdc82f 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,65 @@
> +Changes in version 0.4.5.8 - 2021-05-10
> +  Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
> +  from the 0.4.6.x series.
> +
> +  o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
> +    - Add a workaround to enable the Linux sandbox to work correctly
> +      with Glibc 2.33. This version of Glibc has started using the
> +      fstatat() system call, which previously our sandbox did not allow.
> +      Closes ticket 40382; see the ticket for a discussion of trade-offs.
> +
> +  o Minor features (compilation, backport from 0.4.6.3-rc):
> +    - Make the autoconf script build correctly with autoconf versions
> +      2.70 and later. Closes part of ticket 40335.
> +
> +  o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
> +    - Regenerate the list of fallback directories to contain a new set
> +      of 200 relays. Closes ticket 40265.
> +
> +  o Minor features (geoip data):
> +    - Update the geoip files to match the IPFire Location Database, as
> +      retrieved on 2021/05/07.
> +
> +  o Minor features (onion services):
> +    - Add warning message when connecting to now deprecated v2 onion
> +      services. As announced, Tor 0.4.5.x is the last series that will
> +      support v2 onions. Closes ticket 40373.
> +
> +  o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
> +    - Fix a regression that made it impossible start Tor using a bridge
> +      line with a transport name and no fingerprint. Fixes bug 40360;
> +      bugfix on 0.4.5.4-rc.
> +
> +  o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
> +    - Allow a custom "ar" for cross-compilation. Our previous build
> +      script had used the $AR environment variable in most places, but
> +      it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
> +
> +  o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
> +    - Fix a non-fatal BUG() message due to a too-early free of a string,
> +      when listing a client connection from the DoS defenses subsystem.
> +      Fixes bug 40345; bugfix on 0.4.3.4-rc.
> +
> +  o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
> +    - Fix an indentation problem that led to a warning from GCC 11.1.1.
> +      Fixes bug 40380; bugfix on 0.3.0.1-alpha.
> +
> +  o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
> +    - Fix a "BUG" warning that would appear when a controller chooses
> +      the first hop for a circuit, and that circuit completes. Fixes bug
> +      40285; bugfix on 0.3.2.1-alpha.
> +
> +  o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc):
> +    - Fix a bug where an expired cached descriptor could get overwritten
> +      with a new one without freeing it, leading to a memory leak. Fixes
> +      bug 40356; bugfix on 0.3.5.1-alpha.
> +
> +  o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
> +    - Fix pattern-matching errors when patterns expand to invalid paths
> +      on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
> +      Daniel Pinto.
> +
> +
>  Changes in version 0.4.5.7 - 2021-03-16
>    Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
>    versions of Tor.
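Review bot: two grammar slips in the new entry, both visible in the added lines: "Tor 0.4.5.8 fixes several bugs in earlier version" should read "earlier versions", and "made it impossible start Tor using a bridge line" should read "impossible to start Tor". The same text is quoted in the mail body above, so it is upstream wording; it is worth fixing upstream rather than in the Debian packaging.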
> diff --git a/configure.ac b/configure.ac
> index 0f2d6567e1..621fbd1612 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc.
>  dnl See LICENSE for licensing information
>  
>  AC_PREREQ([2.63])
> -AC_INIT([tor],[0.4.5.7])
> +AC_INIT([tor],[0.4.5.8])
>  AC_CONFIG_SRCDIR([src/app/main/tor_main.c])
>  AC_CONFIG_MACRO_DIR([m4])
>  
> @@ -16,7 +16,7 @@ configure_flags="$*"
>  # version number changes.  Tor uses it to make sure that it
>  # only shuts down for missing "required protocols" when those protocols
>  # are listed as required by a consensus after this date.
> -AC_DEFINE(APPROX_RELEASE_DATE, ["2021-03-15"], # for 0.4.5.7
> +AC_DEFINE(APPROX_RELEASE_DATE, ["2021-05-07"], # for 0.4.5.8
>            [Approximate date when this software was released. (Updated when the version changes.)])
>  
>  # "foreign" means we don't follow GNU package layout standards
> @@ -441,7 +441,11 @@ AM_CONDITIONAL(BUILD_MANPAGE, [test "x$enable_manpage" != "xno"])
>  AM_CONDITIONAL(BUILD_HTML_DOCS, [test "x$enable_html_manual" != "xno"])
>  
>  AM_PROG_CC_C_O
> -AC_PROG_CC_C99
> +
> +dnl Before autoconf 2.70, AC_PROG_CC_C99 is supposedly necessary for some
> +dnl compilers if you wan't C99 support. Starting with 2.70, it is obsolete and
> +dnl forbidden.
> +m4_version_prereq([2.70], [:], [AC_PROG_CC_C99])
>  
>  AC_CACHE_CHECK([for Python 3], [tor_cv_PYTHON],
>     [AC_PATH_PROGS_FEATURE_CHECK([PYTHON], [ \
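Review bot: typo in the new dnl comment, "if you wan't C99 support" should be "want". The m4_version_prereq([2.70], [:], [AC_PROG_CC_C99]) form is the right tool here: on autoconf 2.70 and later it expands to the shell no-op `:`, and on older versions it keeps the AC_PROG_CC_C99 call, so the generated configure script stays valid on both sides of the 2.70 change noted in ticket 40335.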
> diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in
> index e599a0857a..580f189525 100644
> --- a/contrib/win32build/tor-mingw.nsi.in
> +++ b/contrib/win32build/tor-mingw.nsi.in
> @@ -8,7 +8,7 @@
>  !include "LogicLib.nsh"
>  !include "FileFunc.nsh"
>  !insertmacro GetParameters
> -!define VERSION "0.4.5.7"
> +!define VERSION "0.4.5.8"
>  !define INSTALLER "tor-${VERSION}-win32.exe"
>  !define WEBSITE "https://www.torproject.org/";
>  !define LICENSE "LICENSE"
> diff --git a/scripts/build/combine_libs b/scripts/build/combine_libs
> index fb311552fe..9c87f68248 100755
> --- a/scripts/build/combine_libs
> +++ b/scripts/build/combine_libs
> @@ -25,7 +25,7 @@ for input in "$@"; do
>      dir="$TMPDIR"/$(basename "$input" .a)
>      mkdir "$dir"
>      cd "$dir">/dev/null
> -    ar x "$abs"
> +    "${AR:-ar}" x "$abs"
>  done
>  
>  cd "$TMPDIR" >/dev/null
> diff --git a/src/app/config/fallback_dirs.inc b/src/app/config/fallback_dirs.inc
> index a7ef39bb96..4f43a4ba6e 100644
> --- a/src/app/config/fallback_dirs.inc
> +++ b/src/app/config/fallback_dirs.inc
> @@ -1,804 +1,1076 @@
>  /* type=fallback */
> -/* version=3.0.0 */
> -/* timestamp=20200723133610 */
> +/* version=4.0.0 */
> +/* timestamp=20210412000000 */
>  /* source=offer-list */
> +
> +"62.78.194.4 orport=9001 id=BD5609383472735292627DB86D92A29F3CFEE52A"
> +/* nickname=Unnamed */
> +/* extrainfo=0 */
>  /* ===== */
> 
> [...]
> 
> diff --git a/src/config/geoip b/src/config/geoip
> index 3dce65ed00..222bb1be87 100644
> --- a/src/config/geoip
> +++ b/src/config/geoip
> @@ -7,7 +7,7 @@
>  #
>  # Location Database Export
>  #
> -# Generated: Fri, 12 Mar 2021 05:05:24 GMT
> +# Generated: Fri, 07 May 2021 05:18:14 GMT
>  # Vendor:    IPFire Project
>  # License:   CC BY-SA 4.0
>  #
> 
> [...]
> diff --git a/src/config/geoip6 b/src/config/geoip6
> index 79a0c627a2..4718eaa827 100644
> --- a/src/config/geoip6
> +++ b/src/config/geoip6
> @@ -7,7 +7,7 @@
>  #
>  # Location Database Export
>  #
> -# Generated: Fri, 12 Mar 2021 05:05:24 GMT
> +# Generated: Fri, 07 May 2021 05:18:14 GMT
>  # Vendor:    IPFire Project
>  # License:   CC BY-SA 4.0
>  #
> 
> [...]
> diff --git a/src/core/or/channel.c b/src/core/or/channel.c
> index 26c93d169f..1ac029c152 100644
> --- a/src/core/or/channel.c
> +++ b/src/core/or/channel.c
> @@ -1882,11 +1882,11 @@ channel_do_open_actions(channel_t *chan)
>          geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
>                                 &remote_addr, transport_name,
>                                 now);
> -        tor_free(transport_name);
>          /* Notify the DoS subsystem of a new client. */
>          if (tlschan && tlschan->conn) {
>            dos_new_client_conn(tlschan->conn, transport_name);
>          }
> +        tor_free(transport_name);
>        }
>        /* Otherwise the underlying transport can't tell us this, so skip it */
>      }
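Review bot: the move is correct. tor_free(transport_name) was running before dos_new_client_conn(tlschan->conn, transport_name), so the DoS subsystem was handed an already-freed pointer (NULL, since tor_free also clears its argument), which matches the "too-early free" BUG() described in the changelog for bug 40345. One thing to confirm outside this hunk: dos_new_client_conn() must copy transport_name rather than retain the pointer, because the string is now freed on the very next line.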
> diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c
> index c0c918abe4..78501c0aa2 100644
> --- a/src/core/or/circuitbuild.c
> +++ b/src/core/or/circuitbuild.c
> @@ -881,14 +881,22 @@ circuit_pick_extend_handshake(uint8_t *cell_type_out,
>  }
>  
>  /**
> - * Return true iff <b>purpose</b> is a purpose for a circuit which is
> - * allowed to have no guard configured, even if the circuit is multihop
> + * Return true iff <b>circ</b> is allowed
> + * to have no guard configured, even if the circuit is multihop
>   * and guards are enabled.
>   */
>  static int
> -circuit_purpose_may_omit_guard(int purpose)
> +circuit_may_omit_guard(const origin_circuit_t *circ)
>  {
> -  switch (purpose) {
> +  if (BUG(!circ))
> +    return 0;
> +
> +  if (circ->first_hop_from_controller) {
> +    /* The controller picked the first hop: that bypasses the guard system. */
> +    return 1;
> +  }
> +
> +  switch (circ->base_.purpose) {
>      case CIRCUIT_PURPOSE_TESTING:
>      case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT:
>        /* Testing circuits may omit guards because they're measuring
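Review bot: the early return for circ->first_hop_from_controller makes a controller-built circuit skip the guard check regardless of purpose, which is the intent; the warning in circuit_build_no_more_hops() is a consistency check rather than an enforcement point, so this silences a false positive instead of loosening path selection. Two small points: reflow the doc comment so "Return true iff <b>circ</b> is allowed to have no guard configured" is not broken mid-clause across two lines, and BUG(!circ) followed by `return 0` is the appropriate defensive choice since every caller passes a live circuit and a NULL here should log loudly rather than crash.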
> @@ -1019,7 +1027,7 @@ circuit_build_no_more_hops(origin_circuit_t *circ)
>    guard_usable_t r;
>    if (! circ->guard_state) {
>      if (circuit_get_cpath_len(circ) != 1 &&
> -        ! circuit_purpose_may_omit_guard(circ->base_.purpose) &&
> +        ! circuit_may_omit_guard(circ) &&
>          get_options()->UseEntryGuards) {
>        log_warn(LD_BUG, "%d-hop circuit %p with purpose %d has no "
>                 "guard state",
> diff --git a/src/core/or/circuitlist.h b/src/core/or/circuitlist.h
> index 3178e6cd0d..bd4a117e26 100644
> --- a/src/core/or/circuitlist.h
> +++ b/src/core/or/circuitlist.h
> @@ -118,7 +118,8 @@
>   * bandwidth measurement, reachability test and address discovery from an
>   * authority using the NETINFO cell. */
>  #define CIRCUIT_PURPOSE_TESTING 21
> -/** A controller made this circuit and Tor should not use it. */
> +/** A controller made this circuit and Tor should not cannibalize it or attach
> + * streams to it without explicitly being told. */
>  #define CIRCUIT_PURPOSE_CONTROLLER 22
>  /** This circuit is used for path bias probing only */
>  #define CIRCUIT_PURPOSE_PATH_BIAS_TESTING 23
> diff --git a/src/core/or/circuituse.c b/src/core/or/circuituse.c
> index 0f3fc29361..059e43ec47 100644
> --- a/src/core/or/circuituse.c
> +++ b/src/core/or/circuituse.c
> @@ -1320,10 +1320,10 @@ circuit_predict_and_launch_new(void)
>      if (router_have_consensus_path() == CONSENSUS_PATH_INTERNAL)
>        flags |= CIRCLAUNCH_IS_INTERNAL;
>  
> -      log_info(LD_CIRC,
> -               "Have %d clean circs need another buildtime test circ.", num);
> -      circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags);
> -      return;
> +    log_info(LD_CIRC,
> +             "Have %d clean circs need another buildtime test circ.", num);
> +    circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags);
> +    return;
>    }
>  }
>  
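Review bot: pure re-indentation of the four lines so they no longer appear to belong to the preceding single-statement `if`; the closing brace and the surrounding block are unchanged, so this resolves the GCC 11.1.1 misleading-indentation warning (bug 40380) without any behavioural change.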
> diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
> index a33c64fe19..7f260ba185 100644
> --- a/src/core/or/connection_edge.c
> +++ b/src/core/or/connection_edge.c
> @@ -2582,6 +2582,16 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
>      tor_assert(addresstype == ONION_V2_HOSTNAME ||
>                 addresstype == ONION_V3_HOSTNAME);
>      tor_assert(!automap);
> +
> +    if (addresstype == ONION_V2_HOSTNAME) {
> +      log_warn(LD_PROTOCOL,
> +               "Warning! You've just connected to a v2 onion address. These "
> +               "addresses are deprecated for security reasons, and are no "
> +               "longer supported in Tor. Please encourage the site operator "
> +               "to upgrade. For more information see "
> +               "https://blog.torproject.org/v2-deprecation-timeline";);
> +    }
> +
>      return connection_ap_handle_onion(conn, socks, circ, addresstype);
>    }
>  
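Review bot: the warning text says v2 addresses "are no longer supported in Tor", but the code then proceeds to connection_ap_handle_onion(), so on this series the connection still goes through; the changelog is more accurate ("0.4.5.x is the last series that will support v2 onions"), and the message should say deprecated and soon to be unsupported, so users and operators reading logs are not misled about what actually happened. Also, log_warn fires on every v2 connection attempt, so an application opening many streams to a v2 service will flood the log; consider the rate-limited variant (log_fn_ratelim with a static ratelim_t) used elsewhere in Tor.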
> diff --git a/src/core/or/origin_circuit_st.h b/src/core/or/origin_circuit_st.h
> index a45a6573dc..c40e84aed8 100644
> --- a/src/core/or/origin_circuit_st.h
> +++ b/src/core/or/origin_circuit_st.h
> @@ -170,6 +170,18 @@ struct origin_circuit_t {
>     * not try to negotiate further circuit padding. */
>    unsigned padding_negotiation_failed : 1;
>  
> +  /**
> +   * If this flag is set, then a controller chose the first hop of this
> +   * circuit's path, and it's okay to ignore checks that we'd usually do
> +   * on this circuit's first hop.
> +   *
> +   * This flag is distinct from the CIRCUIT_PURPOSE_CONTROLLER purpose: the
> +   * purpose indicates _what tor can use the circuit for_.  Controller-created
> +   * circuits can still have the CIRCUIT_PURPOSE_GENERAL purpose if Tor is
> +   * allowed to attach streams to them.
> +   */
> +  unsigned first_hop_from_controller : 1;
> +
>    /**
>     * Tristate variable to guard against pathbias miscounting
>     * due to circuit purpose transitions changing the decision
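Review bot: the new doc comment refers to "the CIRCUIT_PURPOSE_GENERAL purpose", but the identifier used elsewhere in this diff is CIRCUIT_PURPOSE_C_GENERAL (see the circuituse.c hunk); please use the real name so the cross-reference can be grepped. Otherwise separating "who picked the first hop" (this flag) from "what Tor may use the circuit for" (the purpose) is the right model, and the control_cmd.c hunk sets the flag only on the zero_circ path, so controller-extended existing circuits keep their guard checks.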
> diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c
> index 232216c521..82866ea668 100644
> --- a/src/feature/client/entrynodes.c
> +++ b/src/feature/client/entrynodes.c
> @@ -804,9 +804,6 @@ get_sampled_guard_for_bridge(guard_selection_t *gs,
>    entry_guard_t *guard;
>    if (BUG(!addrport))
>      return NULL; // LCOV_EXCL_LINE
> -  if (bridge_has_invalid_transport(bridge)) {
> -    return NULL;
> -  }
>    guard = get_sampled_guard_by_bridge_addr(gs, addrport);
>    if (! guard || (id && tor_memneq(id, guard->identity, DIGEST_LEN)))
>      return NULL;
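Review bot: dropping the bridge_has_invalid_transport() check in get_sampled_guard_for_bridge() resolves the regression (bug 40360: a bridge line with a transport name and no fingerprint could not be used), but this hunk removes a validation without showing where the invalid-transport case is now handled. Please confirm, in the patch description or a comment, that a bridge whose transport has no matching ClientTransportPlugin is still rejected before a connection is attempted (for example at bridge-line parsing or when the guard is selected for use), rather than silently falling through to a direct connection.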
> diff --git a/src/feature/control/control_cmd.c b/src/feature/control/control_cmd.c
> index 5b75c24692..0456d709f5 100644
> --- a/src/feature/control/control_cmd.c
> +++ b/src/feature/control/control_cmd.c
> @@ -819,6 +819,7 @@ handle_control_extendcircuit(control_connection_t *conn,
>    if (zero_circ) {
>      /* start a new circuit */
>      circ = origin_circuit_init(intended_purpose, 0);
> +    circ->first_hop_from_controller = 1;
>    }
>  
>    /* now circ refers to something that is ready to be extended */
> diff --git a/src/feature/hs/hs_cache.c b/src/feature/hs/hs_cache.c
> index c1334a7d27..9c35936748 100644
> --- a/src/feature/hs/hs_cache.c
> +++ b/src/feature/hs/hs_cache.c
> @@ -353,6 +353,31 @@ static digest256map_t *hs_cache_v3_client;
>   * objects all related to a specific service. */
>  static digest256map_t *hs_cache_client_intro_state;
>  
> +#define cache_client_desc_free(val) \
> +  FREE_AND_NULL(hs_cache_client_descriptor_t, cache_client_desc_free_, (val))
> +
> +/** Free memory allocated by <b>desc</b>. */
> +static void
> +cache_client_desc_free_(hs_cache_client_descriptor_t *desc)
> +{
> +  if (desc == NULL) {
> +    return;
> +  }
> +  hs_descriptor_free(desc->desc);
> +  memwipe(&desc->key, 0, sizeof(desc->key));
> +  memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc));
> +  tor_free(desc->encoded_desc);
> +  tor_free(desc);
> +}
> +
> +/** Helper function: Use by the free all function to clear the client cache */
> +static void
> +cache_client_desc_free_void(void *ptr)
> +{
> +  hs_cache_client_descriptor_t *desc = ptr;
> +  cache_client_desc_free(desc);
> +}
> +
>  /** Return the size of a client cache entry in bytes. */
>  static size_t
>  cache_get_client_entry_size(const hs_cache_client_descriptor_t *entry)
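Review bot: this block is a pure relocation of cache_client_desc_free_() and cache_client_desc_free_void() to above their first use (the identical block is deleted further down in this file), so there is no behavioural change. While it moves, fix the comment "Helper function: Use by the free all function" to "Used by", and note that memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc)) assumes encoded_desc is non-NULL; if every constructor path guarantees that, a tor_assert(desc->encoded_desc) would document the invariant the wipe relies on.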
> @@ -390,7 +415,18 @@ remove_v3_desc_as_client(const hs_cache_client_descriptor_t *desc)
>  static void
>  store_v3_desc_as_client(hs_cache_client_descriptor_t *desc)
>  {
> +  hs_cache_client_descriptor_t *cached_desc;
> +
>    tor_assert(desc);
> +
> +  /* Because the lookup function doesn't return an expired entry, it can linger
> +   * in the cache until we clean it up or a new descriptor is stored. So,
> +   * before adding, we'll make sure we are not overwriting an old descriptor
> +   * (which is OK in terms of semantic) but leads to memory leak. */
> +  cached_desc = digest256map_get(hs_cache_v3_client, desc->key.pubkey);
> +  if (cached_desc) {
> +    cache_client_desc_free(cached_desc);
> +  }
>    digest256map_set(hs_cache_v3_client, desc->key.pubkey, desc);
>    /* Update cache size with this entry for the OOM handler. */
>    rend_cache_increment_allocation(cache_get_client_entry_size(desc));
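Review bot: freeing the stale entry before digest256map_set() plugs the leak (bug 40356), but the OOM accounting is now asymmetric within this hunk: rend_cache_increment_allocation() is called for the new entry, while nothing subtracts the size of the cached_desc being freed, so the tracked cache size drifts upward by one entry on every overwrite. The hunk header shows a remove_v3_desc_as_client() function exists; routing the stale entry through it (or its decrement) instead of calling cache_client_desc_free() directly would keep the bookkeeping balanced.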
> @@ -473,31 +509,6 @@ cache_client_desc_new(const char *desc_str,
>    return client_desc;
>  }
>  
> -#define cache_client_desc_free(val) \
> -  FREE_AND_NULL(hs_cache_client_descriptor_t, cache_client_desc_free_, (val))
> -
> -/** Free memory allocated by <b>desc</b>. */
> -static void
> -cache_client_desc_free_(hs_cache_client_descriptor_t *desc)
> -{
> -  if (desc == NULL) {
> -    return;
> -  }
> -  hs_descriptor_free(desc->desc);
> -  memwipe(&desc->key, 0, sizeof(desc->key));
> -  memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc));
> -  tor_free(desc->encoded_desc);
> -  tor_free(desc);
> -}
> -
> -/** Helper function: Use by the free all function to clear the client cache */
> -static void
> -cache_client_desc_free_void(void *ptr)
> -{
> -  hs_cache_client_descriptor_t *desc = ptr;
> -  cache_client_desc_free(desc);
> -}
> -
>  /** Return a newly allocated and initialized hs_cache_intro_state_t object. */
>  static hs_cache_intro_state_t *
>  cache_intro_state_new(void)
> diff --git a/src/lib/fs/path.c b/src/lib/fs/path.c
> index c2fdddb9db..81960bd69a 100644
> --- a/src/lib/fs/path.c
> +++ b/src/lib/fs/path.c
> @@ -571,6 +571,19 @@ wrap_closedir(void *arg)
>  {
>    closedir(arg);
>  }
> +
> +/** Function passed to glob to handle processing errors. <b>epath</b> is the
> + * path that caused the error and <b>eerrno</b> is the errno set by the
> + * function that failed. We want to ignore ENOENT and ENOTDIR because, in BSD
> + * systems, these are not ignored automatically, which makes glob fail when
> + * globs expand to non-existing paths and GLOB_ERR is set.
> + */
> +static int
> +glob_errfunc(const char *epath, int eerrno)
> +{
> +    (void)epath;
> +    return eerrno == ENOENT || eerrno == ENOTDIR ? 0 : -1;
> +}
>  #endif /* defined(HAVE_GLOB) */
>  
>  /** Return a new list containing the paths that match the pattern
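Review bot: glob_errfunc() uses 4-space indentation while the surrounding file uses 2 (compare `closedir(arg);` just above); please match. The logic is right: with GLOB_ERR dropped in the tor_glob() hunk below, a 0 return from the error callback lets glob() continue past ENOENT/ENOTDIR components, and -1 still aborts on anything else (EACCES, EIO), so permission errors are not silently swallowed. Parenthesising the condition, `(eerrno == ENOENT || eerrno == ENOTDIR) ? 0 : -1`, would make the precedence obvious to the next reader.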
> @@ -591,7 +604,7 @@ tor_glob(const char *pattern)
>    tor_free(pattern_normalized);
>  #elif HAVE_GLOB /* !(defined(_WIN32)) */
>    glob_t matches;
> -  int flags = GLOB_ERR | GLOB_NOSORT;
> +  int flags = GLOB_NOSORT;
>  #ifdef GLOB_ALTDIRFUNC
>    /* use functions that call sandbox_intern_string */
>    flags |= GLOB_ALTDIRFUNC;
> @@ -604,7 +617,10 @@ tor_glob(const char *pattern)
>    matches.gl_stat = &prot_stat;
>    matches.gl_lstat = &prot_lstat;
>  #endif /* defined(GLOB_ALTDIRFUNC) */
> -  int ret = glob(pattern, flags, NULL, &matches);
> +  // use custom error handler to workaround BSD quirks and do not set GLOB_ERR
> +  // because it would make glob fail on error even if the error handler ignores
> +  // the error
> +  int ret = glob(pattern, flags, glob_errfunc, &matches);
>    if (ret == GLOB_NOMATCH) {
>      return smartlist_new();
>    } else if (ret != 0) {
> diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
> index 168dfd943c..fc90dbe062 100644
> --- a/src/lib/sandbox/sandbox.c
> +++ b/src/lib/sandbox/sandbox.c
> @@ -1608,6 +1608,28 @@ add_noparam_filter(scmp_filter_ctx ctx)
>      }
>    }
>  
> +  if (is_libc_at_least(2, 33)) {
> +#ifdef __NR_newfstatat
> +    // Libc 2.33 uses this syscall to implement both fstat() and stat().
> +    //
> +    // The trouble is that to implement fstat(fd, &st), it calls:
> +    //     newfstatat(fs, "", &st, AT_EMPTY_PATH)
> +    // We can't detect this usage in particular, because "" is a pointer
> +    // we don't control.  And we can't just look for AT_EMPTY_PATH, since
> +    // AT_EMPTY_PATH only has effect when the path string is empty.
> +    //
> +    // So our only solution seems to be allowing all fstatat calls, which
> +    // means that an attacker can stat() anything on the filesystem. That's
> +    // not a great solution, but I can't find a better one.
> +    rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat));
> +    if (rc != 0) {
> +      log_err(LD_BUG,"(Sandbox) failed to add newfstatat() syscall; "
> +          "received libseccomp error %d", rc);
> +      return rc;
> +    }
> +#endif
> +  }
> +
>    return 0;
>  }
>  
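Review bot: this is a deliberate widening of the seccomp policy (any path can now be stat()ed through newfstatat), and the inline comment is candid about it; since it changes what the Sandbox option promises, it should also be reflected in the Sandbox documentation, not only in ticket 40382. Two details: the comment example `newfstatat(fs, "", &st, AT_EMPTY_PATH)` should read `fd`, not `fs`; and the rule is keyed on __NR_newfstatat alone, so it is worth checking whether any 32-bit target where the sandbox is enabled needs the equivalent fstatat64 rule, otherwise the glibc 2.33 breakage would remain there.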
> diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h
> index 9a138c0928..06e6ad8ff7 100644
> --- a/src/win32/orconfig.h
> +++ b/src/win32/orconfig.h
> @@ -217,7 +217,7 @@
>  #define USING_TWOS_COMPLEMENT
>  
>  /* Version number of package */
> -#define VERSION "0.4.5.7"
> +#define VERSION "0.4.5.8"
>  
>  #define HAVE_STRUCT_SOCKADDR_IN6
>  #define HAVE_STRUCT_IN6_ADDR


-- 
Sebastian Ramacher
