critical bug in all versions of TorChat in Ubuntu
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| torchat (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Oneiric | Fix Released | Undecided | Unassigned | |
| Precise | Fix Released | Undecided | Unassigned | |
| Quantal | Fix Released | Undecided | Unassigned | |
Bug Description
I am the upstream programmer of this package. A horrible bug has come to my attention (I never tested the Ubuntu version myself, I use only my original upstream version, so I only discovered it after having been asked by other users about this strange behavior).
torchat-0.9.9.550-1 contains the following patch, which was invented by the maintainer:
use-system-
Author: Dererk <email address hidden>
Date: 2011-04-17
Description: Use system socksipy library and fix release versions
Index: torchat-
=======
--- torchat-
+++ torchat-
@@ -17,7 +17,7 @@
# This is the TorChat client library. Import this module, make an instance
# of BuddyList, give it your call-back function and your client is running.
-import SocksiPy.socks as socks
+import socks
import socket
import threading
import random
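Review bot: the import swap itself is harmless (the reporter confirms it works), but after this hunk `socks` is resolved through the interpreter's normal module search instead of the bundled `SocksiPy.socks`, so the package must declare a dependency on the system python-socksipy package and that module has to expose the same interface the bundled copy did; otherwise the client fails at import time on systems where the package is missing.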
@@ -29,7 +29,6 @@
import tempfile
import hashlib
import config
-import version
TORCHAT_PORT = 11009 #do NOT change this.
TOR_CONFIG = "tor" #the name of the active section in the .ini file
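Review bot: removing `import version` here deletes the symbol without this hunk showing what replaces its uses; every `version.` reference that remains in the module becomes a NameError when reached, which is what forced the rewrite of sendVersion further down. Per the reporter, version.py already falls back to version_cached.py when no .svn directory is present, so the cleaner change is to keep this import and drop the version hunks.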
@@ -192,7 +191,7 @@
- self.version = ""
+ self.version = "0.9.9.550"
self.timer = False
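Review bot: `self.version` on a Buddy instance holds the version string that this peer later announces (the incoming version message overwrites it), so seeding it with "0.9.9.550" does not set the local client's version; it only makes a peer that never sent a version message look like 0.9.9.550. This line should stay `self.version = ""`.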
@@ -506,9 +505,9 @@
def sendVersion(self):
if self.isAlreadyP
- msg = ProtocolMsg_
+ msg = ProtocolMsg_
- msg = ProtocolMsg_
+ msg = ProtocolMsg_
else:
print "(2) not connected, not sending version to %s" % self.address
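Review bot: the two replaced message constructions in sendVersion are where the information leak is introduced. With `import version` removed in the earlier hunk, the version-like values in scope here are the Buddy's own fields, and the reporter states the rewritten lines send the user's local alias (`self.name`) where version.NAME was sent and the peer's own announced version (`self.version`) where version.VERSION was sent. The `client` and `version` messages built here must come from version.NAME and version.VERSION; revert these four lines together with the import removal.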
Index: torchat-
=======
--- torchat-
+++ torchat-
@@ -25,7 +25,6 @@
import time
import subprocess
import textwrap
-import version
import dlg_settings
import translations
import tc_notification
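Review bot: same concern as in the library module: dropping `import version` in the GUI module is only safe if every remaining `version.` use in this file is replaced, and the only other hunk in this file touches onAbout.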
@@ -379,8 +378,8 @@
def onAbout(self, evt):
- wx.MessageBox(
- "svn":version.
+ wx.MessageBox(
+ "svn":"530",
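Review bot: the hardcoded svn value "530" in onAbout disagrees with the "0.9.9.550" literal hardcoded in the library hunk, so the About box and the rest of the client would report different revisions; reading both from one cached source (the reporter points to version_cached.py) keeps the two from drifting apart.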
This patch introduces a dangerous security problem: it interferes with the network protocol and the inner workings of TorChat and makes TorChat broadcast private information to other buddies.
Reason:
======
The intention of this patch is to achieve two things:
* use socks.py from the python-socksipy package instead of the bundled one
* disable the detection of SVN revision and hardcode the version number
The first thing (socksipy) is only the very first lines:
-import SocksiPy.socks as socks
+import socks
This is all that is needed and this works OK, no problems here.
The second thing is the version number. The correct way to solve this would have been to do *nothing* (no patch) at all, because there *is* no problem to solve in the first place: it was already programmed in such a way that it would detect on its own that it is not running from within an SVN repository folder, and therefore it would not cause any problems at all. This patch actually intends to solve a non-problem.
What the patch is trying to do is to remove all references to version.py and hardcode the version number somewhere in the code, but it is patching totally *unrelated* things!
* In the Buddy() class it is patching the field self.version. This has no effect at all because this field will later contain the received version message from the buddy it connects to. It has absolutely nothing to do with the *own* version.
* In def sendVersion(self) it is getting really ugly: when it is trying to broadcast its version.VERSION and version.NAME, which would normally result in two protocol messages to be sent:
client TorChat
version 0.9.9.550
it now does the following: instead of sending the software name ("TorChat") from version.NAME it will send buddy.name, which is the local alias of that buddy. This is a descriptive name the user assigns to the buddy; it could be something like "my stupid boss", something one certainly doesn't want to broadcast to the buddy in question. And instead of sending version.VERSION it will now send buddy.version, which is the version that it previously received from that buddy. It's now echoing back the version number, which is also plain wrong.
Solution
=======
Remove this patch entirely; it serves no purpose. version.py is clever enough to detect the absence of the .svn directory on its own and will then automatically use the contents of version_cached.py. This is the same mechanism that is used for the Windows release and for my own .deb release; it has been programmed to do this automatically, there is no need for a patch at all. The only thing in this patch that does no harm is the first two lines regarding socksipy.
Severity
======
This is a critical bug: it reveals private information and it impacts the credibility of TorChat in general, and it also makes people doubt my own programming skills (and/or my intentions) because it still has my name written in the about box, although after this horrible nonsense-patch I would rather not have anything to do with it.
Please change this in oneiric, precise (and the new one with q, can't remember its name now)
The author of this patch (the email address contained in this patch) was also notified, but I have not heard anything from him anymore and Ubuntu is still distributing these broken packages. Please fix this ASAP.
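The leak described in the report, modelled as an added example that is not TorChat's own code: a minimal `Buddy` with the upstream `sendVersion` next to a `PatchedBuddy` that behaves the way the reporter says the Ubuntu patch does, and an `audit_outbound` check a packager could run over the outbound messages before shipping. The class and field names (`Buddy`, `sendVersion`, `version.NAME`, `version.VERSION`, `Buddy.name`, `Buddy.version`) and the two-message `client` / `version` exchange follow the report; the `version` stand-in class, the `peer_announced` field, the `audit_outbound` and `handshake` helpers, the in-memory transport and the sample alias and address are assumptions constructed for this example, and the code is Python 3 rather than the Python 2 of the original.

```python
# Added illustration, not TorChat's code. The socket is replaced by an
# in-memory list of (command, payload) pairs so the exchange runs offline.

class version:
    """Stand-in for upstream version.py (assumption: constants NAME and VERSION,
    normally filled from version_cached.py when no .svn directory exists)."""
    NAME = "TorChat"
    VERSION = "0.9.9.550"


class Buddy:
    """One remote peer as the local client sees it (upstream behaviour)."""

    def __init__(self, address, name):
        self.address = address
        self.name = name            # the user's private alias for this peer
        self.version = ""           # filled in later by the peer's own 'version' message
        self.peer_announced = None  # assumed helper field: what the peer really sent
        self.sent = []              # outbound (command, payload) pairs; stands in for the socket

    def onVersion(self, payload):
        # The peer's incoming 'version' message is stored on the Buddy object.
        self.version = payload
        self.peer_announced = payload

    def sendVersion(self):
        # Correct: announce *our* software name and version from version.py.
        self.sent.append(("client", version.NAME))
        self.sent.append(("version", version.VERSION))


class PatchedBuddy(Buddy):
    """Behaviour after the Ubuntu patch, as the reporter describes it."""

    def __init__(self, address, name):
        super().__init__(address, name)
        self.version = "0.9.9.550"   # the patch seeds the *peer's* field with a literal

    def sendVersion(self):
        # With `import version` removed, the rewritten lines read the Buddy's
        # own fields: the local alias goes out as the client name and the
        # version the peer announced is echoed straight back to it.
        self.sent.append(("client", self.name))
        self.sent.append(("version", self.version))


def audit_outbound(buddy):
    """Return the set of problems found in a buddy's outbound messages.

    'alias_leaked'   -- the user's private alias appears in some payload
    'version_echoed' -- our 'version' payload equals what the peer announced
    """
    problems = set()
    for command, payload in buddy.sent:
        if buddy.name and buddy.name in payload:
            problems.add("alias_leaked")
        if (command == "version" and buddy.peer_announced is not None
                and payload == buddy.peer_announced):
            problems.add("version_echoed")
    return problems


def handshake(cls, peer_version="0.9.8"):
    """Constructed exchange: the peer announces its version (if any), then we send ours."""
    buddy = cls("exampleaddress00", "my stupid boss")   # constructed address and alias
    if peer_version is not None:
        buddy.onVersion(peer_version)
    buddy.sendVersion()
    return buddy


if __name__ == "__main__":
    for cls in (Buddy, PatchedBuddy):
        b = handshake(cls)
        print(cls.__name__, b.sent, sorted(audit_outbound(b)))
```

Running the block prints the two outbound messages for each variant: the upstream `Buddy` sends `TorChat` / `0.9.9.550` and passes the audit, while `PatchedBuddy` sends the alias `my stupid boss` as the client name and echoes `0.9.8` back, which the audit flags as `alias_leaked` and `version_echoed`. The same audit is what a packager would want to run against a patched build before upload: any outbound payload that contains a field the user typed locally is a defect, whatever the patch intended.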
Changed in torchat (Ubuntu Precise): status: Fix Committed → Fix Released
Changed in torchat (Ubuntu Oneiric): status: Fix Committed → Fix Released
It seems it has been fixed in Debian; how about updating them in Ubuntu?
This is a major show-stopper bug and a security problem, and the fix is easy: just use the new Debian package. You can use the same package for Precise and for Oneiric. Why no reaction from Ubuntu, why keep broken packages in the repository?