[SRU] Tor 0.2.9.14 and 0.3.0.13

The attachment "tor-16.04.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Thanks for providing these debdiffs.

Since they contain changes unrelated to the CVE-2017-0380 fix, please go through the SRU process as detailed here:

https://wiki.ubuntu.com/StableReleaseUpdates

Once the new packages have made their way to -updates, we can then rebuild them for the -security pocket if required.

I am unsubscribing ubuntu-security-sponsors for now.

Alternatively, you may submit debdiffs that only contain the required fix for CVE-2017-0380, and resubscribe ubuntu-security-sponsors. Thank you.

The -v2 debdiffs now target -updates, -security will be handled later on.

Status changed to 'Confirmed' because the bug affects multiple users.

Even newer versions with security fixes have since been released:

https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516

Sorry about the delay. I've added the tasks for Xenial and Artful. We're going to ignore Zesty due to its EOL.

@Simon are you planning on bumping those to the releases that have been released since?

If so, I'll wait a bit before uploading those, if not, let me know and I'll upload those.

I wasn't sure how you wanted to proceed but since you offered to wait, I'll prepare new debdiffs for Xenial and Artful based on the new Tor versions.

@Stéphane, here are the 2 new debdiffs.

Oh, I'm not subscribed to this bug, that's why I keep missing notifications :)

Simon: Any chance you can update the debdiffs to have changelogs which include the previous upload?

Without that, some of the update tools will be a bit confused. That's not an issue for the dev release, but for SRUs it's preferable to only add to the changelog, not remove entries.

Also you appear to have missed running update-maintainer :)

Thanks for the feedback, please find the 2 new debdiffs with your suggestions applied.

Hello Simon, or anyone else affected,

Accepted tor into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tor/0.2.9.14-1ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Simon, or anyone else affected,

Accepted tor into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tor/0.3.0.13-0ubuntu1~17.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Works here on xenial.

@Otus, many thanks for verifying on Xenial.

The SRU verification process [1] now requires to provide a brief
description of how the bug fix was verified. Would you be so kind to do
it, please? I generally give the "dpkg -l | grep tor" output to confirm
the right package version was tested and mention that I successfully
went through the reproduction steps as outlined in the bug description.

If you get a chance to test on Artful that would be nice otherwise I'll
try to do it myself as time permits.

1: https://wiki.ubuntu.com/StableReleaseUpdates#Verification

Sure, below are the steps I did. However, I do not have an artful system to test on so I'll leave that to someone else.

$ dpkg -l | grep ' tor '
ii tor 0.2.9.14-1ubuntu1~16.04.1 amd64 anonymizing overlay network for TCP

$ torsocks wget -qO - https://ifconfig.co
65.19.167.xxx

$ wget -qO - https://ifconfig.co
88.193.200.xxx

I also checked that the old version warning disappeared from atlas.torproject.org regarding my relay and that traffic continued to be relayed for a few hours.

Verified on artful:

$ dpkg -l tor tor-geoipdb | grep ^ii
ii tor 0.3.0.13-0ubuntu1~17.10.1 amd64 anonymizing overlay network for TCP
ii tor-geoipdb 0.3.0.13-0ubuntu1~17.10.1 all GeoIP database for Tor

$ torsocks wget -qO - https://ifconfig.co
51.15.53.83

This bug was fixed in the package tor - 0.2.9.14-1ubuntu1~16.04.1

---------------
tor (0.2.9.14-1ubuntu1~16.04.1) xenial; urgency=medium

  [ Peter Palfrader ]
  * apparmor: use Pix instead of PUx for obfs4proxy, giving us
    better confinement of the child process while actually working
    with systemd's NoNewPrivileges. (closes: #867342)
  * Do not rely on aa-exec and aa-enabled being in /usr/sbin in the
    SysV init script. This change enables apparmor confinement
    on some system-V systems again. (closes: #869153)
  * Update apparmor profile: replace CAP_DAC_OVERRIDE with
    CAP_DAC_READ_SEARCH to match the systemd capability bounding set
    changed with 0.3.0.4-rc-1. This change will allow tor to start
    again under apparmor if hidden services are configured.
    Patch by intrigeri. (closes: #862993)
  * Replace CAP_DAC_OVERRIDE with CAP_DAC_READ_SEARCH in systemd's service
    capability bounding set. Read access is sufficient for Tor (as root on
    startup) to check its onion service directories (see #847598).
  * Change "AppArmorProfile=system_tor" to AppArmorProfile=-system_tor,
    causing all errors while switching to the new apparmor profile to
    be ignored. This is not ideal, but for now it's probably the
    best solution. Thanks to intrigeri; closes: #880490.

  [ Simon Deziel ]
  * Backport 0.2.9.14 to 16.04 (LP: #1731698)
  * debian/rules: stop overriding micro-revision.i
  * debian/control: drop build-conflicts
  * debian/control: Limit the seccomp build-dependency to [amd64 i386 x32 armel armhf]
  * Resync with Debian Stretch

tor (0.2.9.14-1) stretch-security; urgency=medium

  * New upstream version, including among others:
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha...

The verification of the Stable Release Update for tor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package tor - 0.3.0.13-0ubuntu1~17.10.1

---------------
tor (0.3.0.13-0ubuntu1~17.10.1) artful; urgency=medium

  [ Peter Palfrader ]
  * Change "AppArmorProfile=system_tor" to AppArmorProfile=-system_tor,
    causing all errors while switching to the new apparmor profile to
    be ignored. This is not ideal, but for now it's probably the
    best solution. Thanks to intrigeri; closes: #880490.

  [ Simon Deziel ]
  * New upstream version: 0.3.0.13 (LP: #1731698)
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  * New upstream version: 0.3.0.12
    - Directory authority changes
  * New upstream version: 0.3.0.11
    - Fix TROVE-2017-008: Stack disclosure in hidden services logs when
      SafeLogging disabled (CVE-2017-0380)
  * debian/rules: stop overriding micro-revision.i

tor (0.3.0.10-2) UNRELEASED; urgency=medium

  * apparmor: use Pix instead of PUx for obfs4proxy, giving us
    better confinement of the child process while actually working
    with systemd's NoNewPrivileges. (closes: #867342)
  * Drop versioned dependency on binutils. The version is already
    newer in all supported Debian and Ubuntu trees, and binutils
    is in the transitive dependency set of build-essentia...

Thanks Simon!