New Tor stable releases (0.2.8.15, 0.2.9.12, 0.3.0.11) with fix for onion service security issue

by nickm | September 18, 2017

Hello! We found a security issue in the onion service code (CVE-2017-0380, TROVE-2017-008) that can cause sensitive information to be written to your logs if you have set the SafeLogging option to 0. If you are not running an onion service, or you have not changed the SafeLogging option from its default, you are not affected. If you are running 0.2.5, you are not affected. (0.2.4, 0.2.6, and 0.2.7 are no longer supported.) For more information, including workaround steps, see the advisory.

Because of this issue, we have released new Tor versions in the 0.2.8, 0.2.9, and 0.3.0 series. If you build Tor from source, you will find the source code for these releases at https://dist.torproject.org/. Packages should be available over the coming days -- in the meantime, please see the advisory linked above for information on working around this issue.

The release series 0.3.1.x has also become stable today; I'll announce that in a separate post.

Below are the changelog entries for the new releases mentioned in this email:

Tor 0.2.8.15 backports a collection of bugfixes from later Tor series.

Most significantly, it includes a fix for TROVE-2017-008, a security bug that affects onion services running with the SafeLogging option disabled. For more information, see https://trac.torproject.org/projects/tor/ticket/23490

Note that Tor 0.2.8.x will no longer be supported after 1 Jan 2018. We suggest that you upgrade to the latest stable release if possible. If you can't, we recommend that you upgrade at least to 0.2.9, which will be supported until 2020.

Changes in version 0.2.8.15 - 2017-09-18

  • Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    • Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xx" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
  • Minor features:
    • Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 Country database.
  • Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    • Backport a fix for an "unused variable" warning that appeared in some versions of mingw. Fixes bug 22838; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
    • Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591.
  • Build features (backport from 0.3.1.5-alpha):
    • Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636.

Tor 0.2.9.12 backports a collection of bugfixes from later Tor series.

Most significantly, it includes a fix for TROVE-2017-008, a security bug that affects onion services running with the SafeLogging option disabled. For more information, see https://trac.torproject.org/projects/tor/ticket/23490

Changes in version 0.2.9.12 - 2017-09-18

  • Major features (security, backport from 0.3.0.2-alpha):
    • Change the algorithm used to decide DNS TTLs on client and server side, to better resist DNS-based correlation attacks like the DefecTor attack of Greschbach, Pulls, Roberts, Winter, and Feamster. Now relays only return one of two possible DNS TTL values, and clients are willing to believe DNS TTL values up to 3 hours long. Closes ticket 19769.
  • Major bugfixes (crash, directory connections, backport from 0.3.0.5-rc):
    • Fix a rare crash when sending a begin cell on a circuit whose linked directory connection had already been closed. Fixes bug 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
  • Major bugfixes (DNS, backport from 0.3.0.2-alpha):
    • Fix a bug that prevented exit nodes from caching DNS records for more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
  • Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
    • Fix a typo that had prevented TPROXY-based transparent proxying from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha. Patch from "d4fq0fQAgoJ".
  • Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    • Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xx" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
  • Minor features (code style, backport from 0.3.1.3-alpha):
    • Add "Falls through" comments to our codebase, in order to silence GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas Stieger. Closes ticket 22446.
  • Minor features (geoip):
    • Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 Country database.
  • Minor bugfixes (bandwidth accounting, backport from 0.3.1.1-alpha):
    • Roll over monthly accounting at the configured hour and minute, rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1. Found by Andrey Karpov with PVS-Studio.
  • Minor bugfixes (compilation, backport from 0.3.1.5-alpha):
    • Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915; bugfix on 0.2.8.1-alpha.
    • Fix warnings when building with libscrypt and openssl scrypt support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    • When building with certain versions the mingw C header files, avoid float-conversion warnings when calling the C functions isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (compilation, backport from 0.3.1.7):
    • Avoid compiler warnings in the unit tests for running tor_sscanf() with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
  • Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    • Backport a fix for an "unused variable" warning that appeared in some versions of mingw. Fixes bug 22838; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (controller, backport from 0.3.1.7):
    • Do not crash when receiving a HSPOST command with an empty body. Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    • Do not crash when receiving a POSTDESCRIPTOR command with an empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
  • Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
    • Avoid Coverity build warnings related to our BUG() macro. By default, Coverity treats BUG() as the Linux kernel does: an instant abort(). We need to override that so our BUG() macro doesn't prevent Coverity from analyzing functions that use it. Fixes bug 23030; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
    • Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591.
  • Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
    • When setting the maximum number of connections allowed by the OS, always allow some extra file descriptors for other files. Fixes bug 22797; bugfix on 0.2.0.10-alpha.
  • Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
    • Avoid a sandbox failure when trying to re-bind to a socket and mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
  • Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
    • Permit the fchmod system call, to avoid crashing on startup when starting with the seccomp2 sandbox and an unexpected set of permissions on the data directory or its contents. Fixes bug 22516; bugfix on 0.2.5.4-alpha.
  • Minor bugfixes (relay, backport from 0.3.0.5-rc):
    • Avoid a double-marked-circuit warning that could happen when we receive DESTROY cells under heavy load. Fixes bug 20059; bugfix on 0.1.0.1-rc.
  • Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
    • Reject version numbers with non-numeric prefixes (such as +, -, or whitespace). Disallowing whitespace prevents differential version parsing between POSIX-based and Windows platforms. Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.
  • Build features (backport from 0.3.1.5-alpha):
    • Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636.

Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1 series.

Most significantly, it includes a fix for TROVE-2017-008, a security bug that affects onion services running with the SafeLogging option disabled. For more information, see https://trac.torproject.org/projects/tor/ticket/23490

Changes in version 0.3.0.11 - 2017-09-18

  • Minor features (code style, backport from 0.3.1.7):
    • Add "Falls through" comments to our codebase, in order to silence GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas Stieger. Closes ticket 22446.
  • Minor features:
    • Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 Country database.
  • Minor bugfixes (compilation, backport from 0.3.1.7):
    • Avoid compiler warnings in the unit tests for calling tor_sscanf() with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
  • Minor bugfixes (controller, backport from 0.3.1.7):
    • Do not crash when receiving a HSPOST command with an empty body. Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    • Do not crash when receiving a POSTDESCRIPTOR command with an empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
  • Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
    • When setting the maximum number of connections allowed by the OS, always allow some extra file descriptors for other files. Fixes bug 22797; bugfix on 0.2.0.10-alpha.
  • Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
    • Remove a forgotten debugging message when an introduction point successfully establishes an onion service prop224 circuit with a client.
    • Change three other log_warn() for an introduction point to protocol warnings, because they can be failure from the network and are not relevant to the operator. Fixes bug 23078; bugfix on 0.3.0.1-alpha and 0.3.0.2-alpha.

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

September 19, 2017

Permalink

"(0.2.4, 0.2.6, and 0.2.7 are no longer supported.)"

There are a lot of Relays with these version numbers. What
does that mean?

These are old systems that may be vulnerable for some attacks. As far as I know, version 0.2.9.12 is the last one that successfully compiles with gcc-3 . It is strongly recommended to update.