Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
I would like to update Tor in bullseye from 0.4.5.7-1 to 0.4.5.8-1.
Tor 0.4.5.8 is an upstream stable release.
unblock tor/0.4.5.8-1
Please let me know if I may upload to unstable.
An upstream diff is attached. I cut the geoip databases and the fallback
directory mirror lists. The ./debian/ diff is expected to contain only an
update to the changelog. It does not yet exist, but I can provide it
when needed.
The upstream changelog entry follows.
Cheers,
} Changes in version 0.4.5.8 - 2021-05-10
} Tor 0.4.5.8 fixes several bugs in earlier versions, backporting fixes
} from the 0.4.6.x series.
}
} o Minor features (compatibility, Linux seccomp sandbox, backport
} from 0.4.6.3-rc):
} - Add a workaround to enable the Linux sandbox to work correctly
} with Glibc 2.33. This version of Glibc has started using the
} fstatat() system call, which previously our sandbox did not allow.
} Closes ticket 40382; see the ticket for a discussion of trade-offs.
}
} o Minor features (compilation, backport from 0.4.6.3-rc):
} - Make the autoconf script build correctly with autoconf versions
} 2.70 and later. Closes part of ticket 40335.
}
} o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
} - Regenerate the list of fallback directories to contain a new set
} of 200 relays. Closes ticket 40265.
}
} o Minor features (geoip data):
} - Update the geoip files to match the IPFire Location Database, as
} retrieved on 2021/05/07.
}
} o Minor features (onion services):
} - Add warning message when connecting to now deprecated v2 onion
} services. As announced, Tor 0.4.5.x is the last series that will
} support v2 onions. Closes ticket 40373.
}
} o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
} - Fix a regression that made it impossible to start Tor using a bridge
} line with a transport name and no fingerprint. Fixes bug 40360;
} bugfix on 0.4.5.4-rc.
}
} o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
} - Allow a custom "ar" for cross-compilation. Our previous build
} script had used the $AR environment variable in most places, but
} it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
}
} o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
} - Fix a non-fatal BUG() message due to a too-early free of a string,
} when listing a client connection from the DoS defenses subsystem.
} Fixes bug 40345; bugfix on 0.4.3.4-rc.
}
} o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
} - Fix an indentation problem that led to a warning from GCC 11.1.1.
} Fixes bug 40380; bugfix on 0.3.0.1-alpha.
}
} o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
} - Fix a "BUG" warning that would appear when a controller chooses
} the first hop for a circuit, and that circuit completes. Fixes bug
} 40285; bugfix on 0.3.2.1-alpha.
}
} o Minor bugfixes (onion service, client, memory leak, backport from
} 0.4.6.3-rc):
} - Fix a bug where an expired cached descriptor could get overwritten
} with a new one without freeing it, leading to a memory leak. Fixes
} bug 40356; bugfix on 0.3.5.1-alpha.
}
} o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
} - Fix pattern-matching errors when patterns expand to invalid paths
} on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
} Daniel Pinto.
--
Peter Palfrader | https://www.palfrader.org/
Debian: The universal operating system | https://www.debian.org/
diff --git a/ChangeLog b/ChangeLog
index a2052fa55f..1c3cbdc82f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,65 @@
+Changes in version 0.4.5.8 - 2021-05-10
+ Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
+ from the 0.4.6.x series.
+
+ o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
+ - Add a workaround to enable the Linux sandbox to work correctly
+ with Glibc 2.33. This version of Glibc has started using the
+ fstatat() system call, which previously our sandbox did not allow.
+ Closes ticket 40382; see the ticket for a discussion of trade-offs.
+
+ o Minor features (compilation, backport from 0.4.6.3-rc):
+ - Make the autoconf script build correctly with autoconf versions
+ 2.70 and later. Closes part of ticket 40335.
+
+ o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
+ - Regenerate the list of fallback directories to contain a new set
+ of 200 relays. Closes ticket 40265.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/05/07.
+
+ o Minor features (onion services):
+ - Add warning message when connecting to now deprecated v2 onion
+ services. As announced, Tor 0.4.5.x is the last series that will
+ support v2 onions. Closes ticket 40373.
+
+ o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
+ - Fix a regression that made it impossible start Tor using a bridge
+ line with a transport name and no fingerprint. Fixes bug 40360;
+ bugfix on 0.4.5.4-rc.
+
+ o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
+ - Allow a custom "ar" for cross-compilation. Our previous build
+ script had used the $AR environment variable in most places, but
+ it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
+
+ o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
+ - Fix a non-fatal BUG() message due to a too-early free of a string,
+ when listing a client connection from the DoS defenses subsystem.
+ Fixes bug 40345; bugfix on 0.4.3.4-rc.
+
+ o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
+ - Fix an indentation problem that led to a warning from GCC 11.1.1.
+ Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
+ - Fix a "BUG" warning that would appear when a controller chooses
+ the first hop for a circuit, and that circuit completes. Fixes bug
+ 40285; bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc):
+ - Fix a bug where an expired cached descriptor could get overwritten
+ with a new one without freeing it, leading to a memory leak. Fixes
+ bug 40356; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
+ - Fix pattern-matching errors when patterns expand to invalid paths
+ on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
+ Daniel Pinto.
+
+
Changes in version 0.4.5.7 - 2021-03-16
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
versions of Tor.
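Review bot: two grammar slips in the new changelog text: "fixes several bugs in earlier version" should read "earlier versions", and "made it impossible start Tor" should read "impossible to start Tor". Cosmetic only, but this text is what ends up in the release notes.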
diff --git a/configure.ac b/configure.ac
index 0f2d6567e1..621fbd1612 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc.
dnl See LICENSE for licensing information
AC_PREREQ([2.63])
-AC_INIT([tor],[0.4.5.7])
+AC_INIT([tor],[0.4.5.8])
AC_CONFIG_SRCDIR([src/app/main/tor_main.c])
AC_CONFIG_MACRO_DIR([m4])
@@ -16,7 +16,7 @@ configure_flags="$*"
# version number changes. Tor uses it to make sure that it
# only shuts down for missing "required protocols" when those protocols
# are listed as required by a consensus after this date.
-AC_DEFINE(APPROX_RELEASE_DATE, ["2021-03-15"], # for 0.4.5.7
+AC_DEFINE(APPROX_RELEASE_DATE, ["2021-05-07"], # for 0.4.5.8
[Approximate date when this software was released. (Updated when the version changes.)])
# "foreign" means we don't follow GNU package layout standards
@@ -441,7 +441,11 @@ AM_CONDITIONAL(BUILD_MANPAGE, [test "x$enable_manpage" != "xno"])
AM_CONDITIONAL(BUILD_HTML_DOCS, [test "x$enable_html_manual" != "xno"])
AM_PROG_CC_C_O
-AC_PROG_CC_C99
+
+dnl Before autoconf 2.70, AC_PROG_CC_C99 is supposedly necessary for some
+dnl compilers if you wan't C99 support. Starting with 2.70, it is obsolete and
+dnl forbidden.
+m4_version_prereq([2.70], [:], [AC_PROG_CC_C99])
AC_CACHE_CHECK([for Python 3], [tor_cv_PYTHON],
[AC_PATH_PROGS_FEATURE_CHECK([PYTHON], [ \
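Review bot: typo in the new dnl comment, "wan't" should be "want". The m4_version_prereq([2.70], [:], [AC_PROG_CC_C99]) guard itself is the right shape: on autoconf 2.70 and later the macro is skipped, on older versions AC_PROG_CC_C99 is still expanded, so C99 detection is unchanged for existing build environments.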
diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in
index e599a0857a..580f189525 100644
--- a/contrib/win32build/tor-mingw.nsi.in
+++ b/contrib/win32build/tor-mingw.nsi.in
@@ -8,7 +8,7 @@
!include "LogicLib.nsh"
!include "FileFunc.nsh"
!insertmacro GetParameters
-!define VERSION "0.4.5.7"
+!define VERSION "0.4.5.8"
!define INSTALLER "tor-${VERSION}-win32.exe"
!define WEBSITE "https://www.torproject.org/"
!define LICENSE "LICENSE"
diff --git a/scripts/build/combine_libs b/scripts/build/combine_libs
index fb311552fe..9c87f68248 100755
--- a/scripts/build/combine_libs
+++ b/scripts/build/combine_libs
@@ -25,7 +25,7 @@ for input in "$@"; do
dir="$TMPDIR"/$(basename "$input" .a)
mkdir "$dir"
cd "$dir">/dev/null
- ar x "$abs"
+ "${AR:-ar}" x "$abs"
done
cd "$TMPDIR" >/dev/null
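Review bot: the replacement "${AR:-ar}" is quoted as a single word, so it honours a cross-prefixed archiver such as a triplet-ar but would not work if $AR carried flags (it would be looked up as one program name). That matches how $AR is used elsewhere in the build per the changelog entry, so it is fine as is; just noting the limitation in case someone expects make-style "AR=ar flags" values.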
diff --git a/src/app/config/fallback_dirs.inc b/src/app/config/fallback_dirs.inc
index a7ef39bb96..4f43a4ba6e 100644
--- a/src/app/config/fallback_dirs.inc
+++ b/src/app/config/fallback_dirs.inc
@@ -1,804 +1,1076 @@
/* type=fallback */
-/* version=3.0.0 */
-/* timestamp=20200723133610 */
+/* version=4.0.0 */
+/* timestamp=20210412000000 */
/* source=offer-list */
+
+"62.78.194.4 orport=9001 id=BD5609383472735292627DB86D92A29F3CFEE52A"
+/* nickname=Unnamed */
+/* extrainfo=0 */
/* ===== */
[...]
diff --git a/src/config/geoip b/src/config/geoip
index 3dce65ed00..222bb1be87 100644
--- a/src/config/geoip
+++ b/src/config/geoip
@@ -7,7 +7,7 @@
#
# Location Database Export
#
-# Generated: Fri, 12 Mar 2021 05:05:24 GMT
+# Generated: Fri, 07 May 2021 05:18:14 GMT
# Vendor: IPFire Project
# License: CC BY-SA 4.0
#
[...]
diff --git a/src/config/geoip6 b/src/config/geoip6
index 79a0c627a2..4718eaa827 100644
--- a/src/config/geoip6
+++ b/src/config/geoip6
@@ -7,7 +7,7 @@
#
# Location Database Export
#
-# Generated: Fri, 12 Mar 2021 05:05:24 GMT
+# Generated: Fri, 07 May 2021 05:18:14 GMT
# Vendor: IPFire Project
# License: CC BY-SA 4.0
#
[...]
diff --git a/src/core/or/channel.c b/src/core/or/channel.c
index 26c93d169f..1ac029c152 100644
--- a/src/core/or/channel.c
+++ b/src/core/or/channel.c
@@ -1882,11 +1882,11 @@ channel_do_open_actions(channel_t *chan)
geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
&remote_addr, transport_name,
now);
- tor_free(transport_name);
/* Notify the DoS subsystem of a new client. */
if (tlschan && tlschan->conn) {
dos_new_client_conn(tlschan->conn, transport_name);
}
+ tor_free(transport_name);
}
/* Otherwise the underlying transport can't tell us this, so skip it */
}
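Review bot: the move of tor_free(transport_name) to after dos_new_client_conn() is correct: before this change the string was released before being handed to the DoS subsystem, so dos_new_client_conn() was reading a freed (or, since tor_free() also nulls the pointer, a NULL) transport name, which is why the symptom was a BUG() message rather than a crash. No other use of transport_name follows the new free point in the visible context, so the lifetime is now right.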
diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c
index c0c918abe4..78501c0aa2 100644
--- a/src/core/or/circuitbuild.c
+++ b/src/core/or/circuitbuild.c
@@ -881,14 +881,22 @@ circuit_pick_extend_handshake(uint8_t *cell_type_out,
}
/**
- * Return true iff <b>purpose</b> is a purpose for a circuit which is
- * allowed to have no guard configured, even if the circuit is multihop
+ * Return true iff <b>circ</b> is allowed
+ * to have no guard configured, even if the circuit is multihop
* and guards are enabled.
*/
static int
-circuit_purpose_may_omit_guard(int purpose)
+circuit_may_omit_guard(const origin_circuit_t *circ)
{
- switch (purpose) {
+ if (BUG(!circ))
+ return 0;
+
+ if (circ->first_hop_from_controller) {
+ /* The controller picked the first hop: that bypasses the guard system. */
+ return 1;
+ }
+
+ switch (circ->base_.purpose) {
case CIRCUIT_PURPOSE_TESTING:
case CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT:
/* Testing circuits may omit guards because they're measuring
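Review bot: the first_hop_from_controller early return sits before the purpose switch, so a controller-built circuit skips the guard-state check whatever its purpose, including CIRCUIT_PURPOSE_C_GENERAL circuits Tor is allowed to attach streams to. That is what the origin_circuit_st.h comment intends, but the doc comment on circuit_may_omit_guard() only mentions "allowed to have no guard configured"; suggest stating there that controller-chosen first hops are exempt regardless of purpose. The BUG(!circ) guard returning 0 (do not omit) is the safe default.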
@@ -1019,7 +1027,7 @@ circuit_build_no_more_hops(origin_circuit_t *circ)
guard_usable_t r;
if (! circ->guard_state) {
if (circuit_get_cpath_len(circ) != 1 &&
- ! circuit_purpose_may_omit_guard(circ->base_.purpose) &&
+ ! circuit_may_omit_guard(circ) &&
get_options()->UseEntryGuards) {
log_warn(LD_BUG, "%d-hop circuit %p with purpose %d has no "
"guard state",
diff --git a/src/core/or/circuitlist.h b/src/core/or/circuitlist.h
index 3178e6cd0d..bd4a117e26 100644
--- a/src/core/or/circuitlist.h
+++ b/src/core/or/circuitlist.h
@@ -118,7 +118,8 @@
* bandwidth measurement, reachability test and address discovery from an
* authority using the NETINFO cell. */
#define CIRCUIT_PURPOSE_TESTING 21
-/** A controller made this circuit and Tor should not use it. */
+/** A controller made this circuit and Tor should not cannibalize it or attach
+ * streams to it without explicitly being told. */
#define CIRCUIT_PURPOSE_CONTROLLER 22
/** This circuit is used for path bias probing only */
#define CIRCUIT_PURPOSE_PATH_BIAS_TESTING 23
diff --git a/src/core/or/circuituse.c b/src/core/or/circuituse.c
index 0f3fc29361..059e43ec47 100644
--- a/src/core/or/circuituse.c
+++ b/src/core/or/circuituse.c
@@ -1320,10 +1320,10 @@ circuit_predict_and_launch_new(void)
if (router_have_consensus_path() == CONSENSUS_PATH_INTERNAL)
flags |= CIRCLAUNCH_IS_INTERNAL;
- log_info(LD_CIRC,
- "Have %d clean circs need another buildtime test circ.", num);
- circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags);
- return;
+ log_info(LD_CIRC,
+ "Have %d clean circs need another buildtime test circ.", num);
+ circuit_launch(CIRCUIT_PURPOSE_C_GENERAL, flags);
+ return;
}
}
diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
index a33c64fe19..7f260ba185 100644
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@ -2582,6 +2582,16 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
tor_assert(addresstype == ONION_V2_HOSTNAME ||
addresstype == ONION_V3_HOSTNAME);
tor_assert(!automap);
+
+ if (addresstype == ONION_V2_HOSTNAME) {
+ log_warn(LD_PROTOCOL,
+ "Warning! You've just connected to a v2 onion address. These "
+ "addresses are deprecated for security reasons, and are no "
+ "longer supported in Tor. Please encourage the site operator "
+ "to upgrade. For more information see "
+ "https://blog.torproject.org/v2-deprecation-timeline");
+ }
+
return connection_ap_handle_onion(conn, socks, circ, addresstype);
}
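Review bot: the new warning says v2 addresses "are no longer supported in Tor", yet the function goes on to call connection_ap_handle_onion() for them, so on this series the connection is still serviced. The changelog wording ("0.4.5.x is the last series that will support v2 onions") is more accurate; consider aligning the log text, and consider rate-limiting this log_warn since it fires on every v2 connection attempt.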
diff --git a/src/core/or/origin_circuit_st.h b/src/core/or/origin_circuit_st.h
index a45a6573dc..c40e84aed8 100644
--- a/src/core/or/origin_circuit_st.h
+++ b/src/core/or/origin_circuit_st.h
@@ -170,6 +170,18 @@ struct origin_circuit_t {
* not try to negotiate further circuit padding. */
unsigned padding_negotiation_failed : 1;
+ /**
+ * If this flag is set, then a controller chose the first hop of this
+ * circuit's path, and it's okay to ignore checks that we'd usually do
+ * on this circuit's first hop.
+ *
+ * This flag is distinct from the CIRCUIT_PURPOSE_CONTROLLER purpose: the
+ * purpose indicates _what tor can use the circuit for_. Controller-created
+ * circuits can still have the CIRCUIT_PURPOSE_GENERAL purpose if Tor is
+ * allowed to attach streams to them.
+ */
+ unsigned first_hop_from_controller : 1;
+
/**
* Tristate variable to guard against pathbias miscounting
* due to circuit purpose transitions changing the decision
diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c
index 232216c521..82866ea668 100644
--- a/src/feature/client/entrynodes.c
+++ b/src/feature/client/entrynodes.c
@@ -804,9 +804,6 @@ get_sampled_guard_for_bridge(guard_selection_t *gs,
entry_guard_t *guard;
if (BUG(!addrport))
return NULL; // LCOV_EXCL_LINE
- if (bridge_has_invalid_transport(bridge)) {
- return NULL;
- }
guard = get_sampled_guard_by_bridge_addr(gs, addrport);
if (! guard || (id && tor_memneq(id, guard->identity, DIGEST_LEN)))
return NULL;
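Review bot: the bridge_has_invalid_transport(bridge) check is dropped here rather than moved, which is what lets a bridge line with a transport name and no fingerprint be used again (bug 40360). Please confirm that bridges whose transport is genuinely not configured are still rejected elsewhere on the path to circuit launch, otherwise this function will now return a sampled guard for a bridge Tor cannot actually reach through its transport.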
diff --git a/src/feature/control/control_cmd.c b/src/feature/control/control_cmd.c
index 5b75c24692..0456d709f5 100644
--- a/src/feature/control/control_cmd.c
+++ b/src/feature/control/control_cmd.c
@@ -819,6 +819,7 @@ handle_control_extendcircuit(control_connection_t *conn,
if (zero_circ) {
/* start a new circuit */
circ = origin_circuit_init(intended_purpose, 0);
+ circ->first_hop_from_controller = 1;
}
/* now circ refers to something that is ready to be extended */
diff --git a/src/feature/hs/hs_cache.c b/src/feature/hs/hs_cache.c
index c1334a7d27..9c35936748 100644
--- a/src/feature/hs/hs_cache.c
+++ b/src/feature/hs/hs_cache.c
@@ -353,6 +353,31 @@ static digest256map_t *hs_cache_v3_client;
* objects all related to a specific service. */
static digest256map_t *hs_cache_client_intro_state;
+#define cache_client_desc_free(val) \
+ FREE_AND_NULL(hs_cache_client_descriptor_t, cache_client_desc_free_, (val))
+
+/** Free memory allocated by <b>desc</b>. */
+static void
+cache_client_desc_free_(hs_cache_client_descriptor_t *desc)
+{
+ if (desc == NULL) {
+ return;
+ }
+ hs_descriptor_free(desc->desc);
+ memwipe(&desc->key, 0, sizeof(desc->key));
+ memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc));
+ tor_free(desc->encoded_desc);
+ tor_free(desc);
+}
+
+/** Helper function: Use by the free all function to clear the client cache */
+static void
+cache_client_desc_free_void(void *ptr)
+{
+ hs_cache_client_descriptor_t *desc = ptr;
+ cache_client_desc_free(desc);
+}
+
/** Return the size of a client cache entry in bytes. */
static size_t
cache_get_client_entry_size(const hs_cache_client_descriptor_t *entry)
@@ -390,7 +415,18 @@ remove_v3_desc_as_client(const hs_cache_client_descriptor_t *desc)
static void
store_v3_desc_as_client(hs_cache_client_descriptor_t *desc)
{
+ hs_cache_client_descriptor_t *cached_desc;
+
tor_assert(desc);
+
+ /* Because the lookup function doesn't return an expired entry, it can linger
+ * in the cache until we clean it up or a new descriptor is stored. So,
+ * before adding, we'll make sure we are not overwriting an old descriptor
+ * (which is OK in terms of semantic) but leads to memory leak. */
+ cached_desc = digest256map_get(hs_cache_v3_client, desc->key.pubkey);
+ if (cached_desc) {
+ cache_client_desc_free(cached_desc);
+ }
digest256map_set(hs_cache_v3_client, desc->key.pubkey, desc);
/* Update cache size with this entry for the OOM handler. */
rend_cache_increment_allocation(cache_get_client_entry_size(desc));
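Review bot: the stale entry is freed with cache_client_desc_free() directly, and only the increment for the new entry is visible; nothing in this hunk subtracts the replaced descriptor's size from the OOM accounting. If remove_v3_desc_as_client() (the previous hunk's context) is where the decrement lives, routing the replacement through it would keep rend cache size accounting balanced; otherwise the leak is fixed but the accounted size drifts upward on every overwrite.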
@@ -473,31 +509,6 @@ cache_client_desc_new(const char *desc_str,
return client_desc;
}
-#define cache_client_desc_free(val) \
- FREE_AND_NULL(hs_cache_client_descriptor_t, cache_client_desc_free_, (val))
-
-/** Free memory allocated by <b>desc</b>. */
-static void
-cache_client_desc_free_(hs_cache_client_descriptor_t *desc)
-{
- if (desc == NULL) {
- return;
- }
- hs_descriptor_free(desc->desc);
- memwipe(&desc->key, 0, sizeof(desc->key));
- memwipe(desc->encoded_desc, 0, strlen(desc->encoded_desc));
- tor_free(desc->encoded_desc);
- tor_free(desc);
-}
-
-/** Helper function: Use by the free all function to clear the client cache */
-static void
-cache_client_desc_free_void(void *ptr)
-{
- hs_cache_client_descriptor_t *desc = ptr;
- cache_client_desc_free(desc);
-}
-
/** Return a newly allocated and initialized hs_cache_intro_state_t object. */
static hs_cache_intro_state_t *
cache_intro_state_new(void)
diff --git a/src/lib/fs/path.c b/src/lib/fs/path.c
index c2fdddb9db..81960bd69a 100644
--- a/src/lib/fs/path.c
+++ b/src/lib/fs/path.c
@@ -571,6 +571,19 @@ wrap_closedir(void *arg)
{
closedir(arg);
}
+
+/** Function passed to glob to handle processing errors. <b>epath</b> is the
+ * path that caused the error and <b>eerrno</b> is the errno set by the
+ * function that failed. We want to ignore ENOENT and ENOTDIR because, in BSD
+ * systems, these are not ignored automatically, which makes glob fail when
+ * globs expand to non-existing paths and GLOB_ERR is set.
+ */
+static int
+glob_errfunc(const char *epath, int eerrno)
+{
+ (void)epath;
+ return eerrno == ENOENT || eerrno == ENOTDIR ? 0 : -1;
+}
#endif /* defined(HAVE_GLOB) */
/** Return a new list containing the paths that match the pattern
@@ -591,7 +604,7 @@ tor_glob(const char *pattern)
tor_free(pattern_normalized);
#elif HAVE_GLOB /* !(defined(_WIN32)) */
glob_t matches;
- int flags = GLOB_ERR | GLOB_NOSORT;
+ int flags = GLOB_NOSORT;
#ifdef GLOB_ALTDIRFUNC
/* use functions that call sandbox_intern_string */
flags |= GLOB_ALTDIRFUNC;
@@ -604,7 +617,10 @@ tor_glob(const char *pattern)
matches.gl_stat = &prot_stat;
matches.gl_lstat = &prot_lstat;
#endif /* defined(GLOB_ALTDIRFUNC) */
- int ret = glob(pattern, flags, NULL, &matches);
+ // use custom error handler to workaround BSD quirks and do not set GLOB_ERR
+ // because it would make glob fail on error even if the error handler ignores
+ // the error
+ int ret = glob(pattern, flags, glob_errfunc, &matches);
if (ret == GLOB_NOMATCH) {
return smartlist_new();
} else if (ret != 0) {
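Review bot: behaviour for errors other than ENOENT/ENOTDIR is preserved even though GLOB_ERR is removed: glob_errfunc() returns -1 for them, and a non-zero return from the error callback aborts glob() regardless of GLOB_ERR, so the `ret != 0` branch below still triggers on, e.g., permission errors. Only the two not-found errnos are now tolerated, which is exactly the BSD quirk the comment describes.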
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 168dfd943c..fc90dbe062 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -1608,6 +1608,28 @@ add_noparam_filter(scmp_filter_ctx ctx)
}
}
+ if (is_libc_at_least(2, 33)) {
+#ifdef __NR_newfstatat
+ // Libc 2.33 uses this syscall to implement both fstat() and stat().
+ //
+ // The trouble is that to implement fstat(fd, &st), it calls:
+ // newfstatat(fs, "", &st, AT_EMPTY_PATH)
+ // We can't detect this usage in particular, because "" is a pointer
+ // we don't control. And we can't just look for AT_EMPTY_PATH, since
+ // AT_EMPTY_PATH only has effect when the path string is empty.
+ //
+ // So our only solution seems to be allowing all fstatat calls, which
+ // means that an attacker can stat() anything on the filesystem. That's
+ // not a great solution, but I can't find a better one.
+ rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat));
+ if (rc != 0) {
+ log_err(LD_BUG,"(Sandbox) failed to add newfstatat() syscall; "
+ "received libseccomp error %d", rc);
+ return rc;
+ }
+#endif
+ }
+
return 0;
}
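Review bot: this is a deliberate loosening of the seccomp policy, and the comment says so: once is_libc_at_least(2, 33) holds, every newfstatat() call is allowed, not just the fstat()-via-AT_EMPTY_PATH form, so sandboxed code can stat arbitrary paths. Two things worth recording for the Debian changelog or the bug: (1) the effective policy now depends on the runtime glibc, so the rule is inert on systems below 2.33 and active above it; (2) the rule is wrapped in #ifdef __NR_newfstatat, so on ABIs that expose the syscall under a different name (fstatat64 on 32-bit targets) the block silently adds nothing and the sandbox would still break with glibc 2.33 there. A log line in the #else path would make that visible.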
diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h
index 9a138c0928..06e6ad8ff7 100644
--- a/src/win32/orconfig.h
+++ b/src/win32/orconfig.h
@@ -217,7 +217,7 @@
#define USING_TWOS_COMPLEMENT
/* Version number of package */
-#define VERSION "0.4.5.7"
+#define VERSION "0.4.5.8"
#define HAVE_STRUCT_SOCKADDR_IN6
#define HAVE_STRUCT_IN6_ADDR