Bug 11922 - Wrong BuildRequires in tor (The Onion Router)
Summary: Wrong BuildRequires in tor (The Onion Router)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: Junior_job, validated_update
Depends on:
Blocks:
 
Reported: 2013-12-07 16:59 CET by Hartmut Goebel
Modified: 2014-06-06 16:35 CEST

See Also:
Source RPM: tor-0.2.3.25-3.mga3.src.rpm
CVE:
Status comment:


Attachments
patch to solve this problem (460 bytes, patch)
2014-05-22 13:32 CEST, roelof Wobben
solve this problem and update it to the newest version (915 bytes, patch)
2014-05-22 14:22 CEST, roelof Wobben

Description Hartmut Goebel 2013-12-07 16:59:15 CET
Description of problem:

Building tor requires transfig, tetex-latex and ghostscript as BuildRequires. But according to the 'tor.spec.in' file within the source tar.gz, none of these is required, but 'asciidoc' is required.

I checked configure.in and the makefiles, but could not find any place where transfig, tetex-latex or ghostscript should be needed.

So I suspect these three requirements are wrong and should be replaced by asciidoc.

Reproducible: 

Steps to Reproduce:
Hartmut Goebel 2013-12-07 16:59:24 CET

Keywords: (none) => Junior_job

Comment 1 roelof Wobben 2014-05-22 13:31:33 CEST
Hello, 

I looked at this problem and you are right. asciidoc is already mentioned as a BuildRequires and the package compiles and seems to run fine without it. 

So I include a patch to delete the three buildrequires. 

Roelof

CC: (none) => r.wobben

Comment 2 roelof Wobben 2014-05-22 13:32:08 CEST
Created attachment 5169
patch to solve this problem
roelof Wobben 2014-05-22 14:00:32 CEST

Assignee: bugsquad => r.wobben

Comment 3 roelof Wobben 2014-05-22 14:22:28 CEST
Created attachment 5170
solve this problem and update it to the newest version

This patch solves this problem and also updates it to the newest version.

Attachment 5169 is obsolete: 0 => 1

Comment 4 roelof Wobben 2014-05-28 14:46:34 CEST
I have uploaded an updated package for Mageia 3, 4 and Cauldron.

You can test this by installing it and, for M4 and Cauldron, checking whether the
service will start.

Suggested advisory:
========================

The missing .service file is added so it works fine with systemd now.

Update to version 0.2.4.22 which solves these major and security problems:


   - Block authority signing keys that were used on authorities

   - Fix a memory leak that could occur if a microdescriptor parse
       fails during the tokenizing step.

   - The relay ciphersuite list is now generated automatically based on
       uniform criteria, and includes all OpenSSL ciphersuites with
       acceptable strength and forward secrecy.

   - Relays now trust themselves to have a better view than clients of
       which TLS ciphersuites are better than others.

   - Clients now try to advertise the same list of ciphersuites as
       Firefox 28.


Upstream change log :

https://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=ChangeLog
=======================================================================

Updated packages in core/updates_testing:

========================
tor-0.24.21-1.mga3

tor-0.24.21-1.mga4



Source RPMs:

tor-0.24.21-1.mga3.src.rpm
tor-0.24.21-1.mga4.src.rpm

CC: (none) => rwobben

Comment 5 David Walser 2014-05-28 15:55:45 CEST
OpenSuSE has issued an advisory for this today (May 28):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00079.html

Comment 6 roelof Wobben 2014-05-28 17:09:41 CEST
OK,

I will update both packages to .22 and ask Rindolf to build them and make a new advisory.

Comment 7 roelof Wobben 2014-05-29 16:36:13 CEST
I have uploaded an updated package for Mageia 3, 4.

You can test this by installing it.

Suggested advisory:
========================

Update to version 0.2.4.22 which solves these major and security problems:


   - Block authority signing keys that were used on authorities

   - Fix a memory leak that could occur if a microdescriptor parse
       fails during the tokenizing step.

   - The relay ciphersuite list is now generated automatically based on
       uniform criteria, and includes all OpenSSL ciphersuites with
       acceptable strength and forward secrecy.

   - Relays now trust themselves to have a better view than clients of
       which TLS ciphersuites are better than others.

   - Clients now try to advertise the same list of ciphersuites as
       Firefox 28.


Upstream change log :

https://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=ChangeLog
=======================================================================

Updated packages in core/updates_testing:

========================
tor-0.24.22-1.mga3

tor-0.24.22-1.mga4



Source RPMs:

tor-0.24.22-1.mga3.src.rpm
tor-0.24.22-1.mga4.src.rpm

Component: RPM Packages => Security
Version: Cauldron => 4
Assignee: r.wobben => qa-bugs

roelof Wobben 2014-05-29 16:37:55 CEST

Whiteboard: (none) => MGA3too

David Walser 2014-05-29 16:54:45 CEST

CC: (none) => luigiwalser
Whiteboard: MGA3too => MGA3TOO

Comment 8 claire robinson 2014-05-29 18:07:58 CEST
- Block authority signing keys that were used on authorities
vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).

Comment 9 David Walser 2014-05-29 18:09:57 CEST
(In reply to claire robinson from comment #8)
> - Block authority signing keys that were used on authorities
> vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).

Note that that CVE doesn't need to be listed, because this isn't actually fixing that CVE, it's just something related to it.

Comment 10 claire robinson 2014-05-29 18:12:19 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 11 Lewis Smith 2014-06-04 21:45:52 CEST
Testing MGA4 64-bit real h/w.

Just to clarify how to get Tor working (pre update) at least with Firefox. Elaborated from the link above.

Install Tor [tor]
which needs also - should pull them in if necessary -
tsocks & lib64tsocks1

It can be run directly from the command line (end with Ctrl/C):
$ tor
which should output a series of lines like:
Jan 03 15:30:33.976 [notice] Tor v0.2.1.30. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Jan 03 15:30:33.977 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 03 15:30:34.131 [notice] OpenSSL OpenSSL 1.0.0d 8 Feb 2011 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jan 03 15:30:34.587 [notice] We now have enough directory information to build circuits.
Jan 03 15:30:34.587 [notice] Bootstrapped 80%: Connecting to the Tor network.
Jan 03 15:30:34.617 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Jan 03 15:30:34.764 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Jan 03 15:30:35.056 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 03 15:30:35.056 [notice] Bootstrapped 100%: Done.

Or started as a service:
# service tor start
check with:
# service tor status
tor.service - Anonymizing overlay network for TCP
   Loaded: loaded (/usr/lib/systemd/system/tor.service; enabled)
   Active: active (running) since Wed 2014-06-04 20:24:02 CEST; 12min ago
& more.
# netstat -natp
should include a line like:
tcp        0      0 127.0.0.1:9050              0.0.0.0:*                   LISTEN      1929/tor

The necessary URL to try is:
http[s]://check.torproject.org/
Before the browser is configured for Tor, this returns a valid page saying you do not seem to be using it.

To set up Firefox to use it, go to  Edit > Preferences > Advanced > Network > click Connection Settings;
select Manual Proxy configuration;
select the SOCKS v5 button;
in the HTTP proxy boxes put 'localhost' port '9050' & check the 'Use this proxy server for all protocols'.
If this does not work (proxy server refuses connections), undo that and instead put 'localhost' port '9050' in the SOCKS v5 entry boxes.

If all is well, the check.torproject.org URL returns a page saying "Congratulations. This browser is configured to use Tor".

CC: (none) => lewyssmith

Comment 12 Lewis Smith 2014-06-04 22:08:40 CEST
Testing MGA4 64-bit real h/w.

Tried Tor pre-update as per comment 11. Before it worked, with Firefox on check.torproject.org got "Sorry. You are not using Tor."; after correctly configuring Firefox got "Congratulations. This browser is configured to use Tor." plus other checks noted above OK.

Stopped the tor service. Updated OK to tor-0.2.4.22-1.mga4 (N.B. the slight difference from comment 7 tor-0.24.22-1.mga4). Re-started the tor service, re-tried it. A browser *not* configured to use the tor proxy got the "Sorry. You are not using Tor." response. Firefox configured to use it got the "Congratulations. This browser is configured to use Tor." response.

So no apparent reversion; the update OK'd.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 13 claire robinson 2014-06-06 13:47:03 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure mga4-32-ok MGA4-64-OK

Comment 14 claire robinson 2014-06-06 14:36:14 CEST
Testing complete mga3 32 & 64 - well done Roelof

Note: if you need to access the tor server from machines other than localhost it's necessary to change the SocksPort setting in /etc/tor/torrc to the IP of the server (e.g. 192.168.1.10:9050 or possibly 0.0.0.0:9050), otherwise it binds to loopback only.

Whiteboard: MGA3TOO has_procedure mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
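
The SocksPort binding described in comment 14 can be audited mechanically. The following is an added example, not part of the original comment or of Mageia's or Tor's own code: a Python check that reports every SocksPort bound to a non-loopback address and whether a SocksPolicy ending in a catch-all reject limits who may connect. The function names and both sample torrc files are constructed for illustration, and policy ordering across several SocksPolicy lines is simplified to "some line ends in reject *".

```python
import ipaddress

def socks_bind_host(value):
    """Bind host of a SocksPort value, or None when it is not a TCP listener."""
    target = value.split()[0]                 # ignore trailing flags
    if target == "0" or target.startswith("unix:"):
        return None                           # disabled, or a unix-domain socket
    if ":" not in target:
        return "127.0.0.1"                    # bare port or "auto": loopback only
    return target.rsplit(":", 1)[0].strip("[]")

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                          # unparsed name: treat as exposed

def audit_torrc(text):
    """Return (line_number, host, restricted) for each non-loopback SocksPort."""
    listeners, rejects_rest = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue
        key, value = fields[0].lower(), fields[1].strip()
        if key == "socksport":
            host = socks_bind_host(value)
            if host is not None and not is_loopback(host):
                listeners.append((number, host))
        elif key == "sockspolicy":
            # Addresses matched by no entry are accepted, so a policy only
            # restricts access when it ends in a catch-all reject.
            last = value.split(",")[-1].split()
            rejects_rest = rejects_rest or last in (["reject", "*"], ["reject", "*:*"])
    return [(number, host, rejects_rest) for number, host in listeners]

# Constructed sample files, using the addresses from the note above.
OPEN_TORRC = """SocksPort 9050
SocksPort 0.0.0.0:9050   # reachable from every interface
"""
RESTRICTED_TORRC = """SocksPort 192.168.1.10:9050
SocksPolicy accept 192.168.1.0/24
SocksPolicy reject *
"""

if __name__ == "__main__":
    for text in (OPEN_TORRC, RESTRICTED_TORRC):
        print(audit_torrc(text))
```

A result with `restricted` set to False means any host that can reach that address and port can use the proxy.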

Comment 15 claire robinson 2014-06-06 14:57:54 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 16 Thomas Backlund 2014-06-06 16:35:50 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0256.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

