Bug 22108 - tor new security issues CVE-2017-8819 and CVE-2017-882[0-3]
Summary: tor new security issues CVE-2017-8819 and CVE-2017-882[0-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK MGA5-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-01 22:47 CET by David Walser
Modified: 2020-04-11 23:20 CEST

See Also:
Source RPM: tor-0.3.1.7-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2017-12-01 22:47:31 CET
Upstream has released new versions today (December 1):
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516

The issue is fixed in versions 0.2.8.17, 0.2.9.14, and 0.3.1.9.

BTW we should have stuck with 0.2.9.x in Cauldron as it is supported through 2020.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-01 22:47:39 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-12-05 12:17:55 CET
Updated packages uploaded by Jani.

Advisory:
========================

Updated tor package fixes security vulnerabilities:

When checking for replays in the INTRODUCE1 cell data for a (legacy) onion
service, Tor didn't correctly detect replays in the RSA-encrypted part of the
cell. It was previously checking for replays on the entire cell, but those can
be circumvented due to the malleability of Tor's legacy hybrid encryption.
This can lead to a traffic confirmation attack (CVE-2017-8819).

Denial of service issue where an attacker could crash a directory authority
using a malformed router descriptor (CVE-2017-8820).

Denial of service bug where an attacker could use a malformed directory object
to cause a Tor instance to pause while OpenSSL would try to read a passphrase
from the terminal (CVE-2017-8821).

When running as a relay, Tor could build a path through itself, especially
when it lost the version of its descriptor appearing in the consensus. When
running as a relay, it could also choose itself as a guard (CVE-2017-8822).

Use-after-free error that could crash v2 Tor onion services when they failed
to open circuits while expiring introduction points (CVE-2017-8823).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8819
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8823
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.17-1.mga5
tor-0.2.9.14-1.mga6

from SRPMS:
tor-0.2.8.17-1.mga5.src.rpm
tor-0.2.9.14-1.mga6.src.rpm

Version: Cauldron => 6
Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => jani.valimaa
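
The replay-detection flaw in the advisory above (CVE-2017-8819) can be seen in a simplified model; this is an added example, not code from Tor or from the advisory. The cell layout (a 128-byte RSA block followed by a stream-cipher tail), the sample bytes and all names are assumptions made for illustration.

```python
import hashlib

RSA_LEN = 128  # assumption: one 1024-bit RSA block leads the hybrid ciphertext


class ReplayCache:
    """Remembers a digest of every payload seen, selected by key_fn."""

    def __init__(self, key_fn):
        self._key_fn = key_fn      # picks the bytes that identify a cell
        self._seen = set()

    def is_replay(self, payload: bytes) -> bool:
        digest = hashlib.sha256(self._key_fn(payload)).digest()
        if digest in self._seen:
            return True
        self._seen.add(digest)
        return False


def whole_cell(payload: bytes) -> bytes:
    # Behaviour before the fix, per the advisory: key on the entire cell.
    return payload


def rsa_part(payload: bytes) -> bytes:
    # Behaviour after the fix: key only on the RSA-encrypted part.
    return payload[:RSA_LEN]


def altered_tail(payload: bytes) -> bytes:
    """Model a resent cell whose malleable tail differs by one bit."""
    tail = bytearray(payload[RSA_LEN:])
    tail[-1] ^= 0x01
    return payload[:RSA_LEN] + bytes(tail)


def demo() -> dict:
    # Constructed sample payload, not a real INTRODUCE1 cell.
    original = bytes(range(RSA_LEN)) + b"constructed stream-cipher tail"
    resent = altered_tail(original)
    results = {}
    for name, key_fn in (("whole_cell", whole_cell), ("rsa_part", rsa_part)):
        cache = ReplayCache(key_fn)
        cache.is_replay(original)                 # first sighting is recorded
        results[name] = cache.is_replay(resent)   # is the altered copy caught?
    return results
```

Keyed on the whole cell, the cache treats the altered copy as new; keyed on the RSA-encrypted part, it flags it as a replay.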

Comment 2 PC LX 2017-12-05 13:35:49 CET
Installed and tested without issues.

System: Mageia 5, x86_64, Intel CPU.

Tested using Firefox setup to use the Tor socks proxy. Tested several .onion and other URLs. All worked.

$ uname -a
Linux marte 4.4.103-desktop-1.mga5 #1 SMP Thu Nov 30 12:44:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tor
tor-0.2.8.17-1.mga5

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => mageia

Comment 3 Herman Viaene 2017-12-05 15:11:24 CET
MGA6-32 on Dell Latitude D600 MATE
No installation issues.
Followed test as per bug 21740 Comment 2. Works OK.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Herman Viaene 2017-12-05 15:43:54 CET
MGA5-32 on Dell Latitude D600 MATE
No installation issues.
Followed test as per bug 21740 Comment 2. Works OK.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK => MGA5TOO MGA5-64-OK MGA6-32-OK MGA5-32-OK

Comment 5 Len Lawrence 2017-12-05 17:34:31 CET
@ PC LX
Having spent several hours chasing documentation on the net and perusing man pages I would be grateful if you could provide some details about how you did this.
tor is installed.  vidalia is installed and I eventually gave up trying to find the tor-browser command and ran tor, which insisted that there be a /run/tor/ directory accessible to the user only.  At this point I had to give up.  Still no idea where tor-browser lives.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2017-12-05 18:04:58 CET
Re comment 5:
vidalia says it has connected to the Tor network and it looks as if tor does more or less the same thing.

Dec 05 16:27:31.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Dec 05 16:27:31.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 05 16:27:31.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 05 16:27:31.000 [notice] Bootstrapped 100%: Done

So the big question is - where is the browser.  The documentation implies that you run tor-browser and up pops an instance of Firefox or whatever.  I guess that choice has to be configured somewhere.
Comment 7 Len Lawrence 2017-12-05 18:17:51 CET
One of the documents on the Tor site had this:

Once that's done, switch to the Tor browser directory by running:

cd tor-browser_LANG

(where LANG is the language listed in the filename).

To run Tor Browser, click either on the Tor Browser or the Tor Browser Setup icon or execute the start-tor-browser.desktop file in a terminal:

./start-tor-browser.desktop

This will launch Tor Launcher and once that connects to Tor, it will launch Firefox. Do not unpack or run TBB as root.

This was for a tarball installation
Comment 8 PC LX 2017-12-05 18:20:00 CET
(In reply to Len Lawrence from comment #5)
> @ PC LX
> Having spent several hours chasing documentation on the net and perusing man
> pages I would be grateful if you could provide some details about how you
> did this.

I already had tor setup so the following steps are from memory and may not be complete.

0. Install tor and vidalia packages.
1. Setup a tor socks proxy (for normal browsing and other TCP traffic).
1.1. Generate a hashed password for authentication with tor using the command:
    $ tor --hash-password "SOME_RANDOM_PASSWORD"
1.2. Add these lines to the tor config file /etc/tor/torrc
    - ControlPort 9051
    - HashedControlPassword 16:PUT_HASHED_PASSWORD_HERE
1.3. Enable the tor service (optional).
    - systemctl enable tor
1.4. Start the tor service.
    - systemctl start tor
1.5. Run vidalia.
1.6. Configure vidalia:
    - Go to configuration > advanced.
    - Select "Use TCP connection (ControlPort)".
    - In "Address" enter 127.0.0.1 : 9051
    - In dropdown "authentication" select password.
    - Enter "SOME_RANDOM_PASSWORD"
1.7. In vidalia click "start tor".
2. Run Firefox (as usual).
2.1 Configure firefox to use the tor SOCKS proxy.
   - Open "about:preferences"
   - In the "network proxy"
   -- Select manual proxy
   -- In SOCKS server enter 127.0.0.1 : 9050
   -- Select "SOCKS v5"
3. Finally, open "https://check.torproject.org/" to confirm that it is using tor.
Comment 9 PC LX 2017-12-05 18:24:05 CET
Addition to 2.1:
  - Check "DNS to SOCKS v5".

The labels may not be exactly what I wrote. I'm not using Firefox with an English localization so I had to translate to English.
Comment 10 Jani Välimaa 2017-12-05 18:33:16 CET
Quite complicated steps described in previous comments.

Only thing one needs to do is 'systemctl start tor' as root and configure web browser to use SOCKS proxy localhost:9050.

Or if vidalia is installed, then start/run vidalia and configure web browser to use SOCKS proxy localhost:9051.
Comment 11 Jani Välimaa 2017-12-05 18:34:20 CET
(In reply to Jani Välimaa from comment #10)
> Quite complicated steps described in previous comments.
> 
> Only thing one needs to do is 'systemctl start tor' as root and configure
> web browser to use SOCKS proxy localhost:9050.
> 
> Or if vidalia is installed, then start/run vidalia and configure web browser
> to use SOCKS proxy localhost:9051.

Note also, that if vidalia is used, then there's no need to start tor as a system service with systemctl.
Comment 12 Jani Välimaa 2017-12-05 18:40:01 CET
(In reply to Jani Välimaa from comment #11)
> (In reply to Jani Välimaa from comment #10)
> > Quite complicated steps described in previous comments.
> > 
> > Only thing one needs to do is 'systemctl start tor' as root and configure
> > web browser to use SOCKS proxy localhost:9050.
> > 
> > Or if vidalia is installed, then start/run vidalia and configure web browser
> > to use SOCKS proxy localhost:9051.
> 
> Note also, that if vidalia is used, then there's no need to start tor as a
> system service with systemctl.

Also one correction to port with vidalia, it's not 9051. 9051 is the default control port and vidalia opens socks port by itself. Opened port number can be found from vidalia logs. For example:

joulukuuta 05 19:35:31.160 [Notice] Opening Socks listener on 127.0.0.1:34553
Comment 13 Len Lawrence 2017-12-05 19:27:57 CET
@PC LX : Thanks very much for those details.  Got as far as "Congratulations. This browser is configured to use Tor." but it also said "However, it does not appear to be Tor Browser.
Click here to go to the download page" so I imagine that I should close down firefox and restart it from vidalia.

It looks like a lot of the stuff on the internet is eyewash, or at least irrelevant and misleading.  I ended up on a VPN site and got chatting to a support guy and he kept saying I should use VPN; running tor browser by itself is not recommended.

@ Jani, re comment 10, 11.  Thanks also.  I actually needed a lot of those details above - had no idea how to configure a proxy.  Also I had tried to start tor as a service.  Enabled it and failed to start it.  No information anywhere about why.  However, vidalia worked, as you said.  It seems to start OK with the 9051 control port.  Shall look for the logs to check what it is actually using.
Comment 14 Len Lawrence 2017-12-05 19:28:39 CET
Interesting to see that setting up the proxy logged me out of Bugzilla.
Comment 15 Len Lawrence 2017-12-05 19:40:18 CET
Shut down firefox and restarted vidalia.  Trouble.

Vidalia can't find out how to talk to Tor because it can't access this file: /home/lcl/.vidalia/port.conf
Here's the last error message:
No such file or directory

port.conf was there but as soon as I tried to look at it, more trouble.

[lcl@belexeuli .vidalia]$ cat port.conf
cat: port.conf: No such file or directory
[1]+  Segmentation fault      (core dumped) vidalia  (wd: ~)
(wd now: ~/.vidalia)

Discovered that vidalia lacked the port number.  Added 9051 to localhost: and port.conf reappeared in .vidalia and now contains:
PORT=127.0.0.1:37601

So far so good.
Comment 16 Len Lawrence 2017-12-05 19:50:00 CET
Had to log in to Bugzilla again.

Restarted tor and the same thing happened; port.conf was erased and Tor stopped running.
Comment 17 Len Lawrence 2017-12-05 19:51:37 CET
Logged out of Bugzilla every time.
Comment 18 Len Lawrence 2017-12-05 20:32:34 CET
This is going nowhere.  No matter what port number I choose now the Tor project site gives me a "No way".
$ cat port.conf
PORT=127.0.0.1:44333

vidalia.conf contains: 
RunProxyAtStart=true
ProxyExecutableArguments=SOCKS proxy localhost:9501

It ended up in a state where I could not log in to any site because I was using a proxy which was misconfigured as far as I can gather.  At no point has vidalia even attempted to launch firefox.  It comes up with the encouraging message

Connected to the Tor Network
We were able to successfully establish a connection to the Tor network.

but:

You can now configure your applications to use the Internet anonymously.

Something I had just finished doing before restarting.

This is taking up too much of everybody's time.  I am abandoning it as of now because it is obviously going nowhere.
Comment 19 Jani Välimaa 2017-12-05 20:54:54 CET
It might be better to remove the ~/.vidalia directory and start from scratch (default vidalia settings). Or just ditch vidalia (which was actually ditched by upstream ages ago also) and use the system tor service and SOCKS port 9050 to do tests.

Please note that ~/.vidalia/port.conf isn't showing the port you should use in your proxy configuration, but tor's control port. SOCKS port for proxy configuration you can get from vidalia's logs. IINM Vidalia isn't supposed to start any web browser after it's connected to tor network.
Comment 20 Len Lawrence 2017-12-05 21:07:11 CET
Addendum.  Noted the typo - 9501 instead of 9051.
The torproject page was happy only with 9050, would not accept 9051.

Have not found the vidalia logs yet.  I was expecting tor-browser = firefox because I had configured proxy application to be firefox - starting when Tor starts.

You may be right about abandoning vidalia but I did not have any luck trying to start tor earlier.
Comment 21 Jani Välimaa 2017-12-05 21:13:56 CET
(In reply to Len Lawrence from comment #20)
> 
> Have not found the vidalia logs yet.

View -> Message Log
Comment 22 Len Lawrence 2017-12-05 21:56:27 CET
Thanks for that Jani.
Used the Socks listener port from the logs = 36031
Configured firefox and tried the project site.  All good there except that it complains that it is not Tor browser, so how does the user make it the Tor browser?  Tried restarting firefox.  No change.
port.conf contains the control listener port number.
Going to try restarting Tor.
That did not break anything but the project site still does not recognize the browser as the Tor browser.

Definitely stopping this for tonight.  Might have some time tomorrow.
Comment 23 PC LX 2017-12-05 22:34:22 CET
torbrowser is a browser derived from Firefox but is NOT Firefox.

torbrowser can be downloaded from here:
https://www.torproject.org/download/download-easy.html.en

Personally, I don't see the point in having a browser specifically for using with Tor. I just use Firefox with a specific profile that is configured in a privacy sensitive way.
Comment 24 Len Lawrence 2017-12-06 01:52:15 CET
And thanks again PC LX.  Am I reading this right - are you saying you managed to test Tor without having tor-browser?  
Quoting you:

"Tested using Firefox setup to use the Tor socks proxy. Tested several .onion and other URLs. All worked."

My question now is how you tested .onion and other URLs?  I don't understand what that means.  The project site said the configured firefox was OK so I guess that is halfway there.
Comment 25 PC LX 2017-12-06 02:06:38 CET
Here is an example of an onion URL, in this case for duckduckgo:
https://3g2upl4pq6kufc4m.onion/

More onion URLs can be found here:
http://deepweblinks.org/

Just use these URLs like any other HTTP(S) URL.

For these onion URLs to work, DNS must go through SOCKS v5, so check that option in the Firefox network settings.
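
What the "DNS through SOCKS v5" setting from comments 9 and 25 means on the wire, as an added example that is not part of any comment in this thread: with remote DNS the client puts the hostname itself into the SOCKS5 CONNECT request (RFC 1928 address type 3), so the proxy resolves it and no local DNS lookup happens. The function names are hypothetical; the hostname and port 9050 are taken from the comments above.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build an RFC 1928 CONNECT request, leaving hostnames unresolved."""
    if not 0 < port < 65536:
        raise ValueError("port must be 1..65535")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send the name as-is so the proxy resolves it.
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    # VER, CMD, RSV(0), then address and big-endian port.
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def name_resolved_by_proxy(request: bytes) -> bool:
    """True when the request carries a hostname rather than an IP address."""
    return request[3] == ATYP_DOMAIN


def demo() -> dict:
    # An .onion name has no public DNS record, so it only works as ATYP_DOMAIN.
    onion = socks5_connect_request("3g2upl4pq6kufc4m.onion", 443)
    # A client that resolved a name locally would send an IP literal instead.
    literal = socks5_connect_request("127.0.0.1", 9050)
    return {
        "onion_remote_dns": name_resolved_by_proxy(onion),
        "literal_remote_dns": name_resolved_by_proxy(literal),
    }
```

A request that arrives at the SOCKS port with an IP address type for a site the user typed by name indicates the browser resolved it locally, outside the proxy.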
Comment 26 Len Lawrence 2017-12-06 02:29:07 CET
Experimenting here.  Logged in to the router to see what my WAN address is then switched over to the proxy settings in firefox.  Found that I could not access anything, not even the router.  The router address had been anonymized which meant   I could not log in to the router or reconnect it but I could ping it on the old address.  For external sites "connection being refused by a proxy server" kept on appearing.
 
Mid-air collision.  Shall try duckduckgo and report back.
Comment 27 Len Lawrence 2017-12-06 02:34:40 CET
DNS .... has been checked from the beginning.

I hit duckduckgo and it failed in exactly the same way - "Proxy server is refusing connections".
Comment 28 Len Lawrence 2017-12-06 02:40:22 CET
Goddamn!  vidalia had changed the listener port.  After fixing that the onion site worked.
Thanks a million PC LX and Jani.

Now to run the update!  No, it is halfway through the night now so leave it until the morning.
Comment 29 Len Lawrence 2017-12-06 10:32:21 CET
Had a look at a couple of the CVEs but not understanding the language took that no further.

Updated tor, restarted vidalia and checked log to find the new listener port address which was then passed on to firefox.  Looked at a few onion sites, skipping those that took too long to respond and accessed several normal sites.

This report is going through the proxy.

tor OK for mga6 64-bit.
Len Lawrence 2017-12-06 10:33:22 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK MGA5-32-OK => MGA5TOO MGA5-64-OK MGA6-32-OK MGA5-32-OK MGA6-64-OK

Dave Hodgins 2017-12-07 19:40:39 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 30 Mageia Robot 2017-12-07 21:55:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0444.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Emma Begay 2020-04-11 09:01:38 CEST

CC: (none) => darkweblink786

