Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-02-11 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
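-------------------------------------------------------------+------------------------
 Reporter:  boklm                                            |  Owner:  tbb-team
 Type:  defect                                               | Status:  closed
 Priority:  High                                             |  Milestone:
Component:  Applications/Tor Browser                         |Version:
 Severity:  Normal                                           | Resolution:  fixed
 Keywords:  TorBrowserTeam201901R, tbb-rbm, tbb-backported   |  Actual Points:
Parent ID:                                                   | Points:
 Reviewer:                                                   |Sponsor:
-------------------------------------------------------------+------------------------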
Changes (by gk):

 * keywords:  TorBrowserTeam201901R, tbb-rbm => TorBrowserTeam201901R,
   tbb-rbm, tbb-backported


Comment:

 Thanks, looks good to me and pushed to `maint-8.0`. I'll note the commits
 in the respective bugs. The bugfix for this ticket is available in commit
 528f683266709865780e75b14755715f44f04d5a.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-02-11 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  closed
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by boklm):

 Replying to [comment:12 boklm]:
 > In branch `bug_29158_maint-8.0_v2`, I backported patches for #29158,
 > #29181 and #29235 on maint-8.0:
 > https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_29158_maint-8.0_v2&id=d036a293dcd041d3ed4d02453b85aa03cfed23fa

 And I checked that a `release` build of `https-everywhere` is working
 correctly.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-02-11 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  closed
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by boklm):

 In branch `bug_29158_maint-8.0_v2`, I backported patches for #29158, #29181
 and #29235 on maint-8.0:
 https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_29158_maint-8.0_v2&id=d036a293dcd041d3ed4d02453b85aa03cfed23fa


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-02-01 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  closed
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:  fixed
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by gk):

 * status:  needs_information => closed
 * resolution:   => fixed


Comment:

 Okay, sounds good. This got merged into `master` with commit
 15e8c5389b76e5fd8634a35c5bff1a5a7192a818. #26323 will address the 32bit
 Wheezy issue.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-02-01 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  needs_information
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by boklm):

 Replying to [comment:9 gk]:
 > So, we need 4 packages to fix the vulnerability on Debian systems. Why
 > do we only need 2 for Ubuntu?

 I looked at the Ubuntu image we download, and there were only 2 apt
 packages included inside this image. For the Debian ones, I looked at the
 apt packages installed by debootstrap, and there were those 4 packages.

 > What is the plan for 32bit Wheezy? commit
 > cd1874ffe37bc50bda7ea2fefadd9637d93b360b ? I am feeling a bit reluctant to
 > take trusty packages tbh...

 The commit using trusty packages was just a test to see if that could
 work, but it doesn't work.
 I think the plan is to do #26323 to be able to stop using 32bit Wheezy.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-02-01 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  needs_information
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by gk):

 * status:  needs_review => needs_information


Comment:

 So, we need 4 packages to fix the vulnerability on Debian systems. Why do
 we only need 2 for Ubuntu?
 What is the plan for 32bit Wheezy? commit
 cd1874ffe37bc50bda7ea2fefadd9637d93b360b ? I am feeling a bit reluctant to
 take trusty packages tbh...


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-24 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  needs_review
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by boklm):

 * status:  needs_revision => needs_review
 * keywords:  TorBrowserTeam201901, tbb-rbm => TorBrowserTeam201901R,
   tbb-rbm


Comment:

 There is a patch for review in branch `bug_29158_v4`:
 https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_29158_v4&id=f9cbcb92e13bea3792733dd89d6efab4d62be7e2

 We are now checking the version of the `apt` package installed.

 It is still missing the fix for `wheezy-i386` which I think could be done
 in a separate commit.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-24 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
---+---
 Reporter:  boklm  |  Owner:  tbb-team
 Type:  defect | Status:  needs_revision
 Priority:  High   |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal | Resolution:
 Keywords:  TorBrowserTeam201901, tbb-rbm  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+---

Comment (by boklm):

 Replying to [comment:6 gk]:
 > The 32bit situation for Linux looks bleak. BUT: I thought we should
 > start soon with #26323 anyway. I think this bug is a reason to start
 > now-ish with that effort. I guess we could try to squeeze it into 8.5.
 > boklm: what do you think?

 Yes, I think it should be possible to do #26323 soon.

 The new apt package is not available yet for i386 at this time:
 http://deb.freexian.com/extended-lts/pool/main/a/apt/

 However, maybe they will add it later: looking at the file modification
 time, it seems it is not the first time that the i386 package comes later.
 Otherwise we can maybe rebuild the package ourselves.

 I started working on a patch installing the updated apt packages into the
 containers:
 https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_29158_v3&id=4672030e7308f852836092ddcfdce76ae90f797b

 It is currently installing the packages on stretch too, however since
 yesterday they made a stretch point release, so it should not be needed
 anymore (but maybe we can add a check to verify that the correct version
 was installed).


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-24 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
---+---
 Reporter:  boklm  |  Owner:  tbb-team
 Type:  defect | Status:  needs_revision
 Priority:  High   |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal | Resolution:
 Keywords:  TorBrowserTeam201901, tbb-rbm  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+---

Comment (by gk):

 The 32bit situation for Linux looks bleak. BUT: I thought we should start
 soon with #26323 anyway. I think this bug is a reason to start now-ish
 with that effort. I guess we could try to squeeze it into 8.5. boklm: what
 do you think?


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-23 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
---+---
 Reporter:  boklm  |  Owner:  tbb-team
 Type:  defect | Status:  needs_revision
 Priority:  High   |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal | Resolution:
 Keywords:  TorBrowserTeam201901, tbb-rbm  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+---

Comment (by boklm):

 Replying to [comment:3 watt]:
 > EOLed wheezy?!

 For wheezy, I think we can use the update provided by Freexian:
 https://deb.freexian.com/extended-lts/updates/ela-76-1-apt/

 Until we do #26238.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-23 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
---+---
 Reporter:  boklm  |  Owner:  tbb-team
 Type:  defect | Status:  needs_revision
 Priority:  High   |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal | Resolution:
 Keywords:  TorBrowserTeam201901, tbb-rbm  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+---
Changes (by boklm):

 * status:  needs_review => needs_revision
 * keywords:  TorBrowserTeam201901R, tbb-rbm => TorBrowserTeam201901,
   tbb-rbm


Comment:

 Replying to [comment:2 gk]:
 > What happens inside the containers if we are installing, say, build
 > dependencies? Are we good here? I guess I was wondering about the
 > `apt-get` calls in `container-image/config`.

 After checking, debootstrap is not installing packages from
 security.debian.org. So we are using a vulnerable apt version in
 `container-image/config`.

 I think we can fix that by manually installing new apt packages inside the
 chroots after creating them with debootstrap in
 `projects/debootstrap-image/config`. I will work on a new version of the
 patch doing that.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-23 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  needs_review
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by watt):

 EOLed wheezy?!


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-23 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  needs_review
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--

Comment (by gk):

 What happens inside the containers if we are installing, say, build
 dependencies? Are we good here? I guess I was wondering about the
 `apt-get` calls in `container-image/config`.


Re: [tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-23 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
+--
 Reporter:  boklm   |  Owner:  tbb-team
 Type:  defect  | Status:  needs_review
 Priority:  High|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Normal  | Resolution:
 Keywords:  TorBrowserTeam201901R, tbb-rbm  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by boklm):

 * status:  new => needs_review
 * keywords:  TorBrowserTeam201901, tbb-rbm => TorBrowserTeam201901R,
   tbb-rbm


Comment:

 There is a patch for review in branch `bug_29158_v2`:
 https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_29158_v2&id=bddaf8e6f4a4710e43d46bf0c8aa6d64d66b3293


[tor-bugs] #29158 [Applications/Tor Browser]: Add fix for DSA 4371-1 (apt vulnerability)

2019-01-23 Thread Tor Bug Tracker & Wiki
#29158: Add fix for DSA 4371-1 (apt vulnerability)
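---------------------------------------+----------------------------------------
 Reporter:  boklm                      |  Owner:  tbb-team
 Type:  defect                         | Status:  new
 Priority:  High                       |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal                     | Keywords:  TorBrowserTeam201901, tbb-rbm
Actual Points:                         | Parent ID:
 Points:                               | Reviewer:
 Sponsor:                              |
---------------------------------------+----------------------------------------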
 Debian announced yesterday an important security update for apt:
 https://lists.debian.org/debian-security-announce/2019/msg00010.html

 In `projects/debootstrap-image` we are downloading an Ubuntu 18.04.1
 image, and doing an `apt-get update -y` in it before installing some
 packages using an affected apt version.

 To avoid this we could download updated apt packages and install them
 using `dpkg -i`.

 We should also check if the use of debootstrap is affected by the issue.

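
The plan described in the ticket (download updated apt packages, install them with `dpkg -i`, then check the installed `apt` version), shown as an added shell example; it is not code from the thread or from tor-browser-build. Since `dpkg -i` performs no repository signature check, the files are gated on pinned SHA-256 digests; the manifest format, function names and the minimum-version argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or tor-browser-build): gate `dpkg -i`
# on pinned SHA-256 digests, then confirm the installed apt version.
# Manifest format, function names and the MIN argument are assumptions.

# verify_pinned MANIFEST DIR
# MANIFEST holds "<sha256>  <filename>" lines, as written by sha256sum.
# Returns 0 if every listed file in DIR matches, 1 on a missing file or
# digest mismatch, 2 on a malformed manifest.
verify_pinned() {
    manifest=$1; dir=$2
    [ -s "$manifest" ] || return 2
    while read -r want name; do
        # Digest must be 64 lowercase hex characters.
        [ "${#want}" -eq 64 ] || return 2
        case $want in *[!0-9a-f]*) return 2 ;; esac
        # Name must be a bare filename: no path, option prefix, space or glob.
        case $name in ''|-*|*[!A-Za-z0-9._+~-]*) return 2 ;; esac
        [ -f "$dir/$name" ] || return 1
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        [ "$got" = "$want" ] || return 1
    done < "$manifest"
    return 0
}

# install_pinned MANIFEST DIR
# Installs exactly the files named in MANIFEST (never a *.deb glob, which
# would also pick up unlisted files), and only after all digests match.
install_pinned() {
    verify_pinned "$1" "$2" || { echo "digest check failed, not installing" >&2; return 1; }
    files=$(awk '{print $2}' "$1")
    # Word splitting is intended: names were validated above.
    (cd "$2" && dpkg -i $files)
}

# apt_at_least MIN
# True if the installed apt package version is >= MIN (Debian ordering).
apt_at_least() {
    have=$(dpkg-query -W -f='${Version}' apt) || return 1
    dpkg --compare-versions "$have" ge "$1"
}
```

The digests in the manifest have to come from a source other than the download itself, for example values committed to the build repository after review.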