Debian Bug report logs - #700179
Tor: keep CAP_NET_BIND_SERVICE when dropping root, open sockets as debian-tor

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>

To: submit@bugs.debian.org

Subject: Start tor as debian-tor to allow traffic shaping

Date: Sat, 9 Feb 2013 06:39:24 -0800

Package: tor
Version: 0.2.3.25-1
Severity: wishlist

Hi,

According to the Tor prioritization script at

 https://gitweb.torproject.org/tor.git/blob/HEAD:/contrib/linux-tor-prio.sh

UID-based prioritization requires that Tor be started using a specific
user ID instead of relying on the User configuration setting.
/etc/init.d/tor appears to start Tor as root and rely on the User
configuration setting to change the user ID to debian-tor.

The following patch modifies /etc/init.d/tor so that Tor is started
using the debian-tor account, which should allow the script to work.

-- 
Matt

diff --git a/debian/tor.init b/debian/tor.init
index 91f776d..a55bd7d 100644
--- a/debian/tor.init
+++ b/debian/tor.init
@@ -154,6 +154,7 @@ case "$1" in
 		fi
 		if start-stop-daemon --start --quiet \
 			--pidfile $TORPID \
+			--user debian-tor \
 			$NICE \
 			$AA_EXEC \
 			--exec $DAEMON -- $AA_EXEC_ARGS $DEFAULT_ARGS $ARGS

Message #10 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: Matt Kraai <kraai@ftbfs.org>, 700179@bugs.debian.org

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Sat, 9 Feb 2013 15:45:56 +0100

On Sat, 09 Feb 2013, Matt Kraai wrote:

> UID-based prioritization requires that Tor be started using a specific
> user ID instead of relying on the User configuration setting.
> /etc/init.d/tor appears to start Tor as root and rely on the User
> configuration setting to change the user ID to debian-tor.
> 
> The following patch modifies /etc/init.d/tor so that Tor is started
> using the debian-tor account, which should allow the script to work.

Alas, that's not an option, as it would prevent tor from opending
listening ports < 1024.

Cheers,
weasel
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Message #15 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>

To: Peter Palfrader <weasel@debian.org>

Cc: 700179@bugs.debian.org

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Sat, 9 Feb 2013 08:08:19 -0800

On Sat, Feb 09, 2013 at 03:45:56PM +0100, Peter Palfrader wrote:
> On Sat, 09 Feb 2013, Matt Kraai wrote:
> 
> > UID-based prioritization requires that Tor be started using a specific
> > user ID instead of relying on the User configuration setting.
> > /etc/init.d/tor appears to start Tor as root and rely on the User
> > configuration setting to change the user ID to debian-tor.
> > 
> > The following patch modifies /etc/init.d/tor so that Tor is started
> > using the debian-tor account, which should allow the script to work.
> 
> Alas, that's not an option, as it would prevent tor from opending
> listening ports < 1024.

How about making Tor change user but keep the CAP_NET_BIND_SERVICE
capability before opening the sockets?

-- 
Matt

Message #20 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: Matt Kraai <kraai@ftbfs.org>, 700179@bugs.debian.org

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Sat, 9 Feb 2013 20:20:58 +0100

On Sat, 09 Feb 2013, Matt Kraai wrote:

> On Sat, Feb 09, 2013 at 03:45:56PM +0100, Peter Palfrader wrote:
> > On Sat, 09 Feb 2013, Matt Kraai wrote:
> > 
> > > UID-based prioritization requires that Tor be started using a specific
> > > user ID instead of relying on the User configuration setting.
> > > /etc/init.d/tor appears to start Tor as root and rely on the User
> > > configuration setting to change the user ID to debian-tor.
> > > 
> > > The following patch modifies /etc/init.d/tor so that Tor is started
> > > using the debian-tor account, which should allow the script to work.
> > 
> > Alas, that's not an option, as it would prevent tor from opending
> > listening ports < 1024.
> 
> How about making Tor change user but keep the CAP_NET_BIND_SERVICE
> capability before opening the sockets?

Tor does change user.  You seemed to imply that wasn't sufficient for
your traffic shaping thing.

-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Message #25 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>

To: Peter Palfrader <weasel@debian.org>

Cc: 700179@bugs.debian.org

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Sat, 9 Feb 2013 12:07:17 -0800

On Sat, Feb 09, 2013 at 08:20:58PM +0100, Peter Palfrader wrote:
> On Sat, 09 Feb 2013, Matt Kraai wrote:
> 
> > On Sat, Feb 09, 2013 at 03:45:56PM +0100, Peter Palfrader wrote:
> > > On Sat, 09 Feb 2013, Matt Kraai wrote:
> > > 
> > > > UID-based prioritization requires that Tor be started using a specific
> > > > user ID instead of relying on the User configuration setting.
> > > > /etc/init.d/tor appears to start Tor as root and rely on the User
> > > > configuration setting to change the user ID to debian-tor.
> > > > 
> > > > The following patch modifies /etc/init.d/tor so that Tor is started
> > > > using the debian-tor account, which should allow the script to work.
> > > 
> > > Alas, that's not an option, as it would prevent tor from opending
> > > listening ports < 1024.
> > 
> > How about making Tor change user but keep the CAP_NET_BIND_SERVICE
> > capability before opening the sockets?
> 
> Tor does change user.  You seemed to imply that wasn't sufficient for
> your traffic shaping thing.

The traffic shaping script needs Tor to change user before creating
the sockets.  It says

 # The UID based method requires that Tor be launched from
 # a specific user ID. The "User" Tor config setting is
 # insufficient, as it sets the UID after the socket is created.

If tor were to change the user before creating the sockets, but keep
the CAP_NET_BIND_SERVICE capability, I think this would allow it to
perform UID-based shaping *and* bind to ports less than 1024.

I wanted to check that this seemed reasonable before I tried to
implement it.

-- 
Matt

Message #32 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: Matt Kraai <kraai@ftbfs.org>

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Sat, 9 Feb 2013 21:10:09 +0100

On Sat, 09 Feb 2013, Matt Kraai wrote:

> On Sat, Feb 09, 2013 at 08:20:58PM +0100, Peter Palfrader wrote:
> > On Sat, 09 Feb 2013, Matt Kraai wrote:
> > 
> > > On Sat, Feb 09, 2013 at 03:45:56PM +0100, Peter Palfrader wrote:
> > > > On Sat, 09 Feb 2013, Matt Kraai wrote:
> > > > 
> > > > > UID-based prioritization requires that Tor be started using a specific
> > > > > user ID instead of relying on the User configuration setting.
> > > > > /etc/init.d/tor appears to start Tor as root and rely on the User
> > > > > configuration setting to change the user ID to debian-tor.
> > > > > 
> > > > > The following patch modifies /etc/init.d/tor so that Tor is started
> > > > > using the debian-tor account, which should allow the script to work.
> > > > 
> > > > Alas, that's not an option, as it would prevent tor from opending
> > > > listening ports < 1024.
> > > 
> > > How about making Tor change user but keep the CAP_NET_BIND_SERVICE
> > > capability before opening the sockets?
> > 
> > Tor does change user.  You seemed to imply that wasn't sufficient for
> > your traffic shaping thing.
> 
> The traffic shaping script needs Tor to change user before creating
> the sockets.  It says
> 
>  # The UID based method requires that Tor be launched from
>  # a specific user ID. The "User" Tor config setting is
>  # insufficient, as it sets the UID after the socket is created.
> 
> If tor were to change the user before creating the sockets, but keep
> the CAP_NET_BIND_SERVICE capability, I think this would allow it to
> perform UID-based shaping *and* bind to ports less than 1024.
> 
> I wanted to check that this seemed reasonable before I tried to
> implement it.

Keeping the bind service capability has other advantages too.  For
instance it'd make re-opening sockets after hibernation possible.

I guess a patch might be received well.

Cheers,
weasel
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Message #37 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: Matt Kraai <kraai@ftbfs.org>

Cc: 700179@bugs.debian.org

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Tue, 12 Feb 2013 21:41:37 +0100

On Sat, 09 Feb 2013, Peter Palfrader wrote:

> > I wanted to check that this seemed reasonable before I tried to
> > implement it.
> 
> Keeping the bind service capability has other advantages too.  For
> instance it'd make re-opening sockets after hibernation possible.
> 
> I guess a patch might be received well.

Also see https://trac.torproject.org/5220 - it came up a while ago.

It'd be great if somebody worked on it.  It seems the Tor people
themselves won't get to it for a long while at this rate.

Cheers,
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Message #44 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>

To: Peter Palfrader <weasel@debian.org>

Cc: 700179@bugs.debian.org

Subject: Re: Bug#700179: Start tor as debian-tor to allow traffic shaping

Date: Tue, 12 Feb 2013 13:35:56 -0800

On Tue, Feb 12, 2013 at 09:41:37PM +0100, Peter Palfrader wrote:
> On Sat, 09 Feb 2013, Peter Palfrader wrote:
> 
> > > I wanted to check that this seemed reasonable before I tried to
> > > implement it.
> > 
> > Keeping the bind service capability has other advantages too.  For
> > instance it'd make re-opening sockets after hibernation possible.
> > 
> > I guess a patch might be received well.
> 
> Also see https://trac.torproject.org/5220 - it came up a while ago.
> 
> It'd be great if somebody worked on it.  It seems the Tor people
> themselves won't get to it for a long while at this rate.

I'm working on a patch.

Message #49 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>

To: 700179@bugs.debian.org

Cc: Matt Kraai <kraai@ftbfs.org>

Subject: [PATCH] Switch user before opening sockets if capable

Date: Tue, 12 Feb 2013 20:11:31 -0800

The "User" config setting is not sufficient for
contrib/linux-tor-prio.sh's UID-based traffic prioritization since it
sets the UID after the sockets are created.  The UID is set after
sockets are created so that they can be bound to ports less than 1024.

Processes with Linux's CAP_NET_BIND_SERVICES capability can bind to
ports less than 1024 without having to run as root.

If possible, keep this capability and switch UID before opening the
sockets.  This allows both UID-based traffic prioritization to work
and binding to ports less than 1024.
---
 configure.ac        |    1 +
 src/common/compat.c |   37 +++++++++++++++++++++++++++++++++++++
 src/common/compat.h |    3 +++
 src/or/config.c     |   13 +++++++++++++
 4 files changed, 54 insertions(+)

diff --git a/configure.ac b/configure.ac
index 182cc1b..c1a791a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -781,6 +781,7 @@ AC_CHECK_HEADERS(
         netinet/in6.h \
         pwd.h \
         stdint.h \
+        sys/capabilities.h \
         sys/file.h \
         sys/ioctl.h \
         sys/limits.h \
diff --git a/src/common/compat.c b/src/common/compat.c
index 3b15f8a..0d9d706 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -104,6 +104,9 @@
 /* Only use the linux prctl;  the IRIX prctl is totally different */
 #include <sys/prctl.h>
 #endif
+#ifdef HAVE_SYS_CAPABILITIES_H
+#include <sys/capabilities.h>
+#endif
 
 #include "torlog.h"
 #include "util.h"
@@ -1469,6 +1472,40 @@ log_credential_status(void)
 }
 #endif
 
+#ifdef HAVE_SYS_CAPABILITIES_H
+/** Keep the CAP_NET_BIND_SERVICE capability to allow ports less than 1024
+ * to be opened.  Return 0 on success.  On failure, log and return -1.
+ */
+int
+keep_cap_net_bind_service(void)
+{
+  cap_user_header_t hdr;
+  cap_user_data_t data;
+
+  /* Get the capabilities or bail out */
+  memset(&hdr, 0, sizeof(hdr));
+  hdr.version = _LINUX_CAPABILITY_VERSION;
+  if (capget(&hdr, &data)) {
+    log_warn("Error getting capabilities: %s", strerror(errno));
+    return -1;
+  }
+
+  /* Set the capabilities or bail out */
+  data.permitted &= ~CAP_TO_MASK(CAP_NET_BIND_SERVICE);
+  data.inheritable = 0;
+  if (capset(&hdr, &data)) {
+    log_warn("Error setting capabilities: %s", strerror(errno));
+    return -1;
+  }
+
+  /* Keep the capabilities or bail out */
+  if (prctl(PR_SET_KEEPCAPS, 1)) {
+    log_warn("Error keeping capabilities: %s", strerror(errno));
+    return -1;
+  }
+}
+#endif
+
 /** Call setuid and setgid to run as <b>user</b> and switch to their
  * primary group.  Return 0 on success.  On failure, log and return -1.
  */
diff --git a/src/common/compat.h b/src/common/compat.h
index d2944e6..0145d85 100644
--- a/src/common/compat.h
+++ b/src/common/compat.h
@@ -611,6 +611,9 @@ typedef unsigned long rlim_t;
 #endif
 int set_max_file_descriptors(rlim_t limit, int *max);
 int tor_disable_debugger_attach(void);
+#ifdef HAVE_SYS_CAPABILITIES_H
+int keep_cap_net_bind_service(void);
+#endif
 int switch_id(const char *user);
 #ifdef HAVE_PWD_H
 char *get_user_homedir(const char *username);
diff --git a/src/or/config.c b/src/or/config.c
index 31695ba..6e753dd 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -983,6 +983,19 @@ options_act_reversible(const or_options_t *old_options, char **msg)
   }
 #endif
 
+#ifdef HAVE_SYS_CAPABILITIES_H
+  /* Setuid/setgid as appropriate */
+  if (options->User) {
+    if (!keep_cap_net_bind_service ()) {
+      if (switch_id(options->User) != 0) {
+	/* No need to roll back, since you can't change the value. */
+	*msg = tor_strdup("Problem with User value. See logs for details.");
+	goto done;
+      }
+    }
+  }
+#endif
+
   if (running_tor) {
     int n_ports=0;
     /* We need to set the connection limit before we can open the listeners. */
-- 
1.7.10.4

Message #54 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: Matt Kraai <kraai@ftbfs.org>, 700179@bugs.debian.org

Subject: Re: Bug#700179: [PATCH] Switch user before opening sockets if capable

Date: Wed, 13 Feb 2013 17:28:23 +0100

On Tue, 12 Feb 2013, Matt Kraai wrote:

> The "User" config setting is not sufficient for
> contrib/linux-tor-prio.sh's UID-based traffic prioritization since it
> sets the UID after the sockets are created.  The UID is set after
> sockets are created so that they can be bound to ports less than 1024.
> 
> Processes with Linux's CAP_NET_BIND_SERVICES capability can bind to
> ports less than 1024 without having to run as root.
> 
> If possible, keep this capability and switch UID before opening the
> sockets.  This allows both UID-based traffic prioritization to work
> and binding to ports less than 1024.

Do you want to submit that directly to the tor bug tracking system?
That'd enable upstream to give direct feedback for your patch.

  https://trac.torproject.org/5220
or
  https://trac.torproject.org/8195


Cheers,
weasel
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Message #59 received at 700179@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>

To: Peter Palfrader <weasel@debian.org>

Cc: 700179@bugs.debian.org

Subject: Re: Bug#700179: [PATCH] Switch user before opening sockets if capable

Date: Wed, 13 Feb 2013 17:17:12 -0800

On Wed, Feb 13, 2013 at 05:28:23PM +0100, Peter Palfrader wrote:
> On Tue, 12 Feb 2013, Matt Kraai wrote:
> 
> > The "User" config setting is not sufficient for
> > contrib/linux-tor-prio.sh's UID-based traffic prioritization since it
> > sets the UID after the sockets are created.  The UID is set after
> > sockets are created so that they can be bound to ports less than 1024.
> > 
> > Processes with Linux's CAP_NET_BIND_SERVICES capability can bind to
> > ports less than 1024 without having to run as root.
> > 
> > If possible, keep this capability and switch UID before opening the
> > sockets.  This allows both UID-based traffic prioritization to work
> > and binding to ports less than 1024.
> 
> Do you want to submit that directly to the tor bug tracking system?
> That'd enable upstream to give direct feedback for your patch.
> 
>   https://trac.torproject.org/5220
> or
>   https://trac.torproject.org/8195

Done.

Message #66 received at 700179-close@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: 700179-close@bugs.debian.org

Subject: Bug#700179: fixed in tor 0.3.2.5-alpha-1

Date: Thu, 23 Nov 2017 17:34:48 +0000

Source: tor
Source-Version: 0.3.2.5-alpha-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 Nov 2017 15:59:58 +0100
Source: tor
Binary: tor tor-geoipdb
Architecture: source
Version: 0.3.2.5-alpha-1
Distribution: experimental
Urgency: medium
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
 tor        - anonymizing overlay network for TCP
 tor-geoipdb - GeoIP database for Tor
Closes: 700179 882281
Changes:
 tor (0.3.2.5-alpha-1) experimental; urgency=medium
 .
   * New upstream version.
   * Build-depend on libcap-dev on linux-any so we can build tor with
     capabilities support to retain the capability to bind to low ports;
     closes: #882281, #700179.
Checksums-Sha1:
 a878467be7c62e6ddbd38dc7974842d40c818e42 1866 tor_0.3.2.5-alpha-1.dsc
 3db184555f059095acd6c69c991ba17f4efbbe72 6310699 tor_0.3.2.5-alpha.orig.tar.gz
 fddd7a382522ff4f540dfa088474f4953e29151a 48508 tor_0.3.2.5-alpha-1.diff.gz
Checksums-Sha256:
 25a5cd698f7cb99f4ea5b30e5d2181432cb44ccba7c82434be66d818a32535de 1866 tor_0.3.2.5-alpha-1.dsc
 1b61d280310e2f5e1472e567cdae965392902b89babd33e211356a02c28c5c15 6310699 tor_0.3.2.5-alpha.orig.tar.gz
 77f5fa9ae8f414bdf2d2a8d09bcf15cc986a4afe8a7ed5ff116feeaa4b8bb381 48508 tor_0.3.2.5-alpha-1.diff.gz
Files:
 826799baf9272897147c26e827b1290f 1866 net optional tor_0.3.2.5-alpha-1.dsc
 e2bdd8e64dac38da1384a1b6025af627 6310699 net optional tor_0.3.2.5-alpha.orig.tar.gz
 02775cfe6cc12ff5a85aae6826557cef 48508 net optional tor_0.3.2.5-alpha-1.diff.gz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEs4PXhajJL968BgN2hgLIIDhyMx8FAloXANAACgkQhgLIIDhy
Mx8THQf/b+gxqKTjLm+/IO6YkRc8VWVLlXFocwiETxloRxNz5L0Yy8yVM1GUXn4m
oD9mTk9qbK1ztNLugHiG2hxc/SrFzHLzIgW0qPL+ZfSG6zKKiCw+d/m+gmS2FAvn
QJuykh++eeuVzVomu7RaaXxTp2GT74cxflbZguXP5dm6ho6L58U0XVY4R8NBqBnD
94jkR/Sz5SPu70ImMqnSc1VlNwoF8X/hxXppd61yf97lL7PJl/B6Jn+TrAoN2BXy
Txs0UivYGAhpNRVlsm502Oye5lvX39eP71L7B0OPTlBBj+DokVQeqXIl9GSzFbEr
fd4+lMlxblUU3pWXn45JJ79kQPFSGQ==
=74M/
-----END PGP SIGNATURE-----

Message #71 received at 700179-close@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: 700179-close@bugs.debian.org

Subject: Bug#700179: fixed in tor 0.3.1.9-1

Date: Sat, 02 Dec 2017 12:19:18 +0000

Source: tor
Source-Version: 0.3.1.9-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Dec 2017 23:32:58 +0100
Source: tor
Binary: tor tor-geoipdb
Architecture: source
Version: 0.3.1.9-1
Distribution: unstable
Urgency: high
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
 tor        - anonymizing overlay network for TCP
 tor-geoipdb - GeoIP database for Tor
Closes: 700179 882281
Changes:
 tor (0.3.1.9-1) unstable; urgency=high
 .
   * New upstream version, including among others:
     - Fix a denial of service bug where an attacker could use a
       malformed directory object to cause a Tor instance to pause while
       OpenSSL would try to read a passphrase from the terminal. (Tor
       instances run without a terminal, which is the case for most Tor
       packages, are not impacted.) Fixes bug 24246; bugfix on every
       version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
       Found by OSS-Fuzz as testcase 6360145429790720.
     - Fix a denial of service issue where an attacker could crash a
       directory authority using a malformed router descriptor. Fixes bug
       24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
       and CVE-2017-8820.
     - When checking for replays in the INTRODUCE1 cell data for a
       (legacy) onion service, correctly detect replays in the RSA-
       encrypted part of the cell. We were previously checking for
       replays on the entire cell, but those can be circumvented due to
       the malleability of Tor's legacy hybrid encryption. This fix helps
       prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
       0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
       and CVE-2017-8819.
     - Fix a use-after-free error that could crash v2 Tor onion services
       when they failed to open circuits while expiring introduction
       points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
       also tracked as TROVE-2017-013 and CVE-2017-8823.
     - When running as a relay, make sure that we never build a path
       through ourselves, even in the case where we have somehow lost the
       version of our descriptor appearing in the consensus. Fixes part
       of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
       as TROVE-2017-012 and CVE-2017-8822.
     - When running as a relay, make sure that we never choose ourselves
       as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
       issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
   * Build-depend on libcap-dev on linux-any so we can build tor with
     capabilities support to retain the capability to bind to low ports;
     closes: #882281, #700179.
Checksums-Sha1:
 8c132af553721ba81f0d2a297f5141f5b455435d 1824 tor_0.3.1.9-1.dsc
 5d6d5f00691d35c782f9126b7ad70a678343a832 6092702 tor_0.3.1.9.orig.tar.gz
 7b33ff16dfe470cc5bd3af53960a7ebc7204f415 48881 tor_0.3.1.9-1.diff.gz
Checksums-Sha256:
 d767ca3b900a839b03083a0492c0e2d08ddf0bb15bf9323fd1280d1f115714d2 1824 tor_0.3.1.9-1.dsc
 6e1b04f7890e782fd56014a0de5075e4ab29b52a35d8bca1f6b80c93f58f3d26 6092702 tor_0.3.1.9.orig.tar.gz
 dde9f4b63e0ec28d4d649988a494b0bb0e10897df2cb22268c9b2042f080d59f 48881 tor_0.3.1.9-1.diff.gz
Files:
 893c1b5715d321f859707836b2d00e61 1824 net optional tor_0.3.1.9-1.dsc
 585e62d086ae7df7cd873f735d726118 6092702 net optional tor_0.3.1.9.orig.tar.gz
 02e347d9a5e3bf1b8871dfd75eaa3d19 48881 net optional tor_0.3.1.9-1.diff.gz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEs4PXhajJL968BgN2hgLIIDhyMx8FAloil1cACgkQhgLIIDhy
Mx8o1wf/ROiFY4BoZaa6kEdVwmR8cMJqUc8TLlbvOk1W37tGxMPGu/Y/LjBhRlhf
bbuu521zumWb5+sjZ5bxO5Y1r/jdV96p3nN2ZsiLo+P44kUyJsBrCiSfZU4DTP7n
Cy/vsJYAsHNkqnmxuWy+jISggP1EOHz9ce5LBsD8PFtiQgDkB7MtKnPM6sQ6QC6z
WbcpxeabFqyMjXx76sE1dmh1pTOdPyHCiIJdD0RJp8SIuNbbTBqFvMbYQWH9igoK
B06r8qH9Bg+RtMo3XjvN6XpcfKOLosgeP3rtlfwhdmfdh3Uny/iS2/Xc1s/ncTih
tcnQiJrwVTQBrqcCCuhVgz1K/km6WQ==
=0fxq
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.